JEDEN / docs
Documentation

The coding agent you can operate.

Jeden is Wisent’s private coding-agent harness. It owns the model loop, policy, tools, terminal interaction, sessions, memory, extensions, and integrations around the model.

Private preview

Jeden packages and managed model routes are distributed to approved teams. The public documentation describes the runtime contract without exposing private credentials or infrastructure.

The four-part contract

Ways to run Jeden

ModeUse it for
jedenInteractive terminal work with searchable native views and approval prompts.
jeden runOne-shot tasks in scripts, CI, or a shell pipeline. Add --json for machine-readable output.
jeden rpcNewline-delimited JSON RPC over standard input and output.
jeden acpAgent Client Protocol over standard input and output.
jeden headlessMutual-TLS headless service with an explicit identity map and optional revoked serial list.

Where to begin

Start with Getting started. Then read Security model before enabling writes or commands for unattended work.

Start

Getting started

Validate your private preview package, point Jeden at a repository, and complete a first read-only task before granting additional authority.

Prerequisites

  • A signed Jeden release supplied through the private preview channel.
  • An approved Wisent model entitlement or an operator-provided route through Brama.
  • A project directory the current user can read.
Safe default

Jeden starts with always-ask approval policy. Begin read-only. Grant writes or commands only when the task requires them.

Validate the runtime

Confirm the binary

Print the installed release identity.

Terminal
$ jeden --version

Check the environment

Run diagnostics for the current workspace. JSON mode is suitable for automation.

Terminal
$ jeden doctor --cwd .
$ jeden doctor --json --cwd .

Inspect the capability registry

Confirm which tools, commands, views, services, plugins, and MCP servers are healthy.

Terminal
$ jeden capabilities --json --cwd .

Configure a managed route

Operator-managed installations provide these values without putting them in project files. A direct deployment requires the following runtime environment:

Environment
BRAMA_URL=<brama-url>
WISENT_APP_AGENT_ID=wisent-app
WISENT_APP_AGENT_AUTH_SECRET=<signing-credential>

ENTITLEMENTS_ROUTER_BIN optionally overrides the executable used by authentication status and reauthorization commands.

Run the first task

Interactive
$ jeden --cwd ../content-platform
One shot
$ jeden run "summarize package.json" --cwd .
$ jeden run "create notes.txt" --cwd . --allow-write

The second command exposes write-capable tools but does not bypass the configured approval mode. Use --yolo or --auto-approve only in an already isolated environment.

Add project context

Create a JEDEN.md or AGENTS.md in the repository. Jeden discovers context from the project ancestor down to --cwd. Keep requirements concrete: commands, boundaries, architecture, and verification rules.

Core

CLI reference

The same runtime serves interactive terminal sessions, one-shot automation, RPC, ACP, and mutually authenticated headless clients.

Global invocation

Usage
jeden [--cwd path] [--model name] [--max-tokens n]
      [--allow-write] [--allow-command]
      [--yolo|--auto-approve] [--max-steps n]
FlagMeaning
--cwd pathSet the workspace root and filesystem jail for the run.
--model nameSelect the model route for this invocation.
--max-tokens nBound model output tokens for each request.
--max-steps nBound the number of model/tool loop iterations.
--allow-writeExpose write-capable tools to the model.
--allow-commandExpose command and process execution tools.
--yolo, --auto-approveApprove allowed effects without interactive confirmation. Use only inside a trusted isolation boundary.

Session and runtime commands

CommandPurpose
jeden sessions [limit]List recent durable sessions.
jeden show <session>Inspect a session by ID or path.
jeden export <session> [output]Export a complete session document.
jeden artifacts <session>List artifacts retained by a session.
jeden artifact <session> <name> [output]Recover one artifact.
jeden config …List, locate, read, set, or reset native configuration.
jeden doctor [--json]Diagnose the current environment.
jeden conformance [--json]Evaluate runtime conformance contracts.
jeden capabilities [--json]Read the versioned capability and health registry.

Interactive slash commands

Entering a management command without arguments opens a native searchable view where one exists. Direct arguments remain available for automation.

/model/tools/approval/mcp/plugins/marketplace/browser/plan/goal/loop/todo/roadmap/memory/jobs/collab/export/compact/handoff/resume

Picker controls

TypeFilter labels, details, and status badges.
↑ / ↓Move the active row.
Home / End / Page Up / Page DownJump through results.
Ctrl-UClear the filter.
EnterExecute the selected action.
EscClose the current view.

Destructive rows open a confirmation view with Cancel selected by default. When standard input is not a terminal, interactive views render deterministic text lists.

Core

Models & routing

Model selection is separate from policy and execution. Jeden signs OpenAI-compatible requests to Brama and records the route, usage, and billing decision in the session.

Selection precedence

  1. The invocation’s --model value.
  2. The JEDEN_MODEL environment variable.
  3. The model selected through native configuration or /model.
  4. The operator-provided default route.
Examples
$ jeden --model claude-code-subscription
$ jeden run "review this diff" --model <route>

/model
/model <route>

Authentication ownership

/login [provider] and /logout [provider] inspect or delegate to the entitlement owner. Jeden does not reimplement provider login inside the model loop. /settings shows provider and entitlement state without returning credentials.

Subscription routing

Weles owns subscription state and payment policy. Jeden discovers active subscriptions and quota snapshots, freezes a deterministic order for each logical request, and sends the selected billing target to Brama.

  • Request, idempotency, and decision identities remain stable across attempts.
  • Typed quota exhaustion places a target into a durable Retry-After-bounded cooldown.
  • Failover never occurs after model output becomes visible.
  • Served account, subscription, quota bucket, and decision ID are retained in usage and audit events.
Payment boundary

Jeden never accepts or stores card numbers, CVC/CVV values, processor tokens, or billing addresses. Payment setup opens a Weles-hosted HTTPS flow.

Usage controls

Interactive
/usage
/usage show
/usage reset
/subscriptions list
/subscriptions status
Core

Configuration

Jeden combines operator environment, user preferences, project settings, and discovered instructions without blurring their precedence.

Precedence

  1. Environment variables win over file configuration.
  2. Project config at <cwd>/.jeden/config.json overrides user config.
  3. User config loads from ~/.jeden/config.json and ~/.jeden/config.yml.
  4. Built-in defaults apply when no value is supplied.
Configuration commands
$ jeden config list --json --cwd .
$ jeden config path --cwd .
$ jeden config get tools.approvalMode
$ jeden config set tools.approvalMode write
$ jeden config reset tools.approvalMode

Native settings

KeyDefault and purpose
tools.approvalModealways-ask. Allowed values: always-ask, write, yolo.
commands.enableClaudeUsertrue. Load commands from ~/.claude/commands.
commands.enableClaudeProjecttrue. Load commands from .claude/commands.
commands.enableOpencodeUsertrue. Load commands from ~/.config/opencode/commands.
commands.enableOpencodeProjecttrue. Load commands from .opencode/commands.
startup.showSplashfalse. Show the startup animation.
startup.quietfalse. Suppress startup chrome.
context.maxBytes131072. Maximum UTF-8 bytes loaded from discovered context.
context.maxTokens32768. Approximate context token budget.
rules.alwaysApply[]. Sticky typed rules injected whenever the system prompt is rebuilt.
secrets.moderedact. Choose redact or obfuscate for known model-bound secrets.
secrets.minLength8. Minimum automatically discovered environment-secret length.
secrets.discoverEnvironmenttrue. Protect secret-named environment values.

Discovered context

User context loads from ~/.jeden/instructions.md and ~/.jeden/context.md. Project discovery walks ancestors down to --cwd and reads:

JEDEN.mdAGENTS.mdCLAUDE.mdRULES.md.jeden/instructions.md.jeden/context.md

A context line such as @./extra.md imports another file under the same context root. Imports remain within that root; oversized files are skipped.

Core

Tools

Jeden exposes typed tools through one capability registry. Every tool has a source, version, health state, policy classification, input schema, output schema, and handler identity.

Discover active tools

Terminal
$ jeden capabilities --json --cwd .
$ jeden tools --cwd .

/tools

The registry distinguishes executable healthy capabilities from planned or unavailable descriptors. Do not infer availability from a name alone; inspect health.state and ui.executable.

Built-in families

FamilyExamples
ReadDirectories, bounded text, binary files, images, documents, archives, notebooks, SQLite, URLs, and artifacts.
SearchLiteral search, regex grep, globs, AST search, Git history, GitHub issues, and pull requests.
WriteRevision-guarded files, patches, anchored edits, archive entries, notebooks, SQLite rows, moves, and deletes.
ProcessPackage scripts, bounded commands, background processes, PTY sessions, Node evaluation, and Python evaluation.
BrowserTabs, actions, extraction, screenshots, and browser state.
Agent stateTodos, memory, artifacts, conversation recall, user questions, and delegation.
IntegrationsMCP tools/resources/prompts, language intelligence, debugging, SSH, collaboration, and custom project tools.

Bounded reads and selectors

Prefer narrow selectors to unbounded output. Text reads support line ranges, comma-separated ranges, raw content, and unresolved conflict views.

Selector examples
src/server.ts:80-140
src/server.ts:10-20,90-110
src/server.ts:raw
src/server.ts:conflicts
artifact://tool-output:1-120
database.sqlite:users:42

Guarded mutations

Existing text files return a digest and snapshot tag when read. A mutation must identify the state it intends to replace. If another actor changes the file first, the write fails instead of overwriting newer work.

  • write_file and apply_patch require the expected SHA-256 for existing files.
  • The unified writer uses revision guards for files, archives, notebooks, and SQLite.
  • Anchored edits use a snapshot path#TAG plus exact visible line anchors.
  • Mutations return native diffs and previews.
Two gates

--allow-write or --allow-command makes a tool available. Approval policy still decides whether each proposed effect may execute.

State

Sessions & artifacts

A session is the durable record behind an answer: messages, tool calls, results, approvals, usage, artifacts, checkpoints, attachments, and lineage.

Storage

Session transcripts and artifacts live under ~/.jeden/sessions/. Oversized tool results are persisted as artifacts and replaced in the model loop with compact references.

Inspect and recover

Terminal
$ jeden sessions 20
$ jeden show <session>
$ jeden export <session> output.json
$ jeden artifacts <session>
$ jeden artifact <session> <name> output.bin
$ jeden resume <session> "continue"

Resuming starts a fresh session seeded with selected history; it does not append destructively to the original record.

Interactive lineage

/resume <session>/fork/branch <title>/tree/rename/drop/move <dir>

Checkpoints and rewind

Interactive
/checkpoint before-refactor
/checkpoint list
/rewind <checkpoint-event-id>

A checkpoint records the exact model-visible context. Rewind appends a new active lineage without deleting the abandoned history.

Attachments

Interactive
/attach path/to/context.txt
/attachments
/detach <id|all>

The attachment tray accepts bounded workspace-jailed text and PNG, JPEG, GIF, or WebP inputs for the next submitted turn.

State

Memory

Jeden’s durable memory is a local SQLite/FTS index with explicit retrieval and maintenance operations. It is separate from the immutable session transcript.

Storage and overrides

The default database is ~/.jeden/memory.sqlite3. Set JEDEN_MEMORY_DB to select another database. The legacy JEDEN_MEMORY_FILE remains an input-path override.

Operations

Interactive
/memory stats
/memory view
/memory enqueue
/memory queue
/memory queue run
/memory queue drain
/memory rebuild
/memory clear
enqueueAdd a durable maintenance or ingestion item.
queueInspect queued memory work.
queue runProcess one bounded queue step.
queue drainProcess the durable queue until empty.
rebuildRebuild the SQLite FTS index from durable records.
clearDestructive reset; requires confirmation.

What memory is not

  • It is not a substitute for project instructions or source-controlled context.
  • It does not erase or rewrite the session ledger.
  • Retrieved content remains subject to the current prompt budget and policy.
  • Maintenance commands do not silently grant tool authority.
State

Roadmap registry

A repository can carry a typed, versioned roadmap that the agent and team mutate through the same atomic contract.

Canonical files

roadmap/roadmap.yaml is canonical. roadmap/schema/roadmap-v1.schema.json defines the machine contract. Human views are deterministic generated outputs.

Mutation guarantees

  • Every operation uses a stable sibling lock.
  • expectedRevision detects concurrent updates.
  • Writes use a same-directory temporary file, flush, fsync, atomic rename, and parent-directory fsync.
  • Dependencies must resolve and remain acyclic.
  • passed requires evidence; external_blocked requires an external prerequisite.

Core commands

Terminal
$ jeden roadmap list --status planned --priority P1 --json
$ jeden roadmap show JED-024 --json
$ jeden roadmap graph --json
$ jeden roadmap check --json
$ jeden roadmap render
$ jeden roadmap work JED-024 --cwd .

State transitions

backlogplannedin_progressimplementednot_runfailedexternal_blockedpasseddropped

roadmap work sets the active goal and plan, creates todos from acceptance criteria, records a start event in the current session, and pins subsequent artifacts and branches to the roadmap item.

Integrate

Model Context Protocol

Jeden maintains bounded persistent MCP connections and exposes server tools, resources, prompts, notifications, and health through native commands.

Configuration

User servers load from ~/.jeden/mcp.json. Project servers load from <cwd>/.jeden/mcp.json. Both use the standard mcpServers shape.

.jeden/mcp.json
{
  "mcpServers": {
    "example": {
      "command": "/absolute/path/to/server",
      "args": ["--stdio"]
    }
  }
}

Operate servers

Interactive
/mcp
/mcp list
/mcp tools
/mcp resources
/mcp prompts
/mcp notifications
/mcp test
/mcp reload
/mcp reconnect

Tool naming

Generic MCP tools can list and call every configured server. Eligible tools may also be projected into the native registry as mcp__<server>__<tool>. Names remain unique and capability health reflects the current server connection.

Same policy

MCP does not bypass Jeden policy. A server tool is still subject to the active approval mode, hooks, capability health, and workspace contract.

Start

Installation & updates

Jeden is distributed as a signed private-preview release. Treat the binary, its trust roots, and its release evidence as one unit.

Requirements

  • A supported signed artifact supplied through the Wisent preview channel.
  • Access to the model and entitlement endpoints selected by your operator.
  • A writable home directory for configuration, sessions, memory, plugins, and update state.

Verify an installation

Terminal
$ jeden --version
$ jeden doctor --json --cwd .
$ jeden conformance --json --cwd .

Do not infer health from a successful process launch. Diagnostics confirm storage, policy, providers, capability registration, and workspace-specific dependencies.

Update and rebuild

/update enters the signed update flow. /rebuild rebuilds the local checkout and resumes the active session. Stable promotion remains operator-controlled; canary identities include the CI run, attempt, and tested commit.

Fail closed

A release without a valid signature, configured trust root, or immutable evidence must not be installed as a trusted Jeden build.

Start

Using Jeden

A reliable run has four explicit inputs: workspace, objective, authority, and verification.

Choose the workspace

--cwd establishes the project root used by context discovery and workspace-jailed tools. Start Jeden at the narrowest directory that contains the task.

State the observable outcome

Name the behavior to change, constraints that must remain true, and the command or scenario that proves completion. Put durable project rules in JEDEN.md or AGENTS.md; keep one-off instructions in the prompt.

Grant only required authority

Read-onlyDefault; suitable for inspection, explanation, and planning.
--allow-writeExpose guarded file and structured-data mutations.
--allow-commandExpose shell, process, package, and evaluation operations.
--auto-approveSkip eligible prompts only inside an independently trusted isolation boundary.

Review the evidence

Read the final answer together with the session’s tool results, artifacts, usage, and approval events. A confident statement is not a substitute for an executed verification path.

Start

Interactive terminal

Running jeden opens the native terminal interface: conversation, composer, status line, searchable management views, approvals, and streamed tool state.

Launch

Terminal
$ jeden --cwd .
$ jeden --cwd . --model <route> --allow-write

Composer

Enter submits a prompt; the attachment tray supplies bounded text or image inputs to the next turn. Slash commands act on runtime state without being sent as ordinary user prose.

Native views

Authentication, models, settings, approvals, sessions, todos, modes, tools, MCP, SSH, usage, memory, browser state, collaboration, jobs, extensions, plugins, and marketplaces expose searchable pickers. A selected row dispatches the same validated command available by direct entry.

Confirmations

Destructive views open with Cancel selected. Non-interactive standard input renders deterministic text instead of waiting for terminal controls.

Operate

One-shot runs

jeden run executes one objective without opening the long-lived interactive terminal.

Usage

Terminal
$ jeden run "summarize the API surface" --cwd .
$ jeden run "update the version" --cwd . --allow-write
$ jeden run "inspect failures" --cwd . --json

Bounds

--max-steps limits model/tool iterations and --max-tokens bounds each model response. The workspace, model, write exposure, command exposure, and approval flags have the same meaning as interactive mode.

Model-only mode

--model-only suppresses tool execution for tasks that must produce an answer solely from supplied context. It is not a substitute for filesystem isolation when sensitive data is present.

Automation contract

Use --json when another program consumes the result. Inspect the terminal status and retained session rather than treating process success as proof that a requested code change passed verification.

Operate

Run modes

Modes alter how Jeden organizes work; they do not silently grant filesystem, command, or network authority.

Plan mode

/plan on makes the active plan explicit. /plan-review opens review of the current plan. Use it for multi-step work where dependencies and acceptance criteria matter.

Goal and loop

/goal set records the outcome carried across turns. /loop on enables continuation while open work remains; /goal done or /goal drop closes it.

Fast and advisor

/fast selects the latency-oriented operating profile. /advisor selects an advisory posture. The active model route, policy, and capability registry remain independently inspectable.

Interactive
/plan status
/goal set Stabilize the import path
/loop status
/fast
/advisor
Operate

Slash commands

Slash commands control the local harness. They are parsed before ordinary prompts and are not treated as model-authored tool requests.

Accounts and models

/login/logout/refresh/settings/model/billing/subscriptions/usage

Work and state

/plan/goal/loop/todo/roadmap/jobs/memory/context

Session lifecycle

/new/branch/fork/tree/checkpoint/rewind/compact/handoff/resume/export

Runtime and extensions

/approval/tools/browser/mcp/ssh/extensions/hooks/plugins/marketplace/rebuild/update

Run /help for the current registry-derived command list. Availability and exact subcommands may depend on active capabilities and operator policy.

Operate

Hotkeys & pickers

Keyboard behavior is discoverable at runtime through /hotkeys; searchable views share a consistent control model.

Picker controls

TypeFilter labels, details, and status text.
↑ / ↓Move the active row.
Home / EndJump to the first or last row.
Page Up / Page DownMove by a viewport.
Ctrl-UClear the current filter.
EnterDispatch the selected validated action.
EscClose the view without applying an action.

Safety behavior

Rows that mutate or delete state route through a confirmation view. Cancellation is the initial selection. Filtering a list never executes a row.

Current bindings

Use /hotkeys rather than relying on a hard-coded copy when terminal integrations or active extensions can alter available actions.

Operate

Approvals

Exposure determines what the model can propose. Approval determines which exposed effects may execute.

Modes

always-askPrompt before every effect classified as approval-required.
writePermit configured write behavior while retaining stronger command boundaries.
yoloAutomatically approve exposed capabilities; safe only inside an external sandbox you trust.

Inspect and change

Interactive
/approval status
/approval mode
/approval set write
/approval reset

The persistent default is tools.approvalMode. Invocation flags may select a run-specific posture without editing project configuration.

Decision order

  1. Capability must be healthy and exposed.
  2. Input must satisfy schema and workspace policy.
  3. Pre-tool hooks may narrow or block the call.
  4. Approval policy decides whether operator confirmation is required.
  5. The result and decision are appended to the session.
Models & policy

Authentication

Jeden does not embed provider credentials into prompts or duplicate provider login logic. Authentication is delegated to the configured entitlement owner.

Inspect status

Interactive
/settings
/login
/login <provider>

Status views report provider and entitlement state in redacted form. They do not print tokens, cookies, or stored credentials.

Lifecycle

Interactive
/login <provider>
/refresh <provider>
/logout <provider>

The entitlement router owns whether a provider supports native login, a browser handoff, a device flow, or operator-managed credentials.

Operator configuration

ENTITLEMENTS_ROUTER_BIN overrides the executable used by authentication operations. The binary boundary allows Jeden to inspect and request actions without taking ownership of secret storage.

Models & policy

Billing & usage

Weles owns subscriptions and payment policy. Jeden records model usage and selects only eligible billing targets returned by that control plane.

Payment boundary

/payment-method setup --account <id> opens a Weles-hosted HTTPS setup flow. Jeden never accepts or stores card numbers, CVC/CVV values, processor tokens, billing addresses, or payment credentials.

Purchase policy

Interactive
/billing policy get
/billing policy set … --approve
/billing policy reset
/subscriptions list
/subscriptions status

Automatic purchase and renewal remain disabled until an explicit revision-pinned policy is enabled. Financial mutations require caller idempotency and are checked against pinned policy and quote revisions.

Quota and failover

For each logical model request, Jeden freezes an eligible subscription order. Typed quota exhaustion moves a target into a durable Retry-After-bounded cooldown. Failover does not occur after output becomes visible.

Usage ledger

/usage show reports token and cost accounting; /usage reset resets the local view. The served account, subscription, quota bucket, and route decision remain attached to session audit data.

Models & policy

Environment variables

Environment values override file configuration. Supply secrets through the operator’s secret store, not through source-controlled files.

Model routing

BRAMA_URLOpenAI-compatible Wisent model gateway.
WISENT_APP_AGENT_IDApplication identity used for signed requests.
WISENT_APP_AGENT_AUTH_SECRETSigning credential; must remain outside project files.
JEDEN_MODELDefault model route when no invocation override is supplied.

Control planes

ENTITLEMENTS_ROUTER_BINAuthentication and provider lifecycle executable override.
WELES_URLSubscription and policy service endpoint.
WELES_TOKENWeles service credential.

Storage

JEDEN_MEMORY_DBSQLite/FTS memory database path.
JEDEN_MEMORY_FILELegacy memory input-path override.

Inspect safely

jeden doctor --json reports whether required values are configured without printing their contents. Secret discovery protects values from secret-named environment variables before model-bound text is built.

Models & policy

Context & rules

Context is explicit project guidance loaded before the user task. It is distinct from memory, conversation history, and tool output.

Discovery

User sources are ~/.jeden/instructions.md and ~/.jeden/context.md. Project discovery walks from the project ancestor down to --cwd and reads JEDEN.md, AGENTS.md, CLAUDE.md, RULES.md, .jeden/instructions.md, and .jeden/context.md.

Imports

A line such as @./extra.md imports a file below the same context root. Absolute escapes and parent traversal outside that root are rejected. Oversized files are skipped rather than silently truncated into misleading rules.

Budgets

context.maxBytesDefault 131072 UTF-8 bytes across discovered sources.
context.maxTokensDefault approximate budget of 32768 tokens.
rules.alwaysApplyTyped sticky rules injected whenever the system prompt is rebuilt.

Inspect active context

Use /context to inspect the sources selected for the current workspace. Keep build commands, architectural boundaries, and verification requirements source-controlled; keep credentials out.

Models & policy

Secrets

Secret protection reduces accidental exposure to a model. It does not turn source files, prompts, or transcripts into a secret store.

Settings

secrets.moderedact replaces values; obfuscate preserves reversible placeholders inside the local runtime.
secrets.minLengthMinimum discovered value length; default 8.
secrets.discoverEnvironmentProtect values from secret-named environment variables; default true.

Boundary

  • Never commit credentials to project configuration or context files.
  • Do not paste private keys, session cookies, or access tokens into prompts.
  • Use the platform secret store for operator and control-plane credentials.
  • Review exported sessions before sharing them outside the trusted boundary.

Limitations

Automatic discovery depends on known values and secret-like names. It cannot reliably classify every sensitive business value. Workspace and network isolation remain necessary for high-risk data.

Tools

Capability registry

The registry is the source of truth for what this process can expose and execute. UI lists and protocol surfaces are projections, not independent feature declarations.

Inspect

Terminal
$ jeden capabilities --json --cwd .
$ jeden doctor --json --cwd .
$ jeden conformance --json --cwd .

Descriptor contract

Each descriptor identifies its stable ID, kind, source, version, operations, provenance, dependencies, health, policy, UI affordance, target, schemas, handler, grants, generation, and health evidence.

Availability

A visible label is not enough. A callable capability must have a healthy state, executable UI projection, registered handler, compatible schema, and effective grant. In-flight operations pin the generation they began with.

Kinds

toolslash-commandviewservicemcp
Tools

Files & structured data

Filesystem and structured-data tools share workspace jails, bounded output, and stale-state protection.

Read families

read routes text selectors, binary files, images, archives, documents, notebooks, SQLite rows, artifacts, MCP resources, and HTTP(S) content. Narrow operations remain available as read_file, read_image, read_archive, read_document, and read_sqlite.

list_dirglob_pathssearch_textsearch_filesgrep_regexast_search

Discover paths before reading unknown files. Prefer bounded selectors and native search over shell traversal.

Mutations

write, write_file, archive and SQLite writers, patches, anchored edits, moves, and deletes require write exposure. Existing state is guarded by a digest or snapshot tag so concurrent changes fail instead of being overwritten.

Addressing

Selectors
src/lib.rs:40-90
src/lib.rs:raw
archive.zip:path/in/archive
state.sqlite:jobs:42
artifact://large-output:1-120
Tools

Processes & evaluation

Process tools require command exposure and remain subject to approval, cancellation, deadlines, output limits, and session evidence.

Choose the narrowest operation

run_commandExecute a shell command when shell semantics are required.
run_processExecute an argv array without shell parsing.
run_package_scriptRun a declared package script after discovery.
node_eval / python_evalUse managed language runtimes for computed inspection.

Long-lived and interactive work

pty_session and pty_resize manage terminal processes that need later input. Background jobs must remain addressable by a stable handle; do not orphan servers or watchers.

Output and cancellation

Large output spills to an artifact reference. Cancellation applies to the tracked process tree, not just a parent PID. Timeouts and terminal status are retained in the session.

Verification

For behavioral changes, run the actual changed path. A successful compiler invocation proves compilation, not user-visible behavior.

Tools

Git & GitHub

Jeden separates read-only repository inspection from mutations that publish or rewrite shared state.

Local Git

git_statusgit_diffgit_loggit_showgit_worktreegit_guarded_push

Use typed history and diff tools before shelling out. Guarded push requires explicit authority and verifies the intended repository state.

GitHub

github_issuegithub_prgithub_searchgithub_actions

Issue and pull-request tools operate on typed repository resources. Search locates code and discussions; Actions inspection exposes workflow state without conflating it with local process output.

Shared-state rule

Do not overwrite unexpected local changes or rewrite a branch you do not own. Read current status and references immediately before any shared-state mutation.

Tools

Code intelligence

Structured code tools reason about syntax and runtime state instead of treating source as undifferentiated text.

AST search and rewrite

ast_search finds syntax-shaped matches with metavariables. ast_rewrite applies one-language structural transformations where text replacement would confuse shadowing, formatting, or nested syntax.

Debug sessions

debug_session owns debugger lifecycle. debug_request performs breakpoints, stepping, stack inspection, scopes, variables, evaluation, and supported memory operations through the active adapter.

Choose by invariant

Exact prose or literalUse bounded text search.
Language constructUse AST search or rewrite.
Exported symbolUse the available semantic language-service capability and inspect references before rename.
Runtime value or control flowUse a debugger session.
Tools

Browser & web

Use direct fetch for static content and browser automation only when navigation, JavaScript, authentication, or interaction requires a real page.

HTTP reads

fetch_url returns the requested response. fetch_readable_url extracts bounded reader-oriented content. Network output remains subject to size limits and artifact spill.

Tabs and actions

browser_tabbrowser_actionbrowser_screenshot

Tabs have stable handles. Actions navigate, observe, select, click, type, scroll, extract, and wait against the current document state. Navigation invalidates stale element references.

Visible and headless

Interactive
/browser status
/browser headless
/browser visible

Visible mode is appropriate when an operator must observe or complete an authentication step. Screenshots verify appearance; accessibility or DOM extraction verifies structure and state.

Tools

Images, audio & documents

Media tools preserve the distinction between visual inspection, generated assets, document extraction, and audio output.

Images

read_imageimage_inspectimage_generateimage_editbrowser_screenshot

Inspection grounds claims about an existing image. Generation creates a new asset from an explicit subject and composition. Editing requires an input image and named changes.

Documents and archives

read_document extracts supported office, PDF, and notebook content. read_archive addresses members without unpacking an entire archive into the workspace.

Audio

tts produces speech output where enabled. Generated media is retained as a file or session artifact rather than inlining unbounded binary data into the model loop.

Prompt attachments

The terminal attachment tray accepts bounded workspace-jailed text plus PNG, JPEG, GIF, and WebP files for the next submitted turn.

Tools

Tasks & delegation

Coordination tools turn multi-step work into explicit state without transferring authority implicitly.

Todos

todo and /todo track named tasks and completion state. A todo records intent; it is not evidence that implementation or verification happened.

Operator decisions

ask_user requests input only when materially different choices require the operator. Questions and answers remain in the session lineage.

Subagents

delegate_task assigns a self-contained slice to an available agent. Use /agents to inspect the current roster and capability state. Delegated work returns evidence and artifacts to the parent session.

Authority

A delegate receives only the grants, workspace, and interfaces provided by the parent runtime. It does not inherit external credentials or approval bypass merely because the parent requested work.

Tools

SSH & remote work

Remote work is a separate authority boundary. Host identity, authentication, path scope, and command exposure must all be explicit.

Remote tools

ssh_readssh_searchssh_writessh_exec

Read and search operations inspect configured hosts. Writes and command execution require the corresponding local capability exposure and approval.

Connections

/ssh opens the native SSH configuration and status view. It reports available connection identities without printing private key material.

Host identity

Use pinned known-hosts data for unattended work. Do not disable host-key verification to make an automation path pass. Scope remote identities to the exact command or filesystem surface they need.

Evidence

Remote requests, terminal status, bounded output, and artifacts remain attached to the local session. A remote mutation should be followed by a remote read or service-level smoke check.

State

Session tree

Conversation history is a graph of durable lineage, not one mutable transcript.

Lineage operations

/new, /freshStart a new root from the current workspace.
/branch <title>Create named child work from the active context.
/forkFork the active lineage without rewriting its parent.
/resume <session>Start a fresh session seeded from selected history.
/treeInspect lineage and active branch.

Organization

/rename changes a session label. /move <dir> changes its organizational location. /drop removes the active session from the normal working set through a confirmed operation.

Invariant

Branching, resume, and rewind append new lineage. They do not edit prior model messages, tool results, approvals, or usage events in place.

State

Checkpoints & rewind

Checkpoints name a recoverable context boundary inside a durable session.

Create and inspect

Interactive
/checkpoint before-refactor
/checkpoint list

The checkpoint event records the exact model-visible context, not merely a human label or source-control commit.

Rewind

Interactive
/rewind <checkpoint-event-id>

Rewind appends a new active lineage from the selected checkpoint. The abandoned continuation remains available for audit and comparison.

Source files

A session rewind does not automatically revert the workspace. Use Git or guarded file mutations when source state must also move back, and verify that the chosen source revision matches the checkpoint’s assumptions.

State

Compaction & handoff

Long sessions need bounded model context without discarding the durable event history.

Compaction

Interactive
/compact
/compact focus on the failing import path

Compaction summarizes the active model context. The original messages and tool events remain in the session ledger.

Handoff

Interactive
/handoff
/handoff focus on release verification

A handoff packages current state, decisions, unresolved work, and evidence so another continuation can resume with a bounded focus.

Choose correctly

Continue same objective, context too largeCompact.
Transfer work or start a focused continuationHandoff.
Explore an alternative without abandoning current workBranch or fork.
Return to a precise earlier contextCheckpoint and rewind.
State

Artifacts & attachments

Artifacts are durable session outputs. Attachments are bounded inputs consumed by a prompt.

Artifact recovery

Terminal
$ jeden artifacts <session>
$ jeden artifact <session> <name> output.bin
$ jeden export <session> output.json

Oversized tool results spill to the artifact store and are represented in model context by bounded artifact:// references.

Attachment tray

Interactive
/attach path/to/context.txt
/attachments
/detach <id|all>

Accepted inputs are bounded workspace-jailed text and supported PNG, JPEG, GIF, or WebP images.

Export and share

/export produces JSON or text session output. /dump renders diagnostic session content. /share creates the configured sharing representation. Review secrets and proprietary data before moving any export outside the trust boundary.

State

Collaboration & jobs

Collaboration synchronizes explicit session state. Jobs expose tracked work that outlives a single foreground tool call.

Collaboration lifecycle

Interactive
/collab status
/collab start
/collab share
/collab sync
/join <relay-file-url-or-path>
/leave
/collab stop

A relay reference conveys connection information, not blanket local tool authority. Joined peers remain represented as session events.

Jobs

/jobs opens the native tracked-job view. Use it to inspect ownership, state, progress, terminal outcome, and retained output instead of searching for unverified process IDs.

Failure behavior

Disconnects do not rewrite prior collaboration events. A stopped or failed job retains its outcome; restarting work creates a new attempt or explicit continuation.

Extend

Custom commands

File-based commands package repeatable prompts and local workflows without forking the Jeden runtime.

Locations

<cwd>/.jeden/commands/Project-owned commands.
~/.jeden/commands/User-owned commands.
.claude/commands, ~/.claude/commandsCompatibility sources controlled by native settings.
.opencode/commands, ~/.config/opencode/commandsCompatibility sources controlled by native settings.

Compatibility settings

commands.enableClaudeUser, commands.enableClaudeProject, commands.enableOpencodeUser, and commands.enableOpencodeProject enable their corresponding loaders. All default to true.

Discovery

Use /help to inspect active commands and /extensions to inspect extension sources. Names must not silently shadow a native command with a different authority contract.

Extend

Hooks

Hooks run at documented lifecycle boundaries and return bounded decisions to the same policy engine used by native operations.

Events

user-promptpre-toolpost-toolsession-startstop

Allowed decisions

A hook may add context, replace documented input fields, or block an operation. A hook cannot grant a capability that is absent, unhealthy, outside the workspace jail, or forbidden by operator policy.

Operate

/hooks inspects active hook sources and status. Hook output should be deterministic, bounded, non-interactive, and free of secret material.

Failure contract

A required policy hook that cannot produce a valid decision must fail closed. Post-tool failures are retained as evidence and must not erase the underlying tool result.

Extend

Custom tools

Custom modules add typed operations to the capability registry without bypassing native execution policy.

Locations

User modules load from ~/.jeden/tools/; project modules load from <cwd>/.jeden/tools/. Each module exports a default factory.

Factory contract

The factory receives current workspace helpers and returns one tool or a list of tools. Each tool declares a unique name, description, input contract, and executable handler.

Policy

  • Names cannot collide with built-in or already active tools.
  • Filesystem access remains workspace-jailed.
  • Write and command classifications still require exposure and approval.
  • Pre-tool and post-tool hooks apply.
  • Health and handler identity appear in the capability registry.

Inspect

Terminal
$ jeden tools --cwd .
$ jeden capabilities --json --cwd .
Extend

Plugins & marketplaces

Marketplaces discover packages; plugins are installed and activated extension units. Their state lives under ~/.jeden/plugins/.

Marketplace operations

Interactive
/marketplace list
/marketplace discover
/marketplace installed
/marketplace add <source>
/marketplace remove <name>
/marketplace install <name>
/marketplace uninstall <name>
/marketplace upgrade <name>

Plugin state

Interactive
/plugins list
/plugins enable <name>
/plugins disable <name>
/reload-plugins

Reload creates a new capability generation. Existing operations finish against the generation they started with.

Other extension sources

/extensions lists native project and user extensions. /agents lists available agent definitions. Installed status alone does not imply executable health; inspect the capability registry after activation.

Reference

RPC & ACP

Protocol modes adapt the same session lifecycle and capability registry used by the interactive terminal.

NDJSON RPC

Terminal
$ jeden rpc

RPC serves newline-delimited JSON requests and events over standard input and output. Keep diagnostic logging off the protocol stream.

Agent Client Protocol

Terminal
$ jeden acp

ACP exposes the runtime through the Agent Client Protocol on standard I/O for compatible editors and hosts.

Shared invariants

  • Requests use the same workspace and policy gates as local sessions.
  • Capabilities come from the active registry generation.
  • Tool calls, approvals, usage, artifacts, and terminal outcomes are durable session events.
  • Cancellation and deadlines are operation-scoped.
Reference

Headless mTLS

Headless mode exposes Jeden to authenticated clients without weakening local capability and approval policy.

Usage

Terminal
$ jeden headless <addr> \
  <server-cert.pem> <server-key.pem> \
  <client-ca.pem> <identity-map.json> \
  [revoked-serials.txt]

Identity

The server certificate authenticates the service. The client CA authenticates client certificates. The identity map converts a certificate identity into an explicit Jeden principal; unknown identities are rejected.

Revocation

The optional serial list denies known client certificates even when their chain remains valid. Keep it readable by the service and update it atomically.

Local policy remains authoritative

Mutual TLS authenticates transport and caller. It does not grant write, command, browser, SSH, plugin, or MCP authority by itself. Those decisions remain local and auditable.

Reference

Diagnostics

Diagnostics answer why a capability is unavailable or a run is unhealthy without printing protected credentials.

Doctor

Terminal
$ jeden doctor --cwd .
$ jeden doctor --json --cwd .

Doctor evaluates workspace storage, configuration, provider prerequisites, extension sources, and runtime dependencies.

Conformance

Terminal
$ jeden conformance --json --cwd .
$ jeden capabilities --json --cwd .

Conformance checks registry invariants and public contracts. Capability output supplies descriptor-level health and evidence.

Interactive status

/status/stats/settings/jobs/changelog

Report with evidence

Include the Jeden version, operating mode, affected capability ID, health state, terminal error, and smallest reproduction. Redact endpoint credentials, tokens, cookies, private keys, and session exports before sharing.

Reference

Security model

Jeden treats model output as a proposal. Authority comes from the local runtime, its operator policy, and the exact state observed before an effect.

Defense layers

Capability exposure

Read tools are available by default. Write and command families require explicit invocation flags or configuration.

Workspace jail

Filesystem tools resolve paths beneath --cwd. Context imports remain within their context root.

Approval policy

always-ask, write, or yolo determines which allowed effects still require confirmation.

Lifecycle hooks

Pre-tool hooks can inspect, narrow, replace supported inputs, or block the call.

Revision guards

Digests and snapshot tags reject stale writes rather than overwriting concurrent changes.

Durable evidence

Requests, tool calls, decisions, results, usage, and artifacts remain attached to the session.

Approval modes

always-askPrompt before any effect classified as approval-required.
writeGrant configured write behavior while retaining stronger boundaries for command execution.
yoloAutomatically approve exposed tools. Only safe inside an independently trusted sandbox.

Model-bound secrets

Known secrets are protected before text reaches the model. secrets.mode selects redaction or obfuscation. Environment discovery protects secret-named variables at or above secrets.minLength.

Do not confuse masking with storage

Secret protection reduces accidental model exposure. Credentials should still come from the operator’s secret store and must not be committed to project configuration, context files, or transcripts.

Remote runtimes

jeden headless requires a server certificate, server private key, client CA, explicit identity map, and optional revoked-serial list. Mutual TLS authenticates the transport; the local tool policy still governs effects.

Reference

Action protocol

Native provider tool calls and strict JSON actions enter the same validated local execution loop. Tool schemas are derived from each input contract and sent with the model request.

Execution loop

  1. The model returns a native tool call or a strict JSON action.
  2. Jeden resolves the action against the current capability registry.
  3. Input schema, path jail, exposure flags, approval mode, and hooks are evaluated.
  4. The handler executes and returns a typed result.
  5. The result is appended to the session and returned to the model.
  6. The loop continues until a final answer or configured step limit.

Action shapes

Actions are explicit objects; prose that resembles a command does not execute. A strict action identifies the action name and its typed arguments. Selectors and mutation guards are carried as data, not inferred from surrounding text.

Conceptual action
{
  "action": "read_file",
  "args": {
    "path": "src/server.ts:80-140"
  }
}

Selectors

:50Read from line 50.
:50-90Read an inclusive range.
:5-16,90-110Read several visible ranges.
:rawReturn verbatim content.
:conflictsReturn unresolved merge-conflict blocks.
archive.zip:path/fileAddress an archive member.
db.sqlite:table:keyAddress one SQLite row by primary key.
artifact://nameAddress a persisted session artifact.

Anchored edits

An anchored edit names the snapshot tag returned by the latest read, then applies tight line or block operations only to visible anchors. Every successful mutation produces a fresh snapshot; subsequent edits must re-read or use the new tag.

  • SWAP replaces an exact visible line range.
  • INS.PRE / INS.POST inserts without restating unchanged lines.
  • DEL deletes an exact line range.
  • Block operations target a complete syntax block at its opener.
  • MV / REM move or remove a file under the same guarded contract.
Invariant

The edit body is final content, not a diff. Ranges describe original lines. Stale tags and unseen anchors are rejected.

Oversized results

Large tool output is persisted under the session artifact store. The model receives a compact artifact:// reference and may issue bounded follow-up reads instead of carrying the full payload in context.