AGENT CONTRACT TEMPLATE (v1)

Purpose
- Name the workflow this agent owns (one sentence).
- State the business goal (reduce time, reduce errors, increase throughput). Avoid vague “productivity.”

Identity & Authentication
- Agent identity type: (a) per-user delegated, (b) service account, (c) hybrid.
- Token handling: where credentials live, how they’re rotated, and how they’re revoked.
- Session rules: timeout, re-auth requirements for sensitive actions.

Capabilities (Allowlist)
- Tools/systems the agent may access (e.g., Jira, GitHub, Salesforce, Zendesk).
- For each tool: list allowed actions (create, read, update, comment, merge, send email).
- Explicit “never” list (e.g., no payroll tools, no IAM policy edits, no outbound to non-domain).

Execution Modes
- Suggest mode: outputs drafts/diffs/commands only; human executes.
- Execute mode (gated): agent executes but requires approval for high-risk steps.
- Execute mode (autonomous): only for low-risk, reversible steps with strict scopes.

Approval Policy
- Define what triggers approval: irreversible actions, external communication, production changes, deletions.
- Who can approve (role-based) and where approvals happen (in-app, Slack, email).
- What the approver sees: the plan, affected objects, preview/diff, and rollback plan.

Audit & Evidence
- Minimum audit events: request, plan, tool call, tool response, approval/denial, final outcome.
- Log access: who can view logs; redaction rules for sensitive content.
- Retention: align with customer needs (security/compliance). If unsure, make it configurable.

Failure Handling
- Tool errors: retry policy, backoff, and escalation path.
- Permission errors: stop and request scoped access; never silently broaden privileges.
- Uncertainty: define when the agent must ask clarifying questions instead of acting.

Rollback / Recovery
- For reversible actions: specify undo steps.
- For irreversible actions: specify compensating actions (open ticket, notify owner, create incident record).

Controls
- Kill switch: who can disable the agent globally and per workspace.
- Rate limits: per-user and per-workspace execution limits.
- Safe defaults: ship with conservative scopes and suggest mode unless explicitly upgraded.

Acceptance Criteria (for launch)
- A new admin can understand scopes and revoke access in minutes.
- Every executed action is traceable to a user request and a specific credential.
- High-risk steps are gated by approval or denied by policy.
- The product can be safely disabled without breaking customer systems.
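
Example (added here, not part of the template): one way to evaluate a single proposed tool call against the Capabilities, Execution Modes and Approval Policy sections, writing one audit event per decision. The field names, the sample tools and the risk-trait labels are assumptions made for illustration.

```python
# Added example; tool names, risk traits and field names are constructed.
from dataclasses import dataclass, field

HIGH_RISK = {"irreversible", "external_communication", "production_change", "deletion"}

@dataclass
class Contract:
    mode: str = "suggest"                        # safe default; "gated" / "autonomous" are upgrades
    allow: dict = field(default_factory=dict)    # tool -> set of allowed actions
    never: set = field(default_factory=set)      # explicit "never" list of tools

@dataclass
class Call:
    tool: str
    action: str
    traits: set = field(default_factory=set)     # risk traits attached by the planner
    reversible: bool = True

def decide(contract, call, audit):
    """Return 'deny', 'draft', 'needs_approval' or 'execute'; append one audit event."""
    if call.tool in contract.never:
        verdict, why = "deny", "tool is on the never list"
    elif call.action not in contract.allow.get(call.tool, set()):
        verdict, why = "deny", "action is not on the allowlist"
    elif contract.mode == "suggest":
        verdict, why = "draft", "suggest mode: human executes"
    elif contract.mode not in ("gated", "autonomous"):
        verdict, why = "deny", "unknown execution mode"   # fail closed
    elif call.traits & HIGH_RISK or not call.reversible:
        if contract.mode == "gated":
            verdict, why = "needs_approval", "high-risk step"
        else:
            verdict, why = "deny", "high-risk step in autonomous mode"
    else:
        verdict, why = "execute", "low-risk, reversible, in scope"
    audit.append({"tool": call.tool, "action": call.action, "verdict": verdict, "why": why})
    return verdict

if __name__ == "__main__":
    log = []
    c = Contract(mode="gated", allow={"github": {"read", "comment", "merge"}}, never={"payroll"})
    for call in (Call("payroll", "read"), Call("github", "comment"),
                 Call("github", "merge", {"production_change"})):
        print(call.tool, call.action, "->", decide(c, call, log))
```

The never list is checked before the allowlist, so a tool that ends up on both is still denied.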