One ai-profile.yaml for Codex, Claude, and Tabnine.
Agent Profile Compiler is a local-first CLI that compiles one canonical agent profile into deterministic configuration for multiple AI coding agents. It is designed for developers who want consistent agent instructions without copying and hand-editing separate config files for every tool.
npm | Contributing | Security | Specs | Discussions
This repository is in preview / early access. The CLI is published as
agent-profile@0.3.5, but the schema, generated files, and command details may
change before 1.0.
Feedback is especially useful on:
- whether the profile model fits real repositories
- whether generated Codex, Claude, and Tabnine files are useful as-is
- confusing quick-start, doctor, or dry-run output
- missing safety checks or unclear local-first guarantees
- target outputs you would contribute or use next
Agent Profile Compiler turns this:
version: 1
project:
name: my-project
agents:
codex:
enabled: true
claude:
enabled: true
tabnine:
enabled: trueinto agent-specific local files for:
| Target | Generated output |
|---|---|
| Codex | project config and workflow skills |
| Claude | Claude project config, CLAUDE.md, and workflow skills |
| Tabnine | guideline output and MCP configuration |
Generated files are deterministic. Running the same profile through the same compiler version should produce the same output.
AI coding agents all need project context: conventions, safety rules, allowed
tools, workflow expectations, target-specific config, and reminders not to leak
source or secrets. Today that context is usually duplicated across files such
as AGENTS.md, CLAUDE.md, Codex config, Tabnine guidance, and MCP settings.
That creates three problems:
- agent instructions drift over time
- safety posture is easy to weaken accidentally
- onboarding a new agent means rewriting the same policy in another format
Agent Profile Compiler makes the profile the source of truth and treats agent-specific files as build artifacts.
Requirements: Node.js 24+ and npm 11+.
From the repository you want to configure:
npx agent-profile init
npx agent-profile compile --dry-run
npx agent-profile compile --write
npx agent-profile doctor
npx agent-profile uiThe workflow is:
initopens an interactive wizard that detects the stack and existing agent files, recommends a safe import strategy, and writes only after the finalWrite this plan?confirmation. In non-interactive environments (no TTY,CI=true, or--non-interactive)initreports a dry-run--import --strategy preserveplan and writes nothing. Power users can bypass the wizard with explicit flags such asinit --client codex --writeorinit --import --strategy regions --write.compile --dry-runpreviews the files that would be generated.compile --writewrites generated files under the project root.doctorchecks profile validity, drift, safety posture, and generated files. With--mcp-suggestions, doctor also runs a fully offline, informational scan that flags npm dependencies newer than APC's pinned knowledge baseline and points to curated MCP candidate ids. It emitsinfofindings only — it never installs, configures, fetches, or changes the exit code.uistarts a local browser UI on loopback. The UI can inspect the project and editai-profile.yamlthrough a diff-gated save flow; generated artifacts are still written only by the CLI.
Write-capable commands require an explicit --write. Dry-run is the default
review path.
init is intentionally conservative. As a temporary first-run workaround, it
checks allowlisted metadata at the repository root and candidate project roots
up to two directories below it. It never reads source, .env*, lockfiles,
hidden/tool directories, build output, or symlinked metadata. React and plain
JavaScript detection are temporary metadata-only bridges. When no language is
detected, the interactive wizard offers bounded manual slug entry and other
flows use the inert unknown fallback instead of refusing setup.
See the CLI reference for the exact depth, skip, allowlist, reporting, and fallback contracts. This temporary aggregation does not create per-package profiles or workspace ownership.
The MVP contract is intentionally narrow:
- no source-code upload
- no secret upload
- no hosted execution
- no telemetry by default
- generated files are deterministic
- writes stay under the selected project root after containment checks
- runtime permissions are enforced by the target agent clients, not by this tool
--root is the repository trust boundary. The CLI reads and writes only under
that root after path and symlink containment checks.
agent-profile init # interactive wizard (Phase 15)
agent-profile init --non-interactive # dry-run preserve, writes nothing
agent-profile init --dry-run
agent-profile init --write
agent-profile init --client codex,claude --write
agent-profile init --import --strategy preserve --dry-run
agent-profile init --import --strategy regions --write
agent-profile init --import --update-gitignore --write
agent-profile compile --dry-run
agent-profile compile --write
agent-profile doctor
agent-profile doctor --json
agent-profile doctor --mcp-suggestions # offline, informational MCP scan
agent-profile ui
agent-profile ui --root /path/to/project --port auto --open trueExit codes:
| Code | Meaning |
|---|---|
0 |
command completed without errors |
1 |
validation, compile, doctor, or write-safety error |
2 |
argument parsing failure |
3 |
protected files would be replaced without --force |
If your repository already has AGENTS.md, CLAUDE.md, custom skills, or
local MCP/Claude/Codex runtime config, run init --import instead of init.
The default --strategy preserve reports what exists without changing any
files; --strategy regions wraps existing AGENTS.md/CLAUDE.md content in
a manual region and inserts a compiler-managed generated region so subsequent
compile --write runs update only generated bytes. --update-gitignore --write appends recommended ignore lines for local-runtime files
(.cce/, .mcp.json, .claude/settings.local.json, .claude/worktrees/,
.codex/config.toml, .codex/hooks.json); .claude/settings.json is
generated client config and intentionally not recommended for ignore.
For AGENTS.md and CLAUDE.md with valid region markers, compile --write
preserves manual region bytes byte-for-byte and refuses to overwrite files
that lack markers (run init --import --strategy regions --write first).
--force does not bypass that refusal — the supported repair path is
manual.
ai-profile.lock is now version 2 with ownership labels
(generated-owned, mixed, manual-owned). Version 1 lockfiles remain
readable and are migrated to v2 on the next successful write; the migration
is deterministic and idempotent. Older agent-profile binaries will reject
v2 lockfiles — see Release notes.
For repos where reviewing import findings visually is easier than reading CLI
output, agent-profile ui includes a Migration view at /migration that
displays the same Phase 14 import report and lets you pick a per-file action
before writing.
agent-profile ui [--root <path>] [--port auto|<number>] [--open true|false]
--portdefaults toauto(ephemeral loopback port).--opendefaults totruein interactive TTY sessions,falseotherwise.- The CLI prints a one-time session token in the URL; the server rejects any
request that does not carry the token via query string, cookie, or
x-agent-profile-sessionheader. - The server binds
127.0.0.1by default and never binds0.0.0.0.
Per-file row actions in the Migration view:
| Action | When it appears |
|---|---|
Preserve |
always (for non-refused rows) |
Add regions |
unmarked supported root file (AGENTS.md/CLAUDE.md) |
Update generated region |
file already has region markers |
Replace generated-owned |
only for generated-owned non-root files; needs a per-row second confirmation, then confirmReplace:true on apply |
Skip |
always |
The UI never writes without showing a plan first, never reads or previews
.env* files, and surfaces a post-write doctor result inline — failed
doctor checks are reported, not auto-reverted.
- Read
ai-profile.yamlfrom the project root. - Validate it against the versioned schema.
- Compile target outputs in memory.
- Produce a deterministic lockfile and write plan.
- Preview or write files depending on the command.
- Run
doctorchecks for drift, structure, permission posture, secret hygiene, skill hygiene, and conservative semantic warnings.
The schema lives at
packages/schemas/ai-profile.schema.json.
The minimal valid fixture lives at
fixtures/minimal-valid/ai-profile.yaml.
Implemented and verified:
- profile schema validation
- deterministic compiler and lockfile generation
- golden fixture comparison
AGENTS.mdtarget output- Tabnine guideline and MCP outputs
- Codex config and workflow skill outputs
- Claude config,
CLAUDE.md, and workflow skill outputs init,compile,doctor, anduiCLI flows- local stack detection and import analysis
- diff-before-write review path
- local SvelteKit UI with guarded profile editing
- npm-distributed
npx agent-profileentrypoint
Deferred or out of scope for the MVP:
- hosted execution
- source-code upload
- secret upload
- telemetry
- browser writes for generated artifacts
- enterprise policy packs
- Cursor, Aider, Copilot, and other additional targets
- standalone
agent-profile diffcommand
Near-term preview work:
- improve first-run examples and generated profile comments
- collect feedback on real-world generated target files
- tighten docs around MCP/client capability differences
- improve local UI explanations for no-profile and doctor states
- define next target support only through approved specs
Longer-term ideas live in the later-phase specs under
docs/specs/.
Contributions are welcome during preview, especially small fixes, real-world profile examples, documentation improvements, doctor checks, and target-output feedback.
This repository uses SDD/TDD:
- Read the relevant spec in
docs/specs/. - Confirm the goal, non-goals, contracts, and acceptance criteria.
- Add or update tests where practical.
- Keep changes scoped to the approved spec.
- Run tests, golden tests, and doctor/checks where applicable.
See CONTRIBUTING.md and
docs/development/sdd-workflow.md.
For feedback that is not yet a bug or pull request, use GitHub Discussions.
Use npm workspaces:
npm install
npm test
npm run check
npm run buildFor local UI development:
npm run dev --workspace @agent-profile/webThe dev server binds to 127.0.0.1:5176 by default. Override the inspected
project root with AGENT_PROFILE_ROOT:
AGENT_PROFILE_ROOT=/path/to/your/repo npm run dev --workspace @agent-profile/webNetwork posture: loopback-only local UI, no outbound HTTP, no third-party fonts at runtime, and no telemetry.
apps/
cli/
web/
packages/
core/
scanner/
compiler/
doctor/
templates/
schemas/
docs/
specs/
architecture/
research/
targets/
security/
development/
fixtures/
examples/
Apache-2.0. See LICENSE.