Skip to content
Selu Docs

manifest.yaml Schema

A manifest.yaml file defines a capability’s interface, resource requirements, and credential needs. It tells Selu how to run the capability and what secrets it requires.

Schema

Section titled “Schema”
FieldTypeRequiredDefaultDescription
idstringyesUnique capability identifier (lowercase, alphanumeric, hyphens)
classstringno"tool"Capability class: "tool" or "environment"
imagestringyesDocker image that implements the capability
tool_sourcestringno"manifest"Tool discovery mode: "manifest" or "dynamic"
discovery_tool_namestringno"list_tools"Tool name for dynamic discovery (when tool_source is "dynamic")
toolsarrayno[]List of tools this capability provides (required for "manifest" mode)
tools[].namestringyesTool name (used by agents)
tools[].descriptionstringyesWhat the tool does (shown to agents)
tools[].input_schemaobjectyesJSON Schema for tool parameters
tools[].requires_confirmationbooleannofalseLegacy field for backwards compatibility
tools[].recommended_policystringnoderivedRecommended policy: "allow", "ask", or "block"
tools[].terminal_on_successbooleannofalseWhen true, the tool loop exits immediately after a successful invocation instead of giving the LLM another iteration. Useful for “produce-and-done” tools like PDF generation where a follow-up call would create a duplicate artifact.
networkobjectno{"mode": "none"}Network access policy
network.modestringno"none"Network mode: "none", "allowlist", or "any"
network.hostsarrayno[]Allowed hosts for "allowlist" mode (format: "host:port")
filesystemstringno"none"Filesystem policy: "none", "temp", or "workspace"
credentialsarrayno[]List of credentials this capability needs
credentials[].namestringyesEnvironment variable name for the credential
credentials[].scopestringyesCredential scope: "system" or "user"
credentials[].credential_typestringno"secret"Type of credential (currently only "secret")
credentials[].requiredbooleannotrueWhether the credential is required for the capability to function
credentials[].descriptionstringno""Human-readable description of what this credential is for
resourcesobjectnodefaultsResource limits for the container
resources.max_memory_mbintegerno128Maximum memory in megabytes
resources.max_cpu_fractionnumberno0.5Maximum CPU cores (0.5 = half a core)
resources.max_cpu_secondsintegerno30Maximum CPU time per tool invocation
resources.pids_limitintegerno64Maximum number of processes/threads

Tool discovery modes

Section titled “Tool discovery modes”

Capabilities can provide tools in two ways:

Static tools (tool_source: manifest)

Section titled “Static tools (tool_source: manifest)”

Tools are declared directly in the manifest (default behavior):

manifest.yaml
id: my-capability
tool_source: manifest  # explicit, but this is the default
tools:
  - name: search_web
    description: Search the internet for information
    input_schema:
      type: object
      properties:
        query: {type: string}
      required: [query]

Dynamic tools (tool_source: dynamic)

Section titled “Dynamic tools (tool_source: dynamic)”

Tools are discovered at runtime by calling a special discovery tool:

manifest.yaml
id: my-capability
tool_source: dynamic
discovery_tool_name: list_tools  # optional, defaults to "list_tools"
tools: []  # must be empty for dynamic mode

With dynamic discovery, the capability container must implement a discovery tool (default name: list_tools) that returns the available tools in JSON format. This enables capabilities that generate tools based on runtime conditions, API introspection, or user configuration.

Credential scopes

Section titled “Credential scopes”

Credentials can have different scopes:

  • system — Shared across all users. Set once by an admin and used by everyone.
  • user — Personal to each user. Each person provides their own API keys.

Choose system for organizational API keys that should be shared, and user for personal accounts or when users prefer to manage their own credentials.

Tool policies

Section titled “Tool policies”

Each tool can declare a recommended_policy that serves as the default when users install the agent:

  • "allow" — Tool runs automatically without asking
  • "ask" — User is prompted before each tool execution
  • "block" — Tool is blocked by default (users must explicitly enable)

If you don’t specify recommended_policy, it’s derived from the legacy requires_confirmation field, or defaults to "block" for security.

Network access

Section titled “Network access”

Capabilities run in isolated containers with configurable network access:

No network access (mode: none)

Section titled “No network access (mode: none)”
network:
  mode: none

The capability cannot make any outbound network connections. Use this for tools that only process local data or use built-in datasets.

Allowlist mode (mode: allowlist)

Section titled “Allowlist mode (mode: allowlist)”
network:
  mode: allowlist
  hosts:
    - "api.openweathermap.org:443"
    - "*.googleapis.com:443"  # wildcard subdomains supported
    - "httpbin.org"           # any port if not specified

The capability can only connect to explicitly listed hosts. Wildcard entries starting with *. match any subdomain. This is the recommended mode for most capabilities.

Any network access (mode: any)

Section titled “Any network access (mode: any)”
network:
  mode: any

The capability can connect to any host on the internet. Use sparingly and only for trusted capabilities that need unrestricted access.

Examples

Section titled “Examples”

Basic tool capability

Section titled “Basic tool capability”
manifest.yaml
id: web-search
class: tool
image: ghcr.io/selu-bot/cap-web-search:2.1.0


tools:
  - name: search_web
    description: Search the web and return relevant results
    input_schema:
      type: object
      properties:
        query:
          type: string
          description: The search query
        max_results:
          type: integer
          description: Maximum results to return
          default: 5
      required: [query]
    recommended_policy: allow


network:
  mode: allowlist
  hosts:
    - "duckduckgo.com:443"
    - "api.openai.com:443"


credentials:
  - name: SEARCH_API_KEY
    scope: system
    required: false
    description: >
      Optional API key for enhanced search results. Get one from
      https://serpapi.com if you want more reliable search data.


resources:
  max_memory_mb: 256
  max_cpu_fraction: 0.5
  pids_limit: 32

Environment capability with workspace

Section titled “Environment capability with workspace”
manifest.yaml
id: python-env
class: environment
image: ghcr.io/selu-bot/cap-python-env:1.0.0


tools:
  - name: execute_python
    description: Execute Python code in an isolated environment
    input_schema:
      type: object
      properties:
        code:
          type: string
          description: Python code to execute
      required: [code]
    recommended_policy: ask


filesystem: workspace


credentials:
  - name: OPENAI_API_KEY
    scope: user
    required: true
    description: >
      Your OpenAI API key. Get one from https://platform.openai.com/api-keys.
      This is needed for AI-powered code analysis.


resources:
  max_memory_mb: 512
  max_cpu_fraction: 1.0
  max_cpu_seconds: 60
  pids_limit: 128

Dynamic tool capability

Section titled “Dynamic tool capability”
manifest.yaml
id: github-integration
class: tool
image: ghcr.io/selu-bot/cap-github:1.5.0
tool_source: dynamic
discovery_tool_name: discover_repositories


tools: []  # empty - populated by discovery at runtime


network:
  mode: allowlist
  hosts:
    - "api.github.com:443"
    - "github.com:443"


credentials:
  - name: GITHUB_TOKEN
    scope: user
    required: true
    description: >
      GitHub Personal Access Token. Create one at:
      https://github.com/settings/personal-access-tokens


      Required scopes: 'repo' for private repositories,
      'public_repo' for public repositories only.


resources:
  max_memory_mb: 256
  max_cpu_fraction: 0.8

Validation

Section titled “Validation”

The Selu orchestrator validates manifests when loading capabilities. Common validation errors:

  • Missing required fields — All capabilities must have id and image
  • Invalid network hosts — Must be in "host:port" format or just "host"
  • Invalid tool schemasinput_schema must be valid JSON Schema
  • Invalid credential scopes — Must be "system" or "user"
  • Invalid policy values — Must be "allow", "ask", or "block"
  • Dynamic mode conflictstool_source: dynamic requires empty tools array
  • Filesystem restrictionsfilesystem: workspace only allowed for class: environment

Next steps

Section titled “Next steps”

See Container Guidelines for how to implement the capability server, or check out the gRPC Interface for the protocol details.