Edictum
Reference

Workflow Reference

Current `kind: Workflow` schema and runtime semantics.

AI Assistance

Right page if: you need the exact workflow YAML shape and the conditions the runtimes support today. Wrong page if: you want the ruleset schema -- see https://docs.edictum.ai/docs/rulesets/yaml-reference. Gotcha: this page documents the current shipped workflow format, including terminal stages and MCP-result evidence.

This is the current kind: Workflow document used by the Python, TypeScript, and Go runtimes.

Minimal Workflow

apiVersion: edictum/v1
kind: Workflow
metadata:
  name: coding-review

stages:
  - id: read-context
    tools: [Read]
    exit:
      - condition: file_read("TASK.md")
        message: Read the task before editing

  - id: implement
    entry:
      - condition: stage_complete("read-context")
    tools: [Edit, Bash]

  - id: done
    entry:
      - condition: stage_complete("implement")
    terminal: true

Top-Level Fields

FieldRequiredNotes
apiVersionYesMust be exactly edictum/v1
kindYesMust be exactly Workflow
metadataYesWorkflow identity
stagesYesOrdered list of workflow stages

metadata

FieldRequiredNotes
nameYesMust match ^[a-z0-9][a-z0-9._-]*$
descriptionNoFree-form text
versionNoOptional version label

stages[]

FieldRequiredNotes
idYesMust match ^[a-z0-9][a-z0-9._-]*$
descriptionNoFree-form text
entryNoArray of gate objects checked before the stage can start
toolsNoAuthoritative allowlist for the stage. Entries may be exact tool names or glob patterns like "mcp__*"
checksNoPer-call checks while the stage is active
exitNoArray of gate objects checked before the stage can finish
approvalNoPause at the stage boundary until approved
terminalNoFinal stage marker. A terminal stage never auto-advances past itself

Gate Objects

entry and exit gates use this shape:

entry:
  - condition: stage_complete("read-context")
  - condition: file_read("TASK.md")
    message: Read the task before editing
FieldRequiredNotes
conditionYesOne supported workflow condition
messageNoBlock message shown when the gate fails

Supported Conditions

ConditionWhat it checks
stage_complete("stage-id")Whether an earlier stage already completed
file_read("path")Whether successful read evidence recorded that path
approval()Whether the current stage was approved
approval("stage-id")Whether a named stage was approved
command_matches("regex")Whether command evidence for the stage matches the regex
command_not_matches("regex")Whether command evidence for the stage does not match the regex
exec("cmd", exit_code=0)Whether a trusted local command exits with the expected code
mcp_result_matches("tool", "field", "value")Whether recorded MCP result evidence for that tool matches one exact field/value pair

exec(...) requires explicit runtime opt-in.

Checks

Checks are structured objects, not condition: strings:

checks:
  - command_matches: "^pytest$"
    message: Run pytest before leaving this stage
  - command_not_matches: "^git push origin main$"
    message: Never push to main
FieldRequiredNotes
command_matchesExactly one of the twoRegex that must match command evidence
command_not_matchesExactly one of the twoRegex that must not match command evidence
messageYesFailure message

Approval

approval:
  message: Human review required before continuing

approval.message is required whenever approval is present.

Runtime Semantics

  • Stages are ordered and forward-only during normal execution.
  • State is persisted per session and per workflow name.
  • tools is authoritative when present.
  • Omitting tools makes a non-terminal stage unrestricted.
  • A terminal stage with no tools blocks all later tool calls once that stage is active.
  • A terminal stage with tools may still allow matching tools, but never auto-advances past itself.
  • Successful Read calls record evidence for file_read(...).
  • Successful Bash calls record evidence for command_matches(...) and command_not_matches(...).
  • Approved stages satisfy approval(...).
  • MCP-backed runs can record structured result evidence for mcp_result_matches(...).
  • evaluate() and other dry-run paths do not replace real runtime state progression.

Validation Rules

The current runtimes reject workflow YAML when any of these are false:

  • apiVersion is edictum/v1
  • kind is Workflow
  • metadata.name matches ^[a-z0-9][a-z0-9._-]*$
  • stages contains at least one item
  • every stage.id matches ^[a-z0-9][a-z0-9._-]*$
  • every stage.id is unique
  • every tools entry is a valid tool name or glob pattern
  • every gate condition is supported and non-empty
  • every checks entry sets exactly one of command_matches or command_not_matches
  • every checks entry has message
  • approval.message is present when approval is defined
  • terminal: true only appears on the last stage

Last updated on

Mutable Principal

Agents that serve multiple users, escalate privileges mid-session, or refresh auth tokens cannot use a fixed principal.

Lifecycle Callbacks

Edictum provides two lifecycle callbacks on the `Edictum` constructor for reacting to

On this page

Minimal WorkflowTop-Level Fieldsmetadatastages[]Gate ObjectsSupported ConditionsChecksApprovalRuntime SemanticsValidation RulesRelated