Agent System

Autonomous AI agents with tool-use loops

SuperFastClaw ships a built-in security agent with 6 analysis tools, plus a flexible runner that supports any custom agent defined in config.yaml. Agents run multi-turn, call tools, and stream results in real time.

Agent Run Lifecycle

1. Receive input: via CLI, WebSocket, or any channel
2. Call provider (Complete): Anthropic / OpenAI / Ollama
3. Execute tool calls: read_file, grep, scan_secrets, …
4. Append tool_result → repeat: until no tool calls or maxTurns

Built-in

Security Agent

The security agent is registered automatically — no configuration required. It has 6 tools that let it read, search, and analyse a codebase for vulnerabilities, secrets, and risky dependencies.

🛡️

What the security agent checks

World-writable files · Setuid/setgid bits · 12 secret patterns (AWS, GitHub, Anthropic, OpenAI, JWT, DB URLs, Slack, Discord, private key headers) · Known risky npm/Go packages · Permission anomalies. All secret values are redacted in output — only the pattern type is reported.
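
The redaction rule above, as an added Go example (not SuperFastClaw's own code): the finding type has no field for the matched text, so only the pattern type and line number can ever be reported. `Finding`, `ScanSecrets`, the three patterns and the sample input are assumptions; the page does not list the tool's 12 patterns.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding has no field for the matched text, so a secret value cannot
// leak into the model's context, the event stream, or logs.
type Finding struct {
	Type string
	Line int
}

// Three illustrative patterns (assumed; the page does not list its 12).
var patterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws_access_key_id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github_token", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"private_key_header", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
}

// ScanSecrets reports the pattern type and 1-based line of every hit.
func ScanSecrets(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		for _, p := range patterns {
			if p.re.MatchString(sc.Text()) {
				out = append(out, Finding{Type: p.name, Line: n})
			}
		}
	}
	return out
}

// Sample is constructed input; the key is AWS's published example value.
const Sample = "region = us-east-1\n" +
	"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n" +
	"-----BEGIN RSA PRIVATE KEY-----\n"

func main() {
	for _, f := range ScanSecrets(Sample) {
		fmt.Printf("line %d: %s [REDACTED]\n", f.Line, f.Type)
	}
}
```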

📄
read_file

Reads a file with line numbers, buffered to a maximum of 500 lines. Provides the agent with full context of any source file.

Params: path, max_lines?
📁
list_files

Recursively lists files under a directory with configurable depth. Automatically skips .git, node_modules, and other noise.

Params: path, depth?
🔍
grep

Regex search across files with configurable context lines. Returns up to 100 matches with file path, line number, and surrounding context.

Params: pattern, path, context?
🔐
check_permissions

Walks a directory tree and flags files that are world-writable (0o002), setuid (0o4000), or setgid (0o2000).

Params: path
🕵️
scan_secrets

Scans files for 12 secret patterns. Matches are redacted — only the type and location are reported. Handles AWS keys, GitHub tokens, private key PEM headers, DB connection strings, and more.

Params: path · Patterns: 12
📦
check_dependencies

Reads go.mod or package.json and cross-references against a list of known-vulnerable or risky packages. Reports any matches with severity notes.

Params: path
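
The check_permissions rule, as an added Go example (not the project's own code; `Classify` and `CheckPermissions` are hypothetical names). The octal values quoted above are the Unix mode bits, and in Go the setuid and setgid tests have to use `fs.ModeSetuid` and `fs.ModeSetgid`, which the example demonstrates.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
)

// Classify maps a mode to the flags check_permissions reports. fs.FileMode
// carries setuid/setgid as fs.ModeSetuid/fs.ModeSetgid, not at the Unix
// st_mode positions 0o4000/0o2000, so masking with those octals never matches.
func Classify(m fs.FileMode) []string {
	var flags []string
	if m.Perm()&0o002 != 0 {
		flags = append(flags, "world-writable")
	}
	if m&fs.ModeSetuid != 0 {
		flags = append(flags, "setuid")
	}
	if m&fs.ModeSetgid != 0 {
		flags = append(flags, "setgid")
	}
	return flags
}

// CheckPermissions walks root (WalkDir never follows symlinks) and flags regular files.
func CheckPermissions(root string) (map[string][]string, error) {
	out := map[string][]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil // directories are descended into; links and devices are skipped
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if f := Classify(info.Mode()); len(f) > 0 {
			out[p] = f
		}
		return nil
	})
	return out, err
}

func main() {
	fmt.Println(CheckPermissions("."))
}
```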

Running the Security Agent

terminal (bash)
# CLI — audit a local project
$ ./superfastclaw agent run security --input "Audit /path/to/project"

# Read input from stdin
$ echo "Scan /app for secrets and risky deps" | ./superfastclaw agent run security --stdin

# Via WebSocket
{
  "method": "agents.run",
  "payload": {
    "agent_id": "security",
    "input": "Audit /srv/app for vulnerabilities"
  }
}
Internals

How the Runner works

The Runner is a generic multi-turn loop. It calls the provider, receives tool calls, executes them, and appends results — repeating until the model has no more tool calls or max_turns is reached.

1. Build messages: append user input + session history to the provider request
2. prov.Complete(): send to Anthropic / OpenAI / Ollama, receive Response with ToolCalls
   ↓ If response.ToolCalls is empty → done
3. Execute tools: run each ToolCall in the registered ToolDef map, capture output
4. Append tool_result: add [tool_result id=…] message to history, increment turn counter
   ↑ Loop back to step 1 (until no tool calls or maxTurns reached)

Tool execution is synchronous per turn but agents run in goroutines — multiple agents can run concurrently without blocking the gateway. Each run is tracked by a runState and the client receives agent.started / agent.done events.
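
The loop above, as an added Go example (not the project's Runner): tool names are dispatched only through the registered map, an unregistered name becomes an error tool_result rather than an execution, and the turn cap is a hard stop. Every type and function here (`ToolCall`, `Response`, `Provider`, `ProviderFunc`, `ToolDef`, `Run`, `ErrMaxTurns`) is hypothetical, named after the terms in the text, and the provider in `main` is a constructed stand-in.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types, named after the terms used in the text above.
type ToolCall struct{ ID, Name, Arg string }
type Response struct {
	Text      string
	ToolCalls []ToolCall
}
type Provider interface{ Complete(history []string) (Response, error) }
type ToolDef func(arg string) (string, error)
type ProviderFunc func([]string) (Response, error) // lets a closure act as a Provider
func (f ProviderFunc) Complete(h []string) (Response, error) { return f(h) }
var ErrMaxTurns = errors.New("max turns reached")

// Run drives the loop and returns the final text and the turns used.
func Run(p Provider, tools map[string]ToolDef, input string, maxTurns int) (string, int, error) {
	history := []string{"user: " + input}
	for turn := 1; turn <= maxTurns; turn++ {
		resp, err := p.Complete(history)
		if err != nil || len(resp.ToolCalls) == 0 {
			return resp.Text, turn, err // provider failed, or the model is done
		}
		for _, tc := range resp.ToolCalls {
			out := "error: unknown tool " + tc.Name // unregistered names never execute
			if fn, ok := tools[tc.Name]; ok {
				if out, err = fn(tc.Arg); err != nil {
					out = "error: " + err.Error()
				}
			}
			history = append(history, fmt.Sprintf("[tool_result id=%s] %s", tc.ID, out))
		}
	}
	return "", maxTurns, ErrMaxTurns // hard cap bounds cost and runaway loops
}

func main() {
	p := ProviderFunc(func(h []string) (Response, error) {
		if len(h) == 1 { // constructed stand-in: first turn asks for one tool
			return Response{ToolCalls: []ToolCall{{"t1", "list_files", "/srv/app"}}}, nil
		}
		return Response{Text: "report"}, nil
	})
	tools := map[string]ToolDef{"list_files": func(string) (string, error) { return "main.go", nil }}
	fmt.Println(Run(p, tools, "Audit /srv/app", 20))
}
```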
Configuration

Custom Agents

Define prompt-only agents in config.yaml under the agents key. No code required — just a system prompt, a model, and a max turns limit.

config.yaml (yaml)
agents:
  # Built-in security agent — no config needed
  # Run: ./superfastclaw agent run security

  default:
    provider: anthropic
    model: claude-sonnet-4-6
    system_prompt: "You are a helpful assistant."
    max_turns: 20

  code-reviewer:
    provider: anthropic
    model: claude-sonnet-4-6
    system_prompt: "You are a senior engineer reviewing code for correctness, performance, and security."
    max_turns: 10

  docs-writer:
    provider: anthropic
    model: claude-haiku-4-5-20251001
    system_prompt: "You write clear, concise technical documentation in Markdown."
    max_turns: 5

  analyst:
    provider: openai
    model: gpt-4o
    system_prompt: "You are a data analyst. Always respond with structured insights."
    max_turns: 15
    options:
      temperature: 0.3
Custom agents defined in config are prompt-only — they use the multi-turn runner but have no tools. To add tools, implement the Agent interface in Go and register with agent.Register() in internal/agent/.
Reference

WebSocket API — Agents

All agent interactions happen through these four methods and two events.

| Method / Event | Direction | Description |
|---|---|---|
| agents.list | → request | Returns all registered agent IDs and their config (provider, model, max_turns) |
| agents.run | → request | Starts a new agent run. Returns immediately; progress arrives via events. |
| agent.started | ← event | Fired as soon as the run goroutine begins. Payload: {run_id, agent_id} |
| agent.progress | ← event | Fired after each tool call with intermediate output |
| agent.done | ← event | Fired when the run completes. Payload: {run_id, output, turns_used} |
| agent.error | ← event | Fired if the run fails. Payload: {run_id, error} |

example (json)
// → Start a security audit
{
  "id": "req-42",
  "method": "agents.run",
  "payload": {
    "agent_id": "security",
    "input": "Audit /srv/myapp for vulnerabilities and exposed secrets",
    "provider": "anthropic",
    "model": "claude-sonnet-4-6"
  }
}

// ← Immediate acknowledgement
{ "id": "req-42", "ok": true, "payload": { "run_id": "run-7f3a" } }

// ← Progress events (asynchronous)
{ "event": "agent.started", "payload": { "run_id": "run-7f3a" } }
{ "event": "agent.progress", "payload": { "run_id": "run-7f3a", "tool": "list_files", "output": "..." } }
{ "event": "agent.done", "payload": { "run_id": "run-7f3a", "output": "Security report..." } }
CLI

Agent CLI Commands

terminal (bash)
# List all registered agents
$ ./superfastclaw agent list
  security      built-in  6 tools
  default       anthropic claude-sonnet-4-6
  code-reviewer anthropic claude-sonnet-4-6
  docs-writer   anthropic claude-haiku-4-5-20251001

# Run security agent on a directory
$ ./superfastclaw agent run security \
    --input "Audit /path/to/project for secrets and CVEs"

# Run with a custom provider override
$ ./superfastclaw agent run code-reviewer \
    --input "Review the PR diff below" \
    --provider openai \
    --model gpt-4o \
    --stdin < diff.txt