注册表模式

registry: "eve"     # Eve 原生注册表（内部 JWT 认证）
registry: "none"    # 禁用注册表处理（公共镜像）
registry:           # 自带注册表（完整对象 — 见下文）
  host: public.ecr.aws/w7c4v0w3
  namespace: myorg
  auth: { username_secret: REGISTRY_USERNAME, token_secret: REGISTRY_PASSWORD }

对于自带/私有注册表，请提供：

registry:
  host: public.ecr.aws/w7c4v0w3
  namespace: myorg
  auth:
    username_secret: REGISTRY_USERNAME
    token_secret: REGISTRY_PASSWORD

托管数据库

使用 x-eve.role: managed_db 声明平台提供的数据库：

services:
  db:
    x-eve:
      role: managed_db
      managed:
        class: db.p1
        engine: postgres
        engine_version: "16"

不会部署到 K8s — 由编排器在首次部署时提供。在其他地方引用托管值：${managed.db.url}。

用于数据库迁移的 Eve-Migrate

使用平台的迁移运行器，而不是 Flyway、TypeORM 或 Knex。它使用带时间戳前缀的纯 SQL 文件，并在 schema_migrations 中跟踪：

services:
  migrate:
    image: public.ecr.aws/w7c4v0w3/eve-horizon/migrate:latest
    environment:
      DATABASE_URL: ${managed.db.url}
      MIGRATIONS_DIR: /migrations
    x-eve:
      role: job
      files:
        - source: db/migrations
          target: /migrations

迁移文件：db/migrations/20260312000000_initial_schema.sql。x-eve.files 指令将它们挂载到容器中的 /migrations。

在流水线中，迁移步骤必须在部署之后运行（托管数据库需要提供）：

pipelines:
  deploy:
    steps:
      - name: build
        action: { type: build }
      - name: release
        depends_on: [build]
        action: { type: release }
      - name: deploy
        depends_on: [release]
        action: { type: deploy }
      - name: migrate
        depends_on: [deploy]
        action: { type: job, service: migrate }

对于本地开发，通过 Docker Compose 使用相同的镜像以保持一致性：

# docker-compose.yml
services:
  migrate:
    image: ghcr.io/incept5/eve-migrate:latest
    environment:
      DATABASE_URL: postgres://app:app@db:5432/myapp
    volumes:
      - ./db/migrations:/migrations:ro
    depends_on:
      db: { condition: service_healthy }

旧版清单

如果仓库仍在使用旧版清单中的 components:，请迁移到 services: 并添加 schema: eve/compose/v2。保持端口和环境变量键不变。

服务

• 提供 image 和可选的 build（上下文和 dockerfile）。
• 根据需要，使用 ports、environment、healthcheck、depends_on。
• 对于外部托管的服务，使用 x-eve.external: true 和 x-eve.connection_url。
• 对于一次性服务（迁移、种子数据），使用 x-eve.role: job。对于数据库迁移，优先使用 Eve 的 eve-migrate 镜像（见下文）。

构建配置

具有 Docker 镜像的服务应定义其构建配置：

services:
  api:
    build:
      context: ./apps/api           # 构建上下文目录
      dockerfile: Dockerfile        # 可选，默认为 context/Dockerfile
    # image: api      # 如果使用 build，则为可选；托管注册表会派生此名称
    ports: [3000]

注意：每个部署流水线都应在 release 之前包含一个 build 步骤。构建步骤会创建跟踪的 BuildSpec/BuildRun 记录，并生成发布用于确定性部署的镜像摘要。

本地开发对齐

• 保持服务名称和端口与 Docker Compose 对齐。
• 优先使用 ${secret.KEY}，并使用 .eve/dev-secrets.yaml 存储本地值。

环境、流水线、工作流

• 通过 environments.<env>.pipeline 将每个环境链接到一个流水线。
• 当设置了 pipeline 时，eve env deploy <env> 会触发该流水线，而不是直接部署。
• 使用 environments.<env>.pipeline_inputs 为流水线运行提供默认输入。
• 在运行时使用 eve env deploy <env> --ref <sha> --inputs '{"key":"value"}' --repo-dir ./my-app 覆盖输入。
• 使用 --direct 标志绕过流水线并直接部署：eve env deploy <env> --ref <sha> --direct --repo-dir ./my-app。
• 流水线步骤可以是 action、script 或 agent。
• 配置后，使用 action.type: create-pr 进行 PR 自动化。
• 工作流位于 workflows 下，通过 CLI 调用；db_access 会被遵守。

平台注入的环境变量

Eve 会自动将这些变量注入到所有已部署的服务容器中：

从您的容器进行后端调用时，请使用 EVE_API_URL。对于浏览器/客户端代码，请使用 EVE_PUBLIC_API_URL。服务可以在其 environment 部分覆盖这些变量。

插值和密钥

• 环境变量插值：${ENV_NAME}、${PROJECT_ID}、${ORG_ID}、${ORG_SLUG}、${COMPONENT_NAME}。
• 密钥插值：${secret.KEY} 从 Eve 密钥或 .eve/dev-secrets.yaml 中提取。
• 托管数据库插值：${managed.<service>.<field>} 在部署时解析。
• 使用 .eve/dev-secrets.yaml 进行本地覆盖；通过 API 为生产环境设置真实的密钥。

Eve 扩展

• 通过 x-eve.defaults 设置顶级默认值（env、harness、harness_profile、harness_options、hints、git、workspace）。
• 通过 x-eve.agents 设置顶级代理策略（profiles、councils、availability rules）。
• 通过 x-eve.packs 设置代理包，并可选择 x-eve.install_agents 默认值。
• 通过 x-eve.agents.config_path 和 x-eve.agents.teams_path 设置代理配置路径。
• 通过 x-eve.chat.config_path 设置聊天路由配置。
• 服务扩展位于 x-eve 下（ingress、role、api specs、worker pools、cli、object_store）。
• API 规范：x-eve.api_spec 或 x-eve.api_specs（默认情况下，规范 URL 相对于服务）。
• 应用 CLI：x-eve.cli 声明一个对代理友好的服务 CLI（见下文）。
• 工具链：代理级别的 toolchains 声明按需注入运行时（见下文）。
• 云文件系统挂载：通过集成配置，而不是清单（见 references/integrations.md）。
• 每个组织的 OAuth：每个组织通过 eve integrations configure 注册自己的 OAuth 应用凭证（见 eve-auth-and-secrets）。

示例：

x-eve:
  agents:
    version: 1
    config_path: agents/agents.yaml
    teams_path: agents/teams.yaml
  chat:
    config_path: agents/chat.yaml
  install_agents: [claude-code, codex]
  packs:
    - source: ./skillpacks/my-pack

应用 CLI 框架

推荐给每个带有 API 的应用。 将您的服务 API 包装在 CLI 中，并在此处注册。代理强烈倾向于使用 CLI 命令而不是原始 REST — CLI 透明地处理认证、URL 构建和错误格式化。这是 Eve 的方式：编码代理应该在仓库中构建一个 CLI，并在清单中注册它，而不是让代理直接调用 API。

平台会自动发现清单中带有 x-eve.cli 或 x-eve.api_spec 的服务，并使它们在项目的所有代理作业的 $PATH 上可用 — 无需显式的 with_apis。只需在此处声明 CLI，所有代理都会获得它。

services:
  api:
    x-eve:
      api_spec:
        type: openapi
      cli:
        name: myapp              # 二进制名称（放在 $PATH 上）
        bin: cli/bin/myapp       # 相对于仓库根目录的路径（预打包）

对于编译型 CLI，使用基于镜像的分发方式：

services:
  api:
    x-eve:
      cli:
        name: myapp
        image: ghcr.io/org/myapp-cli:latest    # 预构建镜像

工作原理

1. 清单同步将 CLI 元数据与 api_spec 一起存储。
2. 作业工作区设置（克隆后）运行 chmod +x 并将二进制文件符号链接到 /usr/local/bin/。
3. 对于基于镜像的 CLI，一个初始化容器会从镜像中复制二进制文件。
4. CLI 读取 EVE_APP_API_URL_{SERVICE} 和 EVE_JOB_TOKEN（已注入）— 无需手动配置认证或 URL。

CLI 命名规则

• 小写字母数字加连字符：[a-z][a-z0-9-]*
• 每个项目内必须唯一
• 该名称成为代理调用的命令（例如，eden projects list）

工作器工具链声明

代理声明它们需要哪些运行时工具链。平台将它们作为初始化容器注入 — 无需臃肿的工作器镜像。

# 在 agents.yaml 中
agents:
  data-analyst:
    name: Data Analyst
    skill: analyze-data
    harness_profile: claude-sonnet
    toolchains: [python]           # 需要 python + uv

  doc-processor:
    name: Document Processor
    skill: process-documents
    harness_profile: claude-sonnet
    toolchains: [media]            # 需要 ffmpeg + whisper

可用工具链：python、media、rust、java、kotlin。

工作流可以覆盖代理默认值：

workflows:
  process-document:
    steps:
      - name: process
        agent: doc-processor
        toolchains: [media, python]  # 覆盖：需要两者

工具链挂载在 /opt/eve/toolchains/{name}/，二进制文件位于 $PATH 上。默认工作器镜像是 base（约 800MB）；工具链仅添加每个作业所需的内容。

云文件系统挂载

Google Drive 文件夹可以通过云文件系统集成挂载到组织文件系统中。配置通过集成系统完成，而不是清单。

# 组织管理员注册 Google Drive OAuth 应用凭证（自带应用）
eve integrations configure google-drive \
  --client-id "xxx.apps.googleusercontent.com" \
  --client-secret "GOCSPX-xxx"

# 连接并挂载一个 Drive 文件夹
eve integrations connect google-drive
eve cloud-fs mount --org org_xxx \
  --provider google-drive \
  --folder-id <drive-folder-id> \
  --label "Shared Drive"

开发人员使用 eve cloud-fs ls 浏览挂载的内容，并使用 eve cloud-fs search 进行搜索。挂载存储提供者文件夹 ID 以及一个可选的人类可读根文件夹路径提示；没有单独的 CLI --mount-path 设置。

应用对象存储

状态：模式存在，配置逻辑待定。 数据库模式（storage_buckets 表）和存储桶命名约定已实现。从清单自动配置的功能尚未连接。

在清单中声明应用范围的对象存储桶。每个存储桶按环境提供，凭证作为环境变量注入。

services:
  api:
    x-eve:
      object_store:
        buckets:
          - name: uploads
            visibility: private
          - name: avatars
            visibility: public
            cors:
              allowed_origins: ["*"]

自动注入的存储环境变量

当对象存储桶被提供时，这些环境变量会被注入到服务容器中：

设计规则

• 每个关注点一个存储桶。 将 uploads、avatars、exports 分开。
• 有意识地设置可见性。 只有提供公共资产的存储桶才应设置为 visibility: public。
• 为浏览器上传使用 CORS。 当前端通过预签名 URL 直接上传时，设置 cors.allowed_origins。
• 存储桶名称在服务内必须唯一。 平台从项目、环境和逻辑名称派生物理存储桶名称。

有关存储层的详细文档，请参阅 eve-read-eve-docs 技能：references/object-store-filesystem.md。

每周安装数

156

仓库

incept5/eve-skillpacks

首次出现

2026年2月8日

安全审计

Gen Agent Trust HubPassSocketPassSnykPass

安装于

codex156

gemini-cli156

claude-code154

pi60

opencode35

github-copilot35

Why this matters : Metadata helps preserve repository ownership and improves traceability. The Eve builder injects these labels automatically, but including them in your Dockerfile is still recommended.

For multi-stage Dockerfiles, add the labels to the final stage (the production image).

Registry Modes

registry: "eve"     # Eve-native registry (internal JWT auth)
registry: "none"    # Disable registry handling (public images)
registry:           # BYO registry (full object — see section below)
  host: public.ecr.aws/w7c4v0w3
  namespace: myorg
  auth: { username_secret: REGISTRY_USERNAME, token_secret: REGISTRY_PASSWORD }

For BYO/private registries, provide:

registry:
  host: public.ecr.aws/w7c4v0w3
  namespace: myorg
  auth:
    username_secret: REGISTRY_USERNAME
    token_secret: REGISTRY_PASSWORD

Managed Databases

Declare platform-provisioned databases with x-eve.role: managed_db:

services:
  db:
    x-eve:
      role: managed_db
      managed:
        class: db.p1
        engine: postgres
        engine_version: "16"

Not deployed to K8s — provisioned by the orchestrator on first deploy. Reference managed values elsewhere: ${managed.db.url}.

Eve-Migrate for Database Migrations

Use the platform's migration runner instead of Flyway, TypeORM, or Knex. It uses plain SQL files with timestamp prefixes, tracked in schema_migrations:

services:
  migrate:
    image: public.ecr.aws/w7c4v0w3/eve-horizon/migrate:latest
    environment:
      DATABASE_URL: ${managed.db.url}
      MIGRATIONS_DIR: /migrations
    x-eve:
      role: job
      files:
        - source: db/migrations
          target: /migrations

Migration files: db/migrations/20260312000000_initial_schema.sql. The x-eve.files directive mounts them into the container at /migrations.

In the pipeline, the migrate step must run after deploy (managed DB needs provisioning):

pipelines:
  deploy:
    steps:
      - name: build
        action: { type: build }
      - name: release
        depends_on: [build]
        action: { type: release }
      - name: deploy
        depends_on: [release]
        action: { type: deploy }
      - name: migrate
        depends_on: [deploy]
        action: { type: job, service: migrate }

For local dev, use the same image via Docker Compose for parity:

# docker-compose.yml
services:
  migrate:
    image: ghcr.io/incept5/eve-migrate:latest
    environment:
      DATABASE_URL: postgres://app:app@db:5432/myapp
    volumes:
      - ./db/migrations:/migrations:ro
    depends_on:
      db: { condition: service_healthy }

Legacy manifests

If the repo still uses components: from older manifests, migrate to services: and add schema: eve/compose/v2. Keep ports and env keys the same.

Services

• Provide image and optionally build (context and dockerfile).
• Use ports, environment, healthcheck, depends_on as needed.
• Use x-eve.external: true and x-eve.connection_url for externally hosted services.
• Use x-eve.role: job for one-off services (migrations, seeds). For database migrations, prefer Eve's eve-migrate image (see below).

Build configuration

Services with Docker images should define their build configuration:

services:
  api:
    build:
      context: ./apps/api           # Build context directory
      dockerfile: Dockerfile        # Optional, defaults to context/Dockerfile
    # image: api      # optional if using build; managed registry derives this
    ports: [3000]

Note: Every deploy pipeline should include a build step before release. The build step creates tracked BuildSpec/BuildRun records and produces image digests that releases use for deterministic deployments.

Local dev alignment

• Keep service names and ports aligned with Docker Compose.
• Prefer ${secret.KEY} and use .eve/dev-secrets.yaml for local values.

Environments, pipelines, workflows

• Link each environment to a pipeline via environments.<env>.pipeline.
• When pipeline is set, eve env deploy <env> triggers that pipeline instead of direct deploy.
• Use environments.<env>.pipeline_inputs to provide default inputs for pipeline runs.
• Override inputs at runtime with eve env deploy <env> --ref <sha> --inputs '{"key":"value"}' --repo-dir ./my-app.
• Use --direct flag to bypass pipeline and do direct deploy: eve env deploy <env> --ref <sha> --direct --repo-dir ./my-app.
• Pipeline steps can be action, script, or agent.
• Use action.type: create-pr for PR automation when configured.
• Workflows live under workflows and are invoked via CLI; db_access is honored.

Platform-Injected Environment Variables

Eve automatically injects these into all deployed service containers:

Use EVE_API_URL for backend calls from your container. Use EVE_PUBLIC_API_URL for browser/client-side code. Services can override these in their environment section.

Interpolation and secrets

• Env interpolation: ${ENV_NAME}, ${PROJECT_ID}, ${ORG_ID}, ${ORG_SLUG}, ${COMPONENT_NAME}.
• Secret interpolation: ${secret.KEY} pulls from Eve secrets or .eve/dev-secrets.yaml.
• Managed DB interpolation: ${managed.<service>.<field>} resolves at deploy time.
• Use .eve/dev-secrets.yaml for local overrides; set real secrets via the API for production.

Eve extensions

• Top-level defaults via x-eve.defaults (env, harness, harness_profile, harness_options, hints, git, workspace).
• Top-level agent policy via x-eve.agents (profiles, councils, availability rules).
• Agent packs via x-eve.packs with optional x-eve.install_agents defaults.
• Agent config paths via x-eve.agents.config_path and x-eve.agents.teams_path.
• Chat routing config via x-eve.chat.config_path.
• Service extensions under x-eve (ingress, role, api specs, worker pools, cli, object_store).
• API specs: x-eve.api_spec or x-eve.api_specs (spec URL relative to service by default).
• App CLI: x-eve.cli declares an agent-friendly CLI for the service (see below).
• Toolchains: agent-level toolchains declarations inject on-demand runtimes (see below).
• Cloud FS mounts: configured via integrations, not the manifest (see references/integrations.md).
• Per-org OAuth: each org registers its own OAuth app credentials via eve integrations configure (see eve-auth-and-secrets).

Example:

x-eve:
  agents:
    version: 1
    config_path: agents/agents.yaml
    teams_path: agents/teams.yaml
  chat:
    config_path: agents/chat.yaml
  install_agents: [claude-code, codex]
  packs:
    - source: ./skillpacks/my-pack

App CLI Framework

Recommended for every app with an API. Wrap your service API in a CLI and register it here. Agents strongly prefer CLI commands over raw REST — CLIs handle auth, URL construction, and error formatting transparently. This is the Eve way: coding agents should build a CLI in the repo and register it in the manifest rather than having agents call APIs directly.

The platform auto-discovers services with x-eve.cli or x-eve.api_spec from the manifest and makes them available on $PATH for all agent jobs in the project — no explicit with_apis needed. Just declare the CLI here and all agents get it.

services:
  api:
    x-eve:
      api_spec:
        type: openapi
      cli:
        name: myapp              # Binary name (goes on $PATH)
        bin: cli/bin/myapp       # Path relative to repo root (pre-bundled)

For compiled CLIs, use an image-based distribution:

services:
  api:
    x-eve:
      cli:
        name: myapp
        image: ghcr.io/org/myapp-cli:latest    # Pre-built image

How It Works

1. Manifest sync stores CLI metadata alongside api_spec.
2. Job workspace setup (after clone) runs chmod +x and symlinks the binary to /usr/local/bin/.
3. For image-based CLIs, an init container copies the binary from the image.
4. The CLI reads EVE_APP_API_URL_{SERVICE} and EVE_JOB_TOKEN (already injected) -- no manual auth or URL configuration.

CLI naming rules

• Lowercase alphanumeric with hyphens: [a-z][a-z0-9-]*
• Must be unique per project
• The name becomes the command agents invoke (e.g., eden projects list)

Worker Toolchain Declarations

Agents declare which runtime toolchains they need. The platform injects them as init containers -- no fat worker image required.

# In agents.yaml
agents:
  data-analyst:
    name: Data Analyst
    skill: analyze-data
    harness_profile: claude-sonnet
    toolchains: [python]           # Needs python + uv

  doc-processor:
    name: Document Processor
    skill: process-documents
    harness_profile: claude-sonnet
    toolchains: [media]            # Needs ffmpeg + whisper

Available toolchains: python, media, rust, java, kotlin.

Workflows can override agent defaults:

workflows:
  process-document:
    steps:
      - name: process
        agent: doc-processor
        toolchains: [media, python]  # Override: needs both

Toolchains are mounted at /opt/eve/toolchains/{name}/ with binaries on $PATH. The default worker image is base (~800MB); toolchains add only what each job needs.

Cloud FS Mounts

Google Drive folders can be mounted into the org filesystem via cloud FS integrations. Configuration is through the integrations system, not the manifest.

# Org admin registers Google Drive OAuth app credentials (BYOA)
eve integrations configure google-drive \
  --client-id "xxx.apps.googleusercontent.com" \
  --client-secret "GOCSPX-xxx"

# Connect and mount a Drive folder
eve integrations connect google-drive
eve cloud-fs mount --org org_xxx \
  --provider google-drive \
  --folder-id <drive-folder-id> \
  --label "Shared Drive"

Developers browse mounted content with eve cloud-fs ls and search it with eve cloud-fs search. The mount stores the provider folder ID plus an optional human-readable root-folder path hint; there is no separate CLI --mount-path setting.

App Object Store

Status: Schema exists, provisioning logic pending. The database schema (storage_buckets table) and bucket naming convention are implemented. Automatic provisioning from the manifest is not yet wired.

Declare app-scoped object storage buckets in the manifest. Each bucket is provisioned per environment with credentials injected as environment variables.

services:
  api:
    x-eve:
      object_store:
        buckets:
          - name: uploads
            visibility: private
          - name: avatars
            visibility: public
            cors:
              allowed_origins: ["*"]

Auto-Injected Storage Environment Variables

When object store buckets are provisioned, these env vars are injected into the service container:

Design Rules

• One bucket per concern. Separate uploads from avatars from exports.
• Set visibility intentionally. Only buckets serving public assets should be visibility: public.
• Use CORS for browser uploads. Set cors.allowed_origins when the frontend uploads directly via presigned URLs.
• Bucket names must be unique within a service. The platform derives the physical bucket name from the project, environment, and logical name.

For detailed storage layer documentation, see the eve-read-eve-docs skill: references/object-store-filesystem.md.

Weekly Installs

156

Repository

incept5/eve-skillpacks

First Seen

Feb 8, 2026

Security Audits

Gen Agent Trust HubPassSocketPassSnykPass

Installed on

codex156

gemini-cli156

claude-code154

pi60

opencode35

github-copilot35