|
| 1 | +# Studio AI assistant infrastructure |
| 2 | + |
| 3 | +- Status: Accepted |
| 4 | +- Deciders: Team |
| 5 | +- Date: 07.05.2026 |
| 6 | + |
| 7 | +## Result |
| 8 | + |
| 9 | +A4: The Studio AI assistant (MCP and agent) runs on the same node pool as Designer, with no separate sandboxing for the agent. The agent's resource use is limited and its runtime capabilities are deterministically limited to `git clone`, `git commit`, `git push`, and read/write access to its own internal file system. Revisit if the agent becomes more autonomous, e.g. if it gains the ability to write its own bash commands. |
| 10 | + |
| 11 | +## Problem context |
| 12 | + |
| 13 | +The Studio AI assistant is nearing beta. Before it can be made available in production, operational considerations need to be addressed. |
| 14 | + |
| 15 | +The assistant is composed of two services: |
| 16 | + |
| 17 | +### MCP |
| 18 | + |
| 19 | +- Provides Studio context from internal prompts and docs.altinn.studio. |
| 20 | +- May gather context from service owner apps in the future. |
| 21 | +- Passes context to the agent and other external consumers. |
| 22 | +- Has no editing abilities. It only passes information to consumers. |
| 23 | + |
| 24 | +### Agent |
| 25 | + |
| 26 | +- Can answer general questions or make changes to repos. |
| 27 | +- Gathers Studio context from the MCP. |
| 28 | +- Uses the Designer API key for access through the Gitea proxy. The agent has the same authentication level as a logged-in developer. |
| 29 | +- Currently, it follows a workflow with well-defined steps, but may become more autonomous in the future. |
| 30 | +- Capabilities are limited to predefined `git clone`, `git commit`, `git push` commands and read/write access to its own internal file system. |
| 31 | + |
| 32 | +## Decision drivers |
| 33 | + |
| 34 | +- D1: Resource allocation of the assistant should not affect other services. |
| 35 | +- D2: The agent should be securely locked to its intended scope because it has write access and is exposed to prompt-injection risk. |
| 36 | + |
| 37 | +## Alternatives considered |
| 38 | + |
| 39 | +- A1: Separate node pool and network sandboxing for agent |
| 40 | +- A2: Separate node pool only. No sandboxing. |
| 41 | +- A3: Run on the same node pool as Designer, but use sandboxing for agent. |
| 42 | +- A4: Run on the same node pool as Designer. No sandboxing. |
| 43 | + |
| 44 | +## Pros and cons |
| 45 | + |
| 46 | +### A1: Separate node pool and sandboxing |
| 47 | + |
| 48 | +- Good, isolates resource use (D1) and contains the impact of theoretical unintended agent actions (D2). |
| 49 | +- Bad, operationally heavy. Not justified by the agent's narrow capability surface. |
| 50 | + |
| 51 | +### A2: Separate node pool only |
| 52 | + |
| 53 | +- Good, isolates resource use (D1). |
| 54 | +- Good, narrow capability surface and developer-level auth already limits what the agent can do (D2). |
| 55 | +- Bad, operationally heavier than necessary given the agent's resource use. |
| 56 | + |
| 57 | +### A3: Same node pool, with sandboxing |
| 58 | + |
| 59 | +- Good, contains the impact of theoretical unintended agent actions (D2). |
| 60 | +- Good, resource use is limited and separate node pool is not needed at this scale. |
| 61 | +- Bad, sandboxing complexity not justified by current capabilities. |
| 62 | + |
| 63 | +### A4: Same node pool, no sandboxing |
| 64 | + |
| 65 | +- Good, operationally simple. No extra infrastructure. |
| 66 | +- Good, narrow capability surface and developer-level auth already limits what the agent can do (D2). |
| 67 | +- Good, agent's resource use is limited and separate node pool is not needed at this scale. |
0 commit comments