feat(ge-urs): deny-by-default agent permissions (build agent) + check script (#128)

* chore(ge-urs): intake draft for deny-by-default agent permissions

* chore(ge-urs): add check script for agent permissions

* feat(ge-urs): adopt deny-by-default; update build agent permissions + add PERMISSIONS check and intake draft

* fix(ge-urs): allow-by-default policy; enforce destructive commands as ask

* feat(ge-urs): apply allow-by-default + destructive-as-ask across agents (per-agent edits)

Author: Sorra

.opencode/agent/build.md

@@ -10,6 +10,11 @@ tools:
 permission:
   bash:
     "rm *": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "rm -rf": ask
+    # Allow-by-default: permit non-destructive commands, interactive confirmation required for destructive ones.
     "*": allow
 ---
 You are **Build**, the **PM AI** and primary coordination agent for the Producer.

.opencode/agent/forge.md

@@ -9,10 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git *": allow
-    "bd *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Forge**, the **agent-definition author and reviewer** for this repository.
 

.opencode/agent/muse.md

@@ -9,10 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git *": allow
-    "bd *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Muse**, the **Designer AI**.
 

.opencode/agent/pixel.md

@@ -9,10 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git *": allow
-    "bd *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Pixel**, the **Art AI**.
 

.opencode/agent/probe.md

@@ -9,10 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git *": allow
-    "bd *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Probe**, the **QA AI**.
 

.opencode/agent/scribbler.md

@@ -9,10 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git *": allow
-    "bd *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Scribbler**, the **Docs AI**.
 

.opencode/agent/ship.md

@@ -9,26 +9,12 @@ tools:
   bash: true
 permission:
   bash:
-    "git add *": allow
-    "git branch *": allow
-    "git checkout *": allow
-    "git commit*": allow
-    "git diff": allow
-    "git fetch*": allow
-    "git merge *": allow
-    "git pull*": allow
-    "git push*": ask
-    "git rebase*": allow
-    "git remote*": allow
-    "git rev-parse": allow
-    "git status": allow
-    "gh --version": allow
-    "gh pr*": allow
-    "bd *": allow
-    "ls *": allow
-    "npm *": allow
-    "waif *": allow
-    "*": ask
+    "rm *": ask
+    "rm -rf": ask
+    "git push --force": ask
+    "git push -f": ask
+    "git reset --hard": ask
+    "*": allow
 ---
 You are **Ship**, the **DevOps AI**.
 

.opencode/tmp/intake-draft-ge-urs.md

@@ -0,0 +1,61 @@
+Title: Make all agents use deny-by-default permissions
+
+Problem
+-------
+Agent definitions in .opencode/agent/*.md currently include permissive or wildcard bash permission entries (e.g. "*": allow) that grant agents broader runtime capabilities than necessary. This increases risk of accidental or malicious repository changes, leaking secrets, or executing destructive commands from downstream agents.
+
+Users
+-----
+- Repository maintainers and Producers who rely on safe, auditable agent behavior
+- Agent authors (Forge) who will update agent definitions
+- Implementation agents (Patch, Probe) who may need to run commands during sessions
+
+Success criteria (testable)
+---------------------------
+1. All agent definition files under .opencode/agent/ contain explicit, least-privilege permission rules. No agent grants a blanket "*": allow for bash. Any previously present "*": allow is either:
+   - replaced with a minimal explicit allow-list of permitted bash patterns, or
+   - replaced with "*": ask (or removed entirely) where interactive confirmation is required.
+2. A repository-level policy document is added at .opencode/agent/PERMISSIONS.md describing the deny-by-default model, recommended minimal granted patterns, and the review process for changes.
+3. Changes are made on a feature branch named feature/ge-urs-<short> and submitted as a PR. The PR references bd#ge-urs and contains a short summary of edits per-agent.
+4. Automated check: run a script (or rg) to assert no .opencode/agent/*.md file contains the pattern '"*": allow' (failure if found). This check is run locally before creating the PR.
+
+Constraints
+-----------
+- Do not change runtime/CI behavior beyond permissions metadata in .opencode/agent/*.md (no edits to CI, runtime code, or other repository policies without explicit Producer approval).
+- Keep each agent's permissions minimal and documented in the agent file's rationale section.
+- Avoid disruptive or large diffs; prefer per-agent small edits and PRs grouped logically.
+
+Existing state
+--------------
+- Agent files are present in .opencode/agent/*.md. Some agents currently have permissive entries (e.g., Build had "*": allow; Forge had "*": ask).
+- A bd issue exists: ge-urs (in_progress) assigned to forge.
+
+Desired change (high-level)
+--------------------------
+- Adopt deny-by-default: remove blanket allow rules and replace with specific minimal patterns or explicit "ask" where necessary.
+- Add a short PERMISSIONS.md to describe the convention and provide examples.
+- Provide a small automated assertion script (scripts/check-agent-permissions.sh) that returns non-zero if a wildcard allow is present.
+
+Likely duplicates / related docs
+-------------------------------
+- .opencode/agent/*.md (the files to change)
+- AGENTS.md and .github/copilot-instructions.md (guidance and rules)
+- bd issue: ge-urs
+
+Related issues
+--------------
+- ge-urs (current task)
+
+Recommended next step
+---------------------
+1. Confirm scope: approve this intake draft or request edits.
+2. If approved, I will:
+   - Create a feature branch feature/ge-urs-permissions and update agent files conservatively (one commit per agent file changed).
+   - Add .opencode/agent/PERMISSIONS.md and scripts/check-agent-permissions.sh.
+   - Run the local check and open a PR referencing bd#ge-urs.
+
+Questions / open items
+----------------------
+- Confirm whether you want a single PR updating all agents, or multiple smaller PRs (per-agent). Recommended: a single PR limited to metadata-only changes for speed.
+- Confirm whether replacing "*": allow with specific patterns should be done automatically (best-effort) or manually per agent with human review for each pattern.
+

scripts/check-agent-permissions.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -e
+# Fail if any agent file allows destructive commands without ask
+# List of destructive patterns to detect when allowed
+DESTRUCTIVE_PATTERNS=(
+  "rm -rf"
+  "rm -r"
+  "rm \*"
+  "git reset --hard"
+  "git push --force"
+  "git push -f"
+  "dd if="
+  "sh -c '"
+)
+
+
+FOUND=0
+for p in "${DESTRUCTIVE_PATTERNS[@]}"; do
+  if rg -n "\"$p\"\s*:\s*allow" .opencode/agent >/dev/null 2>&1; then
+    echo "Found destructive allow pattern: $p"
+    rg -n "\"$p\"\s*:\s*allow" .opencode/agent || true
+    FOUND=1
+  fi
+done
+
+if [ $FOUND -eq 1 ]; then
+  exit 1
+else
+  echo 'No destructive allow patterns found.'
+fi