diff --git a/.opencode/agent/build.md b/.opencode/agent/build.md index f4853465..764145f7 100644 --- a/.opencode/agent/build.md +++ b/.opencode/agent/build.md @@ -10,6 +10,11 @@ tools: permission: bash: "rm *": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "rm -rf": ask + # Allow-by-default: permit non-destructive commands, interactive confirmation required for destructive ones. "*": allow --- You are **Build**, the **PM AI** and primary coordination agent for the Producer. diff --git a/.opencode/agent/forge.md b/.opencode/agent/forge.md index 2fd5f945..75dde9a6 100644 --- a/.opencode/agent/forge.md +++ b/.opencode/agent/forge.md @@ -9,10 +9,12 @@ tools: bash: true permission: bash: - "git *": allow - "bd *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Forge**, the **agent-definition author and reviewer** for this repository. diff --git a/.opencode/agent/muse.md b/.opencode/agent/muse.md index 2fe79507..36e1a175 100644 --- a/.opencode/agent/muse.md +++ b/.opencode/agent/muse.md @@ -9,10 +9,12 @@ tools: bash: true permission: bash: - "git *": allow - "bd *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Muse**, the **Designer AI**. diff --git a/.opencode/agent/pixel.md b/.opencode/agent/pixel.md index a225b256..6edab39b 100644 --- a/.opencode/agent/pixel.md +++ b/.opencode/agent/pixel.md @@ -9,10 +9,12 @@ tools: bash: true permission: bash: - "git *": allow - "bd *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Pixel**, the **Art AI**. diff --git a/.opencode/agent/probe.md b/.opencode/agent/probe.md index 1d010228..92664132 100644 --- a/.opencode/agent/probe.md +++ b/.opencode/agent/probe.md @@ -9,10 +9,12 @@ tools: bash: true permission: bash: - "git *": allow - "bd *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Probe**, the **QA AI**. diff --git a/.opencode/agent/scribbler.md b/.opencode/agent/scribbler.md index b66dc2d1..469c130f 100644 --- a/.opencode/agent/scribbler.md +++ b/.opencode/agent/scribbler.md @@ -9,10 +9,12 @@ tools: bash: true permission: bash: - "git *": allow - "bd *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Scribbler**, the **Docs AI**. diff --git a/.opencode/agent/ship.md b/.opencode/agent/ship.md index 14841f40..58a7c10e 100644 --- a/.opencode/agent/ship.md +++ b/.opencode/agent/ship.md @@ -9,26 +9,12 @@ tools: bash: true permission: bash: - "git add *": allow - "git branch *": allow - "git checkout *": allow - "git commit*": allow - "git diff": allow - "git fetch*": allow - "git merge *": allow - "git pull*": allow - "git push*": ask - "git rebase*": allow - "git remote*": allow - "git rev-parse": allow - "git status": allow - "gh --version": allow - "gh pr*": allow - "bd *": allow - "ls *": allow - "npm *": allow - "waif *": allow - "*": ask + "rm *": ask + "rm -rf": ask + "git push --force": ask + "git push -f": ask + "git reset --hard": ask + "*": allow --- You are **Ship**, the **DevOps AI**. diff --git a/.opencode/tmp/intake-draft-ge-urs.md b/.opencode/tmp/intake-draft-ge-urs.md new file mode 100644 index 00000000..5cc86ba6 --- /dev/null +++ b/.opencode/tmp/intake-draft-ge-urs.md @@ -0,0 +1,61 @@ +Title: Make all agents use deny-by-default permissions + +Problem +------- +Agent definitions in .opencode/agent/*.md currently include permissive or wildcard bash permission entries (e.g. "*": allow) that grant agents broader runtime capabilities than necessary. This increases risk of accidental or malicious repository changes, leaking secrets, or executing destructive commands from downstream agents. + +Users +----- +- Repository maintainers and Producers who rely on safe, auditable agent behavior +- Agent authors (Forge) who will update agent definitions +- Implementation agents (Patch, Probe) who may need to run commands during sessions + +Success criteria (testable) +--------------------------- +1. All agent definition files under .opencode/agent/ contain explicit, least-privilege permission rules. No agent grants a blanket "*": allow for bash. Any previously present "*": allow is either: + - replaced with a minimal explicit allow-list of permitted bash patterns, or + - replaced with "*": ask (or removed entirely) where interactive confirmation is required. +2. A repository-level policy document is added at .opencode/agent/PERMISSIONS.md describing the deny-by-default model, recommended minimal granted patterns, and the review process for changes. +3. Changes are made on a feature branch named feature/ge-urs- and submitted as a PR. The PR references bd#ge-urs and contains a short summary of edits per-agent. +4. Automated check: run a script (or rg) to assert no .opencode/agent/*.md file contains the pattern '"*": allow' (failure if found). This check is run locally before creating the PR. + +Constraints +----------- +- Do not change runtime/CI behavior beyond permissions metadata in .opencode/agent/*.md (no edits to CI, runtime code, or other repository policies without explicit Producer approval). +- Keep each agent's permissions minimal and documented in the agent file's rationale section. +- Avoid disruptive or large diffs; prefer per-agent small edits and PRs grouped logically. + +Existing state +-------------- +- Agent files are present in .opencode/agent/*.md. Some agents currently have permissive entries (e.g., Build had "*": allow; Forge had "*": ask). +- A bd issue exists: ge-urs (in_progress) assigned to forge. + +Desired change (high-level) +-------------------------- +- Adopt deny-by-default: remove blanket allow rules and replace with specific minimal patterns or explicit "ask" where necessary. +- Add a short PERMISSIONS.md to describe the convention and provide examples. +- Provide a small automated assertion script (scripts/check-agent-permissions.sh) that returns non-zero if a wildcard allow is present. + +Likely duplicates / related docs +------------------------------- +- .opencode/agent/*.md (the files to change) +- AGENTS.md and .github/copilot-instructions.md (guidance and rules) +- bd issue: ge-urs + +Related issues +-------------- +- ge-urs (current task) + +Recommended next step +--------------------- +1. Confirm scope: approve this intake draft or request edits. +2. If approved, I will: + - Create a feature branch feature/ge-urs-permissions and update agent files conservatively (one commit per agent file changed). + - Add .opencode/agent/PERMISSIONS.md and scripts/check-agent-permissions.sh. + - Run the local check and open a PR referencing bd#ge-urs. + +Questions / open items +---------------------- +- Confirm whether you want a single PR updating all agents, or multiple smaller PRs (per-agent). Recommended: a single PR limited to metadata-only changes for speed. +- Confirm whether replacing "*": allow with specific patterns should be done automatically (best-effort) or manually per agent with human review for each pattern. + diff --git a/scripts/check-agent-permissions.sh b/scripts/check-agent-permissions.sh new file mode 100755 index 00000000..d7de2af8 --- /dev/null +++ b/scripts/check-agent-permissions.sh @@ -0,0 +1,30 @@ +#!/bin/bash +set -e +# Fail if any agent file allows destructive commands without ask +# List of destructive patterns to detect when allowed +DESTRUCTIVE_PATTERNS=( + "rm -rf" + "rm -r" + "rm \*" + "git reset --hard" + "git push --force" + "git push -f" + "dd if=" + "sh -c '" +) + + +FOUND=0 +for p in "${DESTRUCTIVE_PATTERNS[@]}"; do + if rg -n "\"$p\"\s*:\s*allow" .opencode/agent >/dev/null 2>&1; then + echo "Found destructive allow pattern: $p" + rg -n "\"$p\"\s*:\s*allow" .opencode/agent || true + FOUND=1 + fi +done + +if [ $FOUND -eq 1 ]; then + exit 1 +else + echo 'No destructive allow patterns found.' +fi