Merge pull request #7 from BaseInfinity/v0.10.1-permission-sandboxes

v0.10.1: per-agent permission sandboxing

Author: BaseInfinity

CHANGELOG.md

@@ -2,6 +2,86 @@
 
 All notable changes to opencode-sdlc-wizard.
 
+## [0.10.1] - 2026-05-17
+
+### Added — Per-agent permission sandboxing (`--sandbox-test-writer` + `--sandbox-docs`)
+
+May-2026 community-patterns research: 9/15 surveyed `opencode.json`
+configurations use `agent.<name>.permission.write` to scope what each
+agent can touch. Most-cited patterns:
+
+- `test-writer` locked to test/spec files only
+- `docs` locked to `.md` only
+
+v0.10.1 exposes these as boolean flags on both `pick` and
+`configure-backend.sh`. Users wanting custom glob patterns still edit
+`opencode.json` directly.
+
+```bash
+# Full v0.10.x hybrid in one shot — Mixed-Mode coder/reviewer split
+# plus sandboxed test-writer and docs agents
+npx opencode-sdlc-wizard pick \
+  --tier proprietary --provider anthropic \
+  --reviewer-tier hosted_oss --reviewer-provider cerebras \
+  --sandbox-test-writer --sandbox-docs
+```
+
+Yields:
+
+```json
+{
+  "model": "anthropic/claude-opus-4-7",
+  "provider": {
+    "anthropic": { "options": { "apiKey": "{env:ANTHROPIC_API_KEY}" } },
+    "cerebras":  { "npm": "@ai-sdk/openai-compatible", "options": { ... } }
+  },
+  "agent": {
+    "review": { "model": "cerebras/gpt-oss-120b" },
+    "test-writer": {
+      "permission": { "write": {
+        "**/*.test.*": "allow",
+        "**/*.spec.*": "allow",
+        "*": "deny"
+      } }
+    },
+    "docs": {
+      "permission": { "write": {
+        "**/*.md": "allow",
+        "*": "deny"
+      } }
+    }
+  }
+}
+```
+
+OpenCode enforces the permission patterns at write time — the
+test-writer agent can't accidentally clobber production source even
+if its model attempts to.
+
+### Changed
+
+- `scripts/configure-backend.sh`: new `--sandbox-test-writer` and
+  `--sandbox-docs` boolean flags. The node heredoc deep-merges the
+  canonical permission blocks alongside any v0.10.0 reviewer block,
+  preserving user-set sibling fields.
+- `scripts/pick-backend.sh`: passes both flags through to the
+  configurator unchanged.
+
+### Tests
+
+- `tests/test-backend-picker.sh` adds T35–T38:
+  - T35: `--sandbox-test-writer` writes canonical `agent.test-writer.permission.write`
+  - T36: `--sandbox-docs` writes canonical `agent.docs.permission.write`
+  - T37: both sandboxes compose with `--reviewer-*` (full v0.10.x hybrid)
+  - T38: no flags → no test-writer/docs agent blocks (opt-in regression guard)
+- `tests/test-pick.sh` adds T19–T22 (passthrough + composition + regression guard).
+- **349 tests across 12 suites** (was 341 / 12 in v0.10.0).
+
+### Compat
+
+- Opt-in only. Existing configs unchanged unless the new flags are passed.
+- Composes cleanly with v0.10.0 Mixed-Mode and v0.9.x single-model pick.
+
 ## [0.10.0] - 2026-05-17
 
 ### Added — Mixed-Mode (per-agent model routing) in `pick` + `configure-backend.sh`

package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sdlc-wizard",
-  "version": "0.10.0",
+  "version": "0.10.1",
   "description": "SDLC enforcement for OpenCode CLI — privacy-first, any-backend portability with a four-tier backend picker plus an OSS-tier cross-model-review skill so the full SDLC loop can run with zero Anthropic+OpenAI lock-in. Ships JSON Schemas for review artifacts so any consumer (cross-model-review, ditto, CI) can validate. Install with `npx opencode-sdlc-wizard init`. Sibling of agentic-sdlc-wizard and codex-sdlc-wizard.",
   "bin": {
     "opencode-sdlc-wizard": "cli/bin/opencode-sdlc-wizard.js"

scripts/configure-backend.sh

@@ -33,6 +33,13 @@ PRINT_ONLY=0
 REVIEWER_TIER=""
 REVIEWER_PROVIDER=""
 REVIEWER_MODEL=""
+# v0.10.1 Per-agent permission sandboxing. Boolean flags inject canonical
+# permission.write blocks for the two highest-signal agents from May-2026
+# community-patterns research (9/15 configs use this): test-writer scoped
+# to test/spec files only, docs scoped to .md only. Users wanting custom
+# glob patterns edit opencode.json directly.
+SANDBOX_TEST_WRITER=0
+SANDBOX_DOCS=0
 
 usage() {
   sed -n '2,15p' "$0"
@@ -56,6 +63,8 @@ while [ $# -gt 0 ]; do
     --reviewer-provider=*) REVIEWER_PROVIDER="${1#*=}" ;;
     --reviewer-model) shift; REVIEWER_MODEL="${1:-}" ;;
     --reviewer-model=*) REVIEWER_MODEL="${1#*=}" ;;
+    --sandbox-test-writer) SANDBOX_TEST_WRITER=1 ;;
+    --sandbox-docs) SANDBOX_DOCS=1 ;;
     -h|--help) usage; exit 0 ;;
     *) echo "Unknown arg: $1" >&2; usage >&2; exit 2 ;;
   esac
@@ -84,15 +93,19 @@ CONFIG_PATH="$TARGET_DIR/opencode.json"
 # heredoc-fed node script so we don't have to escape JSON in bash, and so
 # the merge logic stays canonical (sorted keys, 2-space indent, trailing \n).
 node - "$TIER" "$PROVIDER" "$MODEL" "$CONFIG_PATH" "$FORCE" "$PRINT_ONLY" \
-     "$REVIEWER_TIER" "$REVIEWER_PROVIDER" "$REVIEWER_MODEL" <<'NODE'
+     "$REVIEWER_TIER" "$REVIEWER_PROVIDER" "$REVIEWER_MODEL" \
+     "$SANDBOX_TEST_WRITER" "$SANDBOX_DOCS" <<'NODE'
 const fs = require("node:fs");
 const [
   tier, providerArg, model, configPath, forceStr, printOnlyStr,
   reviewerTier, reviewerProviderArg, reviewerModel,
+  sandboxTestWriterStr, sandboxDocsStr,
 ] = process.argv.slice(2);
 const force = forceStr === "1";
 const printOnly = printOnlyStr === "1";
 const mixedMode = Boolean(reviewerTier && reviewerProviderArg && reviewerModel);
+const sandboxTestWriter = sandboxTestWriterStr === "1";
+const sandboxDocs = sandboxDocsStr === "1";
 
 // Canonical provider IDs. Detector emits user-friendly aliases; we accept both
 // and emit the canonical OpenCode/models.dev ID in the written config so model
@@ -399,6 +412,36 @@ if (mixedMode) {
   });
 }
 
+// v0.10.1 Per-agent permission sandboxing. Each flag injects the canonical
+// permission.write pattern for that agent — deep-merged so it composes
+// with Mixed-Mode (--reviewer-*) and any user-set sibling fields. Patterns
+// derived from the most-cited community examples (joelhooks, ppries gists).
+if (sandboxTestWriter || sandboxDocs) {
+  const sandboxAdditions = {};
+  if (sandboxTestWriter) {
+    sandboxAdditions["test-writer"] = {
+      permission: {
+        write: {
+          "**/*.test.*": "allow",
+          "**/*.spec.*": "allow",
+          "*": "deny",
+        },
+      },
+    };
+  }
+  if (sandboxDocs) {
+    sandboxAdditions["docs"] = {
+      permission: {
+        write: {
+          "**/*.md": "allow",
+          "*": "deny",
+        },
+      },
+    };
+  }
+  merged.agent = deepMerge(merged.agent || existing.agent || {}, sandboxAdditions);
+}
+
 // Canonical key ordering for deterministic output (idempotency requirement).
 // Top-level: $schema, model, provider, then everything else alphabetical.
 function sortKeysCanonical(obj, topLevel = false) {

scripts/pick-backend.sh

@@ -53,6 +53,11 @@ FREE_TIER_FIRST=0
 REVIEWER_TIER=""
 REVIEWER_PROVIDER=""
 REVIEWER_MODEL=""
+# v0.10.1 Per-agent permission sandboxing. Passthrough to configure-backend's
+# matching flags — canonical permission.write block per agent (test/spec
+# files for test-writer, .md only for docs).
+SANDBOX_TEST_WRITER=0
+SANDBOX_DOCS=0
 
 while [ $# -gt 0 ]; do
   case "$1" in
@@ -73,6 +78,8 @@ while [ $# -gt 0 ]; do
     --reviewer-provider=*) REVIEWER_PROVIDER="${1#*=}" ;;
     --reviewer-model) shift; REVIEWER_MODEL="${1:-}" ;;
     --reviewer-model=*) REVIEWER_MODEL="${1#*=}" ;;
+    --sandbox-test-writer) SANDBOX_TEST_WRITER=1 ;;
+    --sandbox-docs) SANDBOX_DOCS=1 ;;
     -h|--help) usage; exit 0 ;;
     *) echo "Unknown arg: $1" >&2; usage >&2; exit 2 ;;
   esac
@@ -212,6 +219,8 @@ if [ -n "$REVIEWER_TIER" ]; then
     --reviewer-model "$REVIEWER_MODEL"
   )
 fi
+[ "$SANDBOX_TEST_WRITER" = "1" ] && CONFIGURE_ARGS+=(--sandbox-test-writer)
+[ "$SANDBOX_DOCS" = "1" ]        && CONFIGURE_ARGS+=(--sandbox-docs)
 
 if [ -n "$REVIEWER_TIER" ]; then
   echo "pick: resolved coder $TIER/$PROVIDER → $MODEL + reviewer $REVIEWER_TIER/$REVIEWER_PROVIDER → $REVIEWER_MODEL" >&2

tests/test-backend-picker.sh

@@ -716,6 +716,108 @@ console.log('ok');
   fi
 fi
 
+# --- v0.10.1 Per-agent permission sandboxing. May-2026 community-patterns
+# research: 9/15 surveyed opencode.json files use agent.<name>.permission.write
+# to scope which paths each agent can touch — test-writer locked to test files,
+# docs locked to .md, etc. Maps directly onto the wizard's SDLC steps.
+# configure-backend exposes the two highest-signal sandboxes as boolean flags
+# that inject canonical permission blocks; users wanting custom glob patterns
+# edit opencode.json directly.
+
+# --- T35: --sandbox-test-writer injects agent.test-writer.permission.write
+#         restricting writes to test/spec files only
+if [ -x "$CONFIG" ]; then
+  T="$TMP_ROOT/t35"; mkdir -p "$T"
+  (cd "$T" && "$CONFIG" \
+     --tier private_local --provider ollama --model qwen3-coder:30b \
+     --sandbox-test-writer >/dev/null 2>&1) || true
+  if [ -f "$T/opencode.json" ]; then
+    ok="$(node -e "
+const j=require('$T/opencode.json');
+const tw=j.agent && j.agent['test-writer'];
+if(!tw||!tw.permission||!tw.permission.write){console.log('missing-test-writer-perm');process.exit(1)}
+const w=tw.permission.write;
+if(w['**/*.test.*']!=='allow'){console.log('missing-test-allow');process.exit(1)}
+if(w['**/*.spec.*']!=='allow'){console.log('missing-spec-allow');process.exit(1)}
+if(w['*']!=='deny'){console.log('missing-default-deny');process.exit(1)}
+console.log('ok');
+" 2>/dev/null || echo 'failed')"
+    if [ "$ok" = "ok" ]; then
+      pass "--sandbox-test-writer injects canonical permission.write block"
+    else
+      fail "T35 — $ok"
+    fi
+  fi
+fi
+
+# --- T36: --sandbox-docs injects agent.docs.permission.write
+#         restricting writes to .md only
+if [ -x "$CONFIG" ]; then
+  T="$TMP_ROOT/t36"; mkdir -p "$T"
+  (cd "$T" && "$CONFIG" \
+     --tier private_local --provider ollama --model qwen3-coder:30b \
+     --sandbox-docs >/dev/null 2>&1) || true
+  if [ -f "$T/opencode.json" ]; then
+    ok="$(node -e "
+const j=require('$T/opencode.json');
+const d=j.agent && j.agent.docs;
+if(!d||!d.permission||!d.permission.write){console.log('missing-docs-perm');process.exit(1)}
+const w=d.permission.write;
+if(w['**/*.md']!=='allow'){console.log('missing-md-allow');process.exit(1)}
+if(w['*']!=='deny'){console.log('missing-default-deny');process.exit(1)}
+console.log('ok');
+" 2>/dev/null || echo 'failed')"
+    if [ "$ok" = "ok" ]; then
+      pass "--sandbox-docs injects canonical permission.write block"
+    else
+      fail "T36 — $ok"
+    fi
+  fi
+fi
+
+# --- T37: both sandboxes compose, plus Mixed-Mode reviewer — full v0.10.x
+#         hybrid in one invocation
+if [ -x "$CONFIG" ]; then
+  T="$TMP_ROOT/t37"; mkdir -p "$T"
+  (cd "$T" && "$CONFIG" \
+     --tier proprietary --provider anthropic --model claude-opus-4-7 \
+     --reviewer-tier hosted_oss --reviewer-provider cerebras --reviewer-model gpt-oss-120b \
+     --sandbox-test-writer --sandbox-docs >/dev/null 2>&1) || true
+  if [ -f "$T/opencode.json" ]; then
+    ok="$(node -e "
+const j=require('$T/opencode.json');
+if(j.agent.review.model!=='cerebras/gpt-oss-120b'){console.log('reviewer-wrong');process.exit(1)}
+if(!j.agent['test-writer'].permission.write['**/*.test.*']){console.log('missing-tw-sandbox');process.exit(1)}
+if(!j.agent.docs.permission.write['**/*.md']){console.log('missing-docs-sandbox');process.exit(1)}
+console.log('ok');
+" 2>/dev/null || echo 'failed')"
+    if [ "$ok" = "ok" ]; then
+      pass "v0.10.x hybrid: reviewer + test-writer sandbox + docs sandbox compose"
+    else
+      fail "T37 — $ok"
+    fi
+  fi
+fi
+
+# --- T38: sandbox flags absent → no agent.test-writer / agent.docs blocks
+#         (regression guard — sandbox is opt-in only)
+if [ -x "$CONFIG" ]; then
+  T="$TMP_ROOT/t38"; mkdir -p "$T"
+  (cd "$T" && "$CONFIG" --tier private_local --provider ollama --model qwen3-coder:30b >/dev/null 2>&1) || true
+  if [ -f "$T/opencode.json" ]; then
+    ok="$(node -e "
+const j=require('$T/opencode.json');
+if(j.agent && (j.agent['test-writer']||j.agent.docs)){console.log('unexpected-agent-block');process.exit(1)}
+console.log('ok');
+" 2>/dev/null || echo 'failed')"
+    if [ "$ok" = "ok" ]; then
+      pass "no sandbox flags → no test-writer/docs agent blocks (opt-in only)"
+    else
+      fail "T38 — $ok"
+    fi
+  fi
+fi
+
 echo ""
 echo "=== Results: $PASS passed, $FAIL failed ==="
 [ "$FAIL" -eq 0 ] || exit 1

tests/test-pick.sh

@@ -334,6 +334,71 @@ if [ -x "$SCRIPT" ]; then
   fi
 fi
 
+# v0.10.1 sandbox passthrough — pick must forward --sandbox-test-writer and
+# --sandbox-docs to configure-backend without modification.
+
+# T19: --sandbox-test-writer passthrough
+if [ -x "$SCRIPT" ]; then
+  T="$TMP_ROOT/t19"; make_target "$T" "private_local/ollama"
+  DETECT_STUB_LOG="$T/detect.log"
+  CONFIGURE_STUB_LOG="$T/configure.log"
+  (DETECT_STUB_LOG="$DETECT_STUB_LOG" CONFIGURE_STUB_LOG="$CONFIGURE_STUB_LOG" \
+   PATH="$T/stubs:$PATH" "$SCRIPT" --sandbox-test-writer >/dev/null 2>&1) || true
+  if [ -f "$CONFIGURE_STUB_LOG" ] && grep -q -- "--sandbox-test-writer" "$CONFIGURE_STUB_LOG"; then
+    pass "--sandbox-test-writer passes through to configure-backend"
+  else
+    fail "--sandbox-test-writer was dropped"
+  fi
+fi
+
+# T20: --sandbox-docs passthrough
+if [ -x "$SCRIPT" ]; then
+  T="$TMP_ROOT/t20"; make_target "$T" "private_local/ollama"
+  DETECT_STUB_LOG="$T/detect.log"
+  CONFIGURE_STUB_LOG="$T/configure.log"
+  (DETECT_STUB_LOG="$DETECT_STUB_LOG" CONFIGURE_STUB_LOG="$CONFIGURE_STUB_LOG" \
+   PATH="$T/stubs:$PATH" "$SCRIPT" --sandbox-docs >/dev/null 2>&1) || true
+  if [ -f "$CONFIGURE_STUB_LOG" ] && grep -q -- "--sandbox-docs" "$CONFIGURE_STUB_LOG"; then
+    pass "--sandbox-docs passes through to configure-backend"
+  else
+    fail "--sandbox-docs was dropped"
+  fi
+fi
+
+# T21: sandbox flags compose with Mixed-Mode reviewer in one pick invocation
+if [ -x "$SCRIPT" ]; then
+  T="$TMP_ROOT/t21"; make_target "$T" "private_local/ollama"
+  DETECT_STUB_LOG="$T/detect.log"
+  CONFIGURE_STUB_LOG="$T/configure.log"
+  (DETECT_STUB_LOG="$DETECT_STUB_LOG" CONFIGURE_STUB_LOG="$CONFIGURE_STUB_LOG" \
+   PATH="$T/stubs:$PATH" "$SCRIPT" \
+     --reviewer-tier hosted_oss --reviewer-provider cerebras \
+     --sandbox-test-writer --sandbox-docs >/dev/null 2>&1) || true
+  if [ -f "$CONFIGURE_STUB_LOG" ] \
+     && grep -q -- "--reviewer-provider cerebras" "$CONFIGURE_STUB_LOG" \
+     && grep -q -- "--sandbox-test-writer" "$CONFIGURE_STUB_LOG" \
+     && grep -q -- "--sandbox-docs" "$CONFIGURE_STUB_LOG"; then
+    pass "v0.10.x hybrid: --reviewer-* + --sandbox-* compose in one pick call"
+  else
+    fail "compose failure — reviewer or sandbox args missing"
+    cat "$CONFIGURE_STUB_LOG" 2>/dev/null | head -3 >&2 || true
+  fi
+fi
+
+# T22: no sandbox flags → no sandbox args forwarded (regression guard)
+if [ -x "$SCRIPT" ]; then
+  T="$TMP_ROOT/t22"; make_target "$T" "private_local/ollama"
+  DETECT_STUB_LOG="$T/detect.log"
+  CONFIGURE_STUB_LOG="$T/configure.log"
+  (DETECT_STUB_LOG="$DETECT_STUB_LOG" CONFIGURE_STUB_LOG="$CONFIGURE_STUB_LOG" \
+   PATH="$T/stubs:$PATH" "$SCRIPT" >/dev/null 2>&1) || true
+  if [ -f "$CONFIGURE_STUB_LOG" ] && ! grep -q -- "--sandbox-" "$CONFIGURE_STUB_LOG"; then
+    pass "pick without --sandbox-* flags does NOT forward sandbox args"
+  else
+    fail "pick leaked --sandbox-* args to configure"
+  fi
+fi
+
 echo ""
 echo "=== Results: $PASS passed, $FAIL failed ==="
 [ "$FAIL" -eq 0 ] || exit 1