Update agent modes and refine formatter structure #154
…security-auditor configurations; refine opencode.json formatter structure
Pull request overview
Updates OpenCode configuration by changing reviewer agent modes and restructuring the formatter configuration.
Changes:
- Restructures opencode.json formatter config into a named formatter object with explicit command + extensions.
- Updates .opencode/agents/security-auditor.md mode from plan to subagent.
- Updates .opencode/agents/db-reviewer.md mode from plan to subagent.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| opencode.json | Reworks formatter configuration; removes previously-defined global permissions. |
| .opencode/agents/security-auditor.md | Switches agent mode to subagent. |
| .opencode/agents/db-reviewer.md | Switches agent mode to subagent. |
| "command": ["biome", "check", "--write", "--unsafe", "{file}"], | ||
| "extensions": ["ts", "tsx", "json"] | ||
| } | ||
| }, |
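Review bot: `--unsafe` on the `command` line lets every formatter run apply Biome's unsafe fixes, which can change what the code does rather than only how it is laid out, and the formatter applies them to every matching ts, tsx and json file. For a format-on-write hook, drop the flag (`["biome", "check", "--write", "{file}"]`) and leave unsafe fixes to an explicit, reviewed run.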
The global permissions block (including denies for destructive Bash patterns and secret reads like Read(.env*)) was removed. With the current config, any agent that doesn’t define its own restrictive permissions (e.g. .opencode/agents/test-writer.md has none) may inherit more permissive defaults, and even the read-only reviewer agents no longer deny reading secret-like files. Consider restoring a conservative top-level permissions section or moving the deny patterns into each agent so tool access remains constrained.
| }, | |
| }, | |
| "permissions": { | |
| "fs": [ | |
| "Read(*)", | |
| "Write(*)", | |
| "!Read(.env*)", | |
| "!Read(**/.env*)", | |
| "!Read(*id_rsa*)", | |
| "!Read(**/*id_rsa*)", | |
| "!Read(*id_dsa*)", | |
| "!Read(**/*id_dsa*)", | |
| "!Read(*id_ecdsa*)", | |
| "!Read(**/*id_ecdsa*)", | |
| "!Read(*id_ed25519*)", | |
| "!Read(**/*id_ed25519*)", | |
| "!Read(*secret*)", | |
| "!Read(**/*secret*)", | |
| "!Read(*token*)", | |
| "!Read(**/*token*)", | |
| "!Read(*key*)", | |
| "!Read(**/*key*)", | |
| "!Read(*credentials*)", | |
| "!Read(**/*credentials*)", | |
| "!Read(*config.yml)", | |
| "!Read(**/config.yml)", | |
| "!Read(*config.yaml)", | |
| "!Read(**/config.yaml)", | |
| "!Read(*config.json)", | |
| "!Read(**/config.json)" | |
| ], | |
| "bash": [ | |
| "Run(*)", | |
| "!Run(rm -rf /)", | |
| "!Run(rm -rf /*)", | |
| "!Run(rm -rf *)", | |
| "!Run(rm -r /)", | |
| "!Run(rm -r /*)", | |
| "!Run(rm -r *)", | |
| "!Run(rm *)", | |
| "!Run(:(){ :|:& };:)", | |
| "!Run(*mkfs* /dev/*)", | |
| "!Run(*dd if=* of=/dev/sd*)", | |
| "!Run(*chmod 000 / -R*)", | |
| "!Run(*chown 0:0 / -R*)" | |
| ] | |
| }, |
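Review bot: in the fs list, `Write(*)` has no deny entries at all, so the files that are protected from reads (`.env*`, `*id_rsa*`, `*credentials*` and the rest) can still be overwritten or truncated; add Write denies for the same patterns. The bash list has the same shape, `Run(*)` followed by literal deny strings, so it only covers the exact spellings listed. An allowlist of the commands the agents actually need would hold up better than enumerating destructive ones.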
| description: Review code for security issues in Cloudflare Workers, auth flows, and data handling | ||
| model: claude-sonnet | ||
| mode: plan | ||
| mode: subagent |
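Review bot: with `mode: plan` replaced by `mode: subagent`, nothing in the visible frontmatter (description, model, mode) states that this review-only agent may not edit files or run commands. If that restriction was expected to come from plan mode, declare it explicitly in this file, all the more so because the same PR removes the global permissions from opencode.json.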
This agent’s mode was changed to subagent, but the repo’s OpenCode reference skill still documents that “Security auditors and code reviewers should have mode: plan” (.opencode/skills/opencode-research/SKILL.md:78). If subagent is now the correct mode, update that documentation to avoid conflicting guidance; otherwise keep mode: plan here for consistency.
| mode: subagent | |
| mode: plan |
| description: Review database schema, migrations, and queries for correctness and performance | ||
| model: claude-sonnet | ||
| mode: plan | ||
| mode: subagent |
This agent’s mode was changed to subagent, but the repo’s OpenCode reference skill still documents that “Security auditors and code reviewers should have mode: plan” (.opencode/skills/opencode-research/SKILL.md:78). If subagent is now the intended mode, update that documentation to prevent inconsistency; otherwise keep mode: plan here.
| mode: subagent | |
| mode: plan |
Change agent modes from 'plan' to 'subagent' in the db-reviewer and security-auditor configurations. Improve the structure of the opencode.json formatter for better clarity and functionality.