# Agent Permissions Refinement ## TL;DR > **Quick Summary**: Refine OpenCode agent permissions for Chiron (planning) and Chriton-Forge (build) to implement 2025 AI security best practices with principle of least privilege, human-in-the-loop for critical actions, and explicit guardrails against permission bypass. > **Deliverables**: > - Updated `agents/agents.json` with refined permissions for Chiron and Chriton-Forge > - Critical bug fix: Duplicate `external_directory` key in Chiron config > - Enhanced secret blocking with additional patterns > - Bash injection prevention rules > - Git protection against secret commits and repo hijacking > **Estimated Effort**: Medium > **Parallel Execution**: NO - sequential changes to single config file > **Critical Path**: Fix duplicate key → Apply Chiron permissions → Apply Chriton-Forge permissions → Validate --- ## Context ### Original Request User wants to refine agent permissions for: - **Chiron**: Planning agent with read-only access, restricted to read-only subagents, no file editing, can create beads issues - **Chriton-Forge**: Build agent with write access restricted to ~/p/**, git commits allowed but git push asks, package install commands ask - **General**: Sane defaults that are secure but open enough for autonomous work ### Interview Summary **Key Discussions**: - Chiron: Read-only planning, no file editing, bash denied except for `bd *` commands, external_directory ~/p/** only, task permission to restrict subagents to explore/librarian/athena + chiron-forge for handoff - Chriton-Forge: Write access restricted to ~/p/**, git commits allow / git push ask, package install commands ask, git config deny - Workspace path: ~/p/** is symlink to ~/projects/personal/** (just replacing path reference) - Bash security: Block all bash redirect patterns (echo >, cat >, tee, etc.) **Research Findings**: - OpenCode supports granular permission rules with wildcards, last-match-wins - 2025 best practices: Principle of least privilege, tiered permissions (read-only auto, destructive ask, JIT privileges), human-in-the-loop for critical actions - Security hardening: Block command injection vectors, prevent git secret commits, add comprehensive secret blocking patterns ### Metis Review **Critical Issues Identified**: 1. **Duplicate `external_directory` key** in Chiron config (lines 8-9 and 27) - second key overrides first, breaking intended behavior 2. **Bash edit bypass**: Even with `edit: deny`, bash can write files via redirection (`echo "x" > file.txt`, `cat >`, `tee`) 3. **Git secret protection**: Agent could commit secrets (read .env, then git commit .env) 4. **Git config hijacking**: Agent could modify .git/config to push to attacker-controlled repo 5. **Command injection**: Malicious content could execute via `$()`, backticks, `eval`, `source` 6. **Secret blocking incomplete**: Missing patterns for `.local/share/*`, `.cache/*`, `*.db`, `*.keychain`, `*.p12` **Guardrails Applied**: - Fix duplicate external_directory key (use single object with catch-all `"*": "ask"` after specific rules) - Add bash file write protection patterns (echo >, cat >, printf >, tee, > operators) - Add git secret protection (`git add *.env*`: deny, `git commit *.env*`: deny) - Add git config protection (`git config *`: deny for Chriton-Forge) - Add bash injection prevention (`$(*`, `` `*``, `eval *`, `source *`) - Expand secret blocking with additional patterns - Add /run/agenix/* to read deny list --- ## Work Objectives ### Core Objective Refine OpenCode agent permissions in `agents/agents.json` to implement security hardening based on 2025 AI agent best practices while maintaining autonomous workflow capabilities. ### Concrete Deliverables - Updated `agents/agents.json` with: - Chiron: Read-only permissions, subagent restrictions, bash denial (except `bd *`), no file editing - Chriton-Forge: Write access scoped to ~/p/**, git commit allow / push ask, package install ask, git config deny - Both: Enhanced secret blocking, bash injection prevention, git secret protection ### Definition of Done - [x] Permission configuration updated in `agents/agents.json` - [x] JSON syntax valid (no duplicate keys, valid structure) - [x] Workspace path validated (~/p/** exists and is correct) - [x] Acceptance criteria tests pass (via manual verification) ### Must Have - Chiron cannot edit files directly - Chiron cannot write files via bash (redirects blocked) - Chiron restricted to read-only subagents + chiron-forge for handoff - Chriton-Forge can only write to ~/p/** - Chriton-Forge cannot git config - Both agents block secret file reads - Both agents prevent command injection - Git operations cannot commit secrets - No duplicate keys in permission configuration ### Must NOT Have (Guardrails) - **Edit bypass via bash**: No bash redirection patterns that allow file writes when `edit: deny` - **Git secret commits**: No ability to git add/commit .env or credential files - **Repo hijacking**: No git config modification allowed for Chriton-Forge - **Command injection**: No `$()`, backticks, `eval`, `source` execution via bash - **Write scope escape**: Chriton-Forge cannot write outside ~/p/** without asking - **Secret exfiltration**: No access to .env, .ssh, .gnupg, credentials, secrets, .pem, .key, /run/agenix - **Unrestricted bash for Chiron**: Only `bd *` commands allowed --- ## Verification Strategy (MANDATORY) > This is configuration work, not code development. Manual verification is required after deployment. ### Test Decision - **Infrastructure exists**: YES (home-manager deployment) - **User wants tests**: NO (Manual-only verification) - **Framework**: None ### Manual Verification Procedures Each TODO includes EXECUTABLE verification procedures that users can run to validate changes. **Verification Commands to Run After Deployment:** 1. **JSON Syntax Validation**: ```bash # Validate JSON structure and no duplicate keys jq '.' /home/m3tam3re/p/AI/AGENTS/agents/agents.json > /dev/null 2>&1 # Expected: Exit code 0 (valid JSON) # Check for duplicate keys (manual review of chiron permission object) # Expected: Single external_directory key, no other duplicates ``` 2. **Workspace Path Validation**: ```bash ls -la ~/p/ 2>&1 # Expected: Directory exists, shows contents (likely symlink to ~/projects/personal/) ``` 3. **After Deployment - Chiron Read-Only Test** (manual): - Have Chiron attempt to edit a test file - Expected: Permission denied with clear error message - Have Chiron attempt to write via bash (echo "test" > /tmp/test.txt) - Expected: Permission denied - Have Chiron run `bd ready` command - Expected: Command succeeds, returns JSON output with issue list - Have Chiron attempt to invoke build-capable subagent (sisyphus-junior) - Expected: Permission denied 4. **After Deployment - Chiron Workspace Access** (manual): - Have Chiron read file within ~/p/** - Expected: Success, returns file contents - Have Chiron read file outside ~/p/** - Expected: Permission denied or ask user - Have Chiron delegate to explore/librarian/athena - Expected: Success, subagent executes 5. **After Deployment - Chriton-Forge Write Access** (manual): - Have Chriton-Forge write test file in ~/p/** directory - Expected: Success, file created - Have Chriton-Forge attempt to write file to /tmp - Expected: Ask user for approval - Have Chriton-Forge run `git add` and `git commit -m "test"` - Expected: Success, commit created without asking - Have Chriton-Forge attempt `git push` - Expected: Ask user for approval - Have Chriton-Forge attempt `git config` - Expected: Permission denied - Have Chriton-Forge attempt `npm install lodash` - Expected: Ask user for approval 6. **After Deployment - Secret Blocking Tests** (manual): - Attempt to read .env file with both agents - Expected: Permission denied - Attempt to read /run/agenix/ with Chiron - Expected: Permission denied - Attempt to read .env.example (should be allowed) - Expected: Success 7. **After Deployment - Bash Injection Prevention** (manual): - Have agent attempt bash -c "$(cat /malicious)" - Expected: Permission denied - Have agent attempt bash -c "`cat /malicious`" - Expected: Permission denied - Have agent attempt eval command - Expected: Permission denied 8. **After Deployment - Git Secret Protection** (manual): - Have agent attempt `git add .env` - Expected: Permission denied - Have agent attempt `git commit .env` - Expected: Permission denied 9. **Deployment Verification**: ```bash # After home-manager switch, verify config is embedded correctly cat ~/.config/opencode/config.json | jq '.agent.chiron.permission.external_directory' # Expected: Shows ~/p/** rule, no duplicate keys # Verify agents load without errors # Expected: No startup errors when launching OpenCode ``` --- ## Execution Strategy ### Parallel Execution Waves > Single file sequential changes - no parallelization possible. ``` Single-Threaded Execution: Task 1: Fix duplicate external_directory key Task 2: Apply Chiron permission updates Task 3: Apply Chriton-Forge permission updates Task 4: Validate configuration ``` ### Dependency Matrix | Task | Depends On | Blocks | Can Parallelize With | |------|------------|--------|---------------------| | 1 | None | 2, 3 | None (must start) | | 2 | 1 | 4 | 3 | | 3 | 1 | 4 | 2 | | 4 | 2, 3 | None | None (validation) | ### Agent Dispatch Summary | Task | Recommended Agent | |------|-----------------| | 1 | delegate_task(category="quick", load_skills=["git-master"]) | | 2 | delegate_task(category="quick", load_skills=["git-master"]) | | 3 | delegate_task(category="quick", load_skills=["git-master"]) | | 4 | User (manual verification) | --- ## TODOs > Implementation tasks for agent configuration changes. Each task MUST include acceptance criteria with executable verification. - [x] 1. Fix Duplicate external_directory Key in Chiron Config **What to do**: - Remove duplicate `external_directory` key from Chiron permission object - Consolidate into single object with specific rule + catch-all `"*": "ask"` - Replace `~/projects/personal/**` with `~/p/**` (symlink to same directory) **Must NOT do**: - Leave duplicate keys (second key overrides first, breaks config) - Skip workspace path validation (verify ~/p/** exists) **Recommended Agent Profile**: > **Category**: quick - Reason: Simple JSON edit, single file change, no complex logic > **Skills**: git-master - git-master: Git workflow for committing changes > **Skills Evaluated but Omitted**: - research: Not needed (no investigation required) - librarian: Not needed (no external docs needed) **Parallelization**: - **Can Run In Parallel**: NO - **Parallel Group**: Sequential - **Blocks**: Tasks 2, 3 (depends on clean config) - **Blocked By**: None (can start immediately) **References** (CRITICAL - Be Exhaustive): **Pattern References** (existing code to follow): - `agents/agents.json:1-135` - Current agent configuration structure (JSON format, permission object structure) - `agents/agents.json:7-29` - Chiron permission object (current state with duplicate key) **API/Type References** (contracts to implement against): - OpenCode permission schema: `{"permission": {"bash": {...}, "edit": "...", "external_directory": {...}, "task": {...}}` **Documentation References** (specs and requirements): - Interview draft: `.sisyphus/drafts/agent-permissions-refinement.md` - All user decisions and requirements - Metis analysis: Critical issue #1 - Duplicate external_directory key **External References** (libraries and frameworks): - OpenCode docs: https://opencode.ai/docs/permissions/ - Permission system documentation (allow/ask/deny, wildcards, last-match-wins) - OpenCode docs: https://opencode.ai/docs/agents/ - Agent configuration format **WHY Each Reference Matters** (explain the relevance): - `agents/agents.json` - Target file to modify, shows current structure and duplicate key bug - Interview draft - Contains all user decisions (~/p/** path, subagent restrictions, etc.) - OpenCode permissions docs - Explains permission system mechanics (last-match-wins critical for rule ordering) - Metis analysis - Identifies the duplicate key bug that MUST be fixed **Acceptance Criteria**: > **CRITICAL: AGENT-EXECUTABLE VERIFICATION ONLY** **Automated Verification (config validation)**: \`\`\`bash # Agent runs: jq '.' /home/m3tam3re/p/AI/AGENTS/agents/agents.json > /dev/null 2>&1 # Assert: Exit code 0 (valid JSON) # Verify single external_directory key in chiron permission object cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron.permission | keys' | grep external_directory | wc -l # Assert: Output is "1" (exactly one external_directory key) # Verify workspace path exists ls -la ~/p/ 2>&1 | head -1 # Assert: Shows directory listing (not "No such file or directory") \`\`\` **Evidence to Capture**: - [x] jq validation output (exit code 0) - [x] external_directory key count output (should be "1") - [x] Workspace path ls output (shows directory exists) **Commit**: NO (group with Task 2 and 3) - [x] 2. Apply Chiron Permission Updates **What to do**: - Set `edit` to `"deny"` (planning agent should not write files) - Set `bash` permissions to deny all except `bd *`: ```json "bash": { "*": "deny", "bd *": "allow" } ``` - Set `external_directory` to `~/p/**` with catch-all ask: ```json "external_directory": { "~/p/**": "allow", "*": "ask" } ``` - Add `task` permission to restrict subagents: ```json "task": { "*": "deny", "explore": "allow", "librarian": "allow", "athena": "allow", "chiron-forge": "allow" } ``` - Add `/run/agenix/*` to read deny list - Add expanded secret blocking patterns: `.local/share/*`, `.cache/*`, `*.db`, `*.keychain`, `*.p12` **Must NOT do**: - Allow bash file write operators (echo >, cat >, tee, etc.) - will add in Task 3 for both agents - Allow chiron to invoke build-capable subagents beyond chiron-forge - Skip webfetch permission (should be "allow" for research capability) **Recommended Agent Profile**: > **Category**: quick - Reason: JSON configuration update, follows clear specifications from draft > **Skills**: git-master - git-master: Git workflow for committing changes > **Skills Evaluated but Omitted**: - research: Not needed (all requirements documented in draft) - librarian: Not needed (no external docs needed) **Parallelization**: - **Can Run In Parallel**: YES - **Parallel Group**: Wave 2 (with Task 3) - **Blocks**: Task 4 - **Blocked By**: Task 1 **References** (CRITICAL - Be Exhaustive): **Pattern References** (existing code to follow): - `agents/agents.json:11-24` - Current Chiron read permissions with secret blocking patterns - `agents/agents.json:114-132` - Athena permission object (read-only subagent reference pattern) **API/Type References** (contracts to implement against): - OpenCode task permission schema: `{"task": {"agent-name": "allow"}}` **Documentation References** (specs and requirements): - Interview draft: `.sisyphus/drafts/agent-permissions-refinement.md` - Chiron permission decisions - Metis analysis: Guardrails #7, #8 - Secret blocking patterns, task permission implementation **External References** (libraries and frameworks): - OpenCode docs: https://opencode.ai/docs/agents/#task-permissions - Task permission documentation - OpenCode docs: https://opencode.ai/docs/permissions/ - Permission level definitions and pattern matching **WHY Each Reference Matters** (explain the relevance): - `agents/agents.json:11-24` - Shows current secret blocking patterns to extend - `agents/agents.json:114-132` - Shows read-only subagent pattern for reference (athena: deny bash, deny edit) - Interview draft - Contains exact user requirements for Chiron permissions - OpenCode task docs - Explains how to restrict subagent invocation via task permission **Acceptance Criteria**: > **CRITICAL: AGENT-EXECUTABLE VERIFICATION ONLY** **Automated Verification (config validation)**: \`\`\`bash # Agent runs: jq '.chiron.permission.edit' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron.permission.bash."*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron.permission.bash."bd *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "allow" jq '.chiron.permission.task."*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron.permission.task | keys' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Contains ["*", "athena", "chiron-forge", "explore", "librarian"] jq '.chiron.permission.external_directory."~/p/**"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "allow" jq '.chiron.permission.external_directory."*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "ask" jq '.chiron.permission.read."/run/agenix/*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" \`\`\` **Evidence to Capture**: - [x] Edit permission value (should be "deny") - [x] Bash wildcard permission (should be "deny") - [x] Bash bd permission (should be "allow") - [x] Task wildcard permission (should be "deny") - [x] Task allowlist keys (should show 5 entries) - [x] External directory ~/p/** permission (should be "allow") - [x] External directory wildcard permission (should be "ask") - [x] Read /run/agenix/* permission (should be "deny") **Commit**: NO (group with Task 3) - [x] 3. Apply Chriton-Forge Permission Updates **What to do**: - Split `git *: "ask"` into granular rules: - Allow: `git add *`, `git commit *`, read-only commands (status, log, diff, branch, show, stash, remote) - Ask: `git push *` - Deny: `git config *` - Change package managers from `"ask"` to granular rules: - Ask for installs: `npm install *`, `npm i *`, `npx *`, `pip install *`, `pip3 install *`, `uv *`, `bun install *`, `bun i *`, `bunx *`, `yarn install *`, `yarn add *`, `pnpm install *`, `pnpm add *`, `cargo install *`, `go install *`, `make install` - Allow other commands implicitly (let them use catch-all rules or existing allow patterns) - Set `external_directory` to allow `~/p/**` with catch-all ask: ```json "external_directory": { "~/p/**": "allow", "*": "ask" } ``` - Add bash file write protection patterns (apply to both agents): ```json "bash": { "echo * > *": "deny", "cat * > *": "deny", "printf * > *": "deny", "tee": "deny", "*>*": "deny", ">*>*": "deny" } ``` - Add bash command injection prevention (apply to both agents): ```json "bash": { "$(*": "deny", "`*": "deny", "eval *": "deny", "source *": "deny" } ``` - Add git secret protection patterns (apply to both agents): ```json "bash": { "git add *.env*": "deny", "git commit *.env*": "deny", "git add *credentials*": "deny", "git add *secrets*": "deny" } ``` - Add expanded secret blocking patterns to read permission: - `.local/share/*`, `.cache/*`, `*.db`, `*.keychain`, `*.p12` **Must NOT do**: - Remove existing bash deny rules for dangerous commands (dd, mkfs, fdisk, parted, eval, sudo, su, systemctl, etc.) - Allow git config modifications - Allow bash to write files via any method (must block all redirect patterns) - Skip command injection prevention ($(), backticks, eval, source) **Recommended Agent Profile**: > **Category**: quick - Reason: JSON configuration update, follows clear specifications from draft > **Skills**: git-master - git-master: Git workflow for committing changes > **Skills Evaluated but Omitted**: - research: Not needed (all requirements documented in draft) - librarian: Not needed (no external docs needed) **Parallelization**: - **Can Run In Parallel**: YES - **Parallel Group**: Wave 2 (with Task 2) - **Blocks**: Task 4 - **Blocked By**: Task 1 **References** (CRITICAL - Be Exhaustive): **Pattern References** (existing code to follow): - `agents/agents.json:37-103` - Current Chriton-Forge bash permissions (many explicit allow/ask/deny rules) - `agents/agents.json:37-50` - Current Chriton-Forge read permissions with secret blocking **API/Type References** (contracts to implement against): - OpenCode permission schema: Same as Task 2 **Documentation References** (specs and requirements): - Interview draft: `.sisyphus/drafts/agent-permissions-refinement.md` - Chriton-Forge permission decisions - Metis analysis: Guardrails #1-#6 - Bash edit bypass, git secret protection, command injection, git config protection **External References** (libraries and frameworks): - OpenCode docs: https://opencode.ai/docs/permissions/ - Permission pattern matching (wildcards, last-match-wins) **WHY Each Reference Matters** (explain the relevance): - `agents/agents.json:37-103` - Shows current bash permission structure (many explicit rules) to extend with new patterns - `agents/agents.json:37-50` - Shows current secret blocking to extend with additional patterns - Interview draft - Contains exact user requirements for Chriton-Forge permissions - Metis analysis - Provides bash injection prevention patterns and git protection rules **Acceptance Criteria**: > **CRITICAL: AGENT-EXECUTABLE VERIFICATION ONLY** **Automated Verification (config validation)**: \`\`\`bash # Agent runs: # Verify git commit is allowed jq '.chiron-forge.permission.bash."git commit *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "allow" # Verify git push asks jq '.chiron-forge.permission.bash."git push *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "ask" # Verify git config is denied jq '.chiron-forge.permission.bash."git config *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" # Verify npm install asks jq '.chiron-forge.permission.bash."npm install *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "ask" # Verify bash file write redirects are blocked jq '.chiron-forge.permission.bash."echo * > *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.bash."cat * > *"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.bash."tee"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" # Verify command injection is blocked jq '.chiron-forge.permission.bash."$(*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.bash."`*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" # Verify git secret protection jq '.chiron-forge.permission.bash."git add *.env*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.bash."git commit *.env*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" # Verify external_directory scope jq '.chiron-forge.permission.external_directory."~/p/**"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "allow" jq '.chiron-forge.permission.external_directory."*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "ask" # Verify expanded secret blocking jq '.chiron-forge.permission.read.".local/share/*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.read.".cache/*"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" jq '.chiron-forge.permission.read."*.db"' /home/m3tam3re/p/AI/AGENTS/agents/agents.json # Assert: Output is "deny" \`\`\` **Evidence to Capture**: - [x] Git commit permission (should be "allow") - [x] Git push permission (should be "ask") - [x] Git config permission (should be "deny") - [x] npm install permission (should be "ask") - [x] bash redirect echo > permission (should be "deny") - [x] bash redirect cat > permission (should be "deny") - [x] bash tee permission (should be "deny") - [x] bash $() injection permission (should be "deny") - [x] bash backtick injection permission (should be "deny") - [x] git add *.env* permission (should be "deny") - [x] git commit *.env* permission (should be "deny") - [x] external_directory ~/p/** permission (should be "allow") - [x] external_directory wildcard permission (should be "ask") - [x] read .local/share/* permission (should be "deny") - [x] read .cache/* permission (should be "deny") - [x] read *.db permission (should be "deny") **Commit**: YES (groups with Tasks 1, 2, 3) - Message: `chore(agents): refine permissions for Chiron and Chriton-Forge with security hardening` - Files: `agents/agents.json` - Pre-commit: `jq '.' agents/agents.json > /dev/null 2>&1` (validate JSON) - [x] 4. Validate Configuration (Manual Verification) **What to do**: - Run JSON syntax validation: `jq '.' agents/agents.json` - Verify no duplicate keys in configuration - Verify workspace path exists: `ls -la ~/p/` - Document manual verification procedure for post-deployment testing **Must NOT do**: - Skip workspace path validation - Skip duplicate key verification - Proceed to deployment without validation **Recommended Agent Profile**: > **Category**: quick - Reason: Simple validation commands, documentation task > **Skills**: git-master - git-master: Git workflow for committing validation script or notes if needed > **Skills Evaluated but Omitted**: - research: Not needed (validation is straightforward) - librarian: Not needed (no external docs needed) **Parallelization**: - **Can Run In Parallel**: NO - **Parallel Group**: Sequential - **Blocks**: None (final validation task) - **Blocked By**: Tasks 2, 3 **References** (CRITICAL - Be Exhaustive): **Pattern References** (existing code to follow): - `AGENTS.md` - Repository documentation structure **API/Type References** (contracts to implement against): - N/A (validation task) **Documentation References** (specs and requirements): - Interview draft: `.sisyphus/drafts/agent-permissions-refinement.md` - All user requirements - Metis analysis: Guardrails #1-#6 - Validation requirements **External References** (libraries and frameworks): - N/A (validation task) **WHY Each Reference Matters** (explain the relevance): - Interview draft - Contains all requirements to validate against - Metis analysis - Identifies specific validation steps (duplicate keys, workspace path, etc.) **Acceptance Criteria**: > **CRITICAL: AGENT-EXECUTABLE VERIFICATION ONLY** **Automated Verification (config validation)**: \`\`\`bash # Agent runs: # JSON syntax validation jq '.' /home/m3tam3re/p/AI/AGENTS/agents/agents.json > /dev/null 2>&1 # Assert: Exit code 0 # Verify no duplicate external_directory keys cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron.permission | keys' | grep external_directory | wc -l # Assert: Output is "1" cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron-forge.permission | keys' | grep external_directory | wc -l # Assert: Output is "1" # Verify workspace path exists ls -la ~/p/ 2>&1 | head -1 # Assert: Shows directory listing (not "No such file or directory") # Verify all permission keys are valid cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron.permission' > /dev/null 2>&1 # Assert: Exit code 0 cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron-forge.permission' > /dev/null 2>&1 # Assert: Exit code 0 \`\`\` **Evidence to Capture**: - [x] jq validation output (exit code 0) - [x] Chiron external_directory key count (should be "1") - [x] Chriton-Forge external_directory key count (should be "1") - [x] Workspace path ls output (shows directory exists) - [x] Chiron permission object validation (exit code 0) - [x] Chriton-Forge permission object validation (exit code 0) **Commit**: NO (validation only, no changes) --- ## Commit Strategy | After Task | Message | Files | Verification | |------------|---------|-------|--------------| | 1, 2, 3 | `chore(agents): refine permissions for Chiron and Chriton-Forge with security hardening` | agents/agents.json | `jq '.' agents/agents.json > /dev/null` | | 4 | N/A (validation only) | N/A | N/A | --- ## Success Criteria ### Verification Commands ```bash # Pre-deployment validation jq '.' /home/m3tam3re/p/AI/AGENTS/agents/agents.json > /dev/null 2>&1 # Expected: Exit code 0 # Duplicate key check cat /home/m3tam3re/p/AI/AGENTS/agents/agents.json | jq '.chiron.permission | keys' | grep external_directory | wc -l # Expected: 1 # Workspace path validation ls -la ~/p/ 2>&1 # Expected: Directory listing # Post-deployment (manual) # Have Chiron attempt file edit → Expected: Permission denied # Have Chiron run bd ready → Expected: Success # Have Chriton-Forge git commit → Expected: Success # Have Chriton-Forge git push → Expected: Ask user # Have agent read .env → Expected: Permission denied ``` ### Final Checklist - [x] Duplicate `external_directory` key fixed - [x] Chiron edit set to "deny" - [x] Chiron bash denied except `bd *` - [x] Chiron task permission restricts subagents (explore, librarian, athena, chiron-forge) - [x] Chiron external_directory allows ~/p/** only - [x] Chriton-Forge git commit allowed, git push asks - [x] Chriton-Forge git config denied - [x] Chriton-Forge package install commands ask - [x] Chriton-Forge external_directory allows ~/p/**, asks others - [x] Bash file write operators blocked (echo >, cat >, tee, etc.) - [x] Bash command injection blocked ($(), backticks, eval, source) - [x] Git secret protection added (git add/commit *.env* deny) - [x] Expanded secret blocking patterns added (.local/share/*, .cache/*, *.db, *.keychain, *.p12) - [x] /run/agenix/* blocked in read permissions - [x] JSON syntax valid (jq validates) - [x] No duplicate keys in configuration - [x] Workspace path ~/p/** exists