Opencode permissions + agent configs

flake.lock

@@ -21,6 +21,19 @@
         "type": "github"
       }
     },
+    "agents": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767685523,
+        "narHash": "sha256-shTEa+ekFgzB7G+V8ijvQx1N4OKXIEMjlCgtQxL+jqs=",
+        "path": "/home/m3tam3re/p/MISC/AGENTS",
+        "type": "path"
+      },
+      "original": {
+        "path": "/home/m3tam3re/p/MISC/AGENTS",
+        "type": "path"
+      }
+    },
     "base16-schemes": {
       "flake": false,
       "locked": {
@@ -505,6 +518,7 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "agents": "agents",
         "disko": "disko",
         "home-manager": "home-manager_2",
         "hyprpanel": "hyprpanel",

flake.nix

@@ -22,8 +22,8 @@
     nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
     nixpkgs-master.url = "github:nixos/nixpkgs/master";
 
-    # m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
+    m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
-    m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
+    # m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
     #
     nur = {
       url = "github:nix-community/NUR";
@@ -43,6 +43,12 @@
     hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
     rose-pine-hyprcursor.url = "github:ndom91/rose-pine-hyprcursor";
     nix-colors.url = "github:misterio77/nix-colors";
+
+    agents = {
+      # url = "path:/home/m3tam3re/p/MISC/AGENTS";
+      url = "git+https://code.m3ta.dev/m3tam3re/AGENTS";
+      flake = false;
+    };
   };
 
   outputs = {

home/features/coding/opencode.nix

@@ -1,9 +1,29 @@
-{
+{inputs, ...}: {
+  xdg.configFile = {
+    "opencode/command" = {
+      source = "${inputs.agents}/command";
+      recursive = true;
+    };
+    "opencode/context" = {
+      source = "${inputs.agents}/context";
+      recursive = true;
+    };
+    "opencode/prompts" = {
+      source = "${inputs.agents}/prompts";
+      recursive = true;
+    };
+    "opencode/skill" = {
+      source = "${inputs.agents}/skill";
+      recursive = true;
+    };
+  };
+
   programs.opencode = {
     enable = true;
     settings = {
       theme = "opencode";
       plugin = ["oh-my-opencode"];
+      agent = builtins.fromJSON (builtins.readFile "${inputs.agents}/agent/agents.json");
       formatter = {
         alejandra = {
           command = ["alejandra" "-q" "-"];
@@ -28,37 +48,138 @@
             "OPENAPI_MCP_HEADERS=$(cat /run/agenix/anytype-key) exec bunx @anyproto/anytype-mcp"
           ];
         };
+        Exa = {
+          type = "local";
+          command = [
+            "sh"
+            "-c"
+            "EXA_API_KEY=$(cat /run/agenix/exa-key) exec bunx exa-mcp-server@latest tools=web_search_exa"
+          ];
+          enabled = true;
+        };
       };
     };
   };
 
-  home.file.".config/opencode/oh-my-opencode.json".text = ''
+  home.file.".config/opencode/oh-my-opencode.json".text = builtins.toJSON {
-    {
+    "$schema" = "https://raw.githubusercontent.com/code-yeongyu/oh-my-opencode/master/assets/oh-my-opencode.schema.json";
-      "$schema": "https://raw.githubusercontent.com/code-yeongyu/oh-my-opencode/master/assets/oh-my-opencode.schema.json",
+    agents = {
-      "agents": {
+      Sisyphus = {
-        "Sisyphus": {
+        model = "anthropic/claude-opus-4-5";
-          "model": "anthropic/claude-opus-4-5"
+        permission = {
-        },
+          edit = "allow";
-        "librarian": {
+          bash = {
-          "model": "anthropic/claude-sonnet-4-5"
+            "*" = "allow";
-        },
+            "rm *" = "ask";
-        "explore": {
+            "rmdir *" = "ask";
-          "model": "opencode/big-pickle"
+            "mv *" = "ask";
-        },
+            "chmod *" = "ask";
-        "oracle": {
+            "chown *" = "ask";
-          "model": "anthropic/claude-sonnet-4-5"
+            "git *" = "ask";
-        },
+            "git status*" = "allow";
-        "frontend-ui-ux-engineer": {
+            "git log*" = "allow";
-          "model": "anthropic/claude-opus-4-5"
+            "git diff*" = "allow";
-        },
+            "git branch*" = "allow";
-        "document-writer": {
+            "git show*" = "allow";
-          "model": "anthropic/claude-opus-4-5"
+            "git stash list*" = "allow";
-        },
+            "git remote -v" = "allow";
-        "multimodal-looker": {
+            "git add *" = "allow";
-          "model": "anthropic/claude-opus-4-5"
+            "git commit *" = "allow";
-        }
+            "jj *" = "ask";
-      },
+            "jj status" = "allow";
-      "disabled_mcps": ["context7"]
+            "jj log*" = "allow";
-    }
+            "jj diff*" = "allow";
-  '';
+            "jj show*" = "allow";
+            "npm *" = "ask";
+            "npx *" = "ask";
+            "bun *" = "ask";
+            "bunx *" = "ask";
+            "uv *" = "ask";
+            "pip *" = "ask";
+            "pip3 *" = "ask";
+            "yarn *" = "ask";
+            "pnpm *" = "ask";
+            "cargo *" = "ask";
+            "go *" = "ask";
+            "make *" = "ask";
+            "dd *" = "deny";
+            "mkfs*" = "deny";
+            "fdisk *" = "deny";
+            "parted *" = "deny";
+            "eval *" = "deny";
+            "source *" = "deny";
+            "curl *|*sh" = "deny";
+            "wget *|*sh" = "deny";
+            "sudo *" = "deny";
+            "su *" = "deny";
+            "systemctl *" = "deny";
+            "service *" = "deny";
+            "shutdown *" = "deny";
+            "reboot*" = "deny";
+            "init *" = "deny";
+            "> /dev/*" = "deny";
+            "cat * > /dev/*" = "deny";
+          };
+          external_directory = "ask";
+          doom_loop = "ask";
+        };
+      };
+      librarian = {
+        model = "anthropic/claude-sonnet-4-5";
+        permission = {
+          edit = "deny";
+          bash = "deny";
+        };
+      };
+      explore = {
+        model = "opencode/big-pickle";
+        permission = {
+          edit = "deny";
+          bash = "deny";
+        };
+      };
+      oracle = {
+        model = "anthropic/claude-sonnet-4-5";
+        permission = {
+          edit = "deny";
+          bash = "deny";
+        };
+      };
+      frontend-ui-ux-engineer = {
+        model = "anthropic/claude-opus-4-5";
+        permission = {
+          edit = "allow";
+          bash = {
+            "*" = "ask";
+            "npm *" = "ask";
+            "npx *" = "ask";
+            "bun *" = "ask";
+            "bunx *" = "ask";
+            "rm *" = "ask";
+            "mv *" = "ask";
+            "dd *" = "deny";
+            "mkfs*" = "deny";
+            "sudo *" = "deny";
+            "curl *|*sh" = "deny";
+            "wget *|*sh" = "deny";
+          };
+        };
+      };
+      document-writer = {
+        model = "anthropic/claude-opus-4-5";
+        permission = {
+          edit = "allow";
+          bash = "deny";
+        };
+      };
+      multimodal-looker = {
+        model = "anthropic/claude-opus-4-5";
+        permission = {
+          edit = "deny";
+          bash = "deny";
+        };
+      };
+    };
+    disabled_mcps = ["context7"];
+  };
 }

hosts/m3-ares/secrets.nix

@@ -25,6 +25,10 @@
         file = ../../secrets/ref-key.age;
         owner = "m3tam3re";
       };
+      exa-key = {
+        file = ../../secrets/exa-key.age;
+        owner = "m3tam3re";
+      };
       tailscale-key.file = ../../secrets/tailscale-key.age;
       m3tam3re-secrets = {
         file = ../../secrets/m3tam3re-secrets.age;

hosts/m3-kratos/secrets.nix

@@ -36,6 +36,10 @@
         file = ../../secrets/ref-key.age;
         owner = "m3tam3re";
       };
+      exa-key = {
+        file = ../../secrets/exa-key.age;
+        owner = "m3tam3re";
+      };
     };
   };
 }

secrets.nix

@@ -29,6 +29,7 @@ in {
   "secrets/n8n-env.age".publicKeys = systems ++ users;
   "secrets/paperless-key.age".publicKeys = systems ++ users;
   "secrets/ref-key.age".publicKeys = systems ++ users;
+  "secrets/exa-key.age".publicKeys = systems ++ users;
   "secrets/restreamer-env.age".publicKeys = systems ++ users;
   "secrets/searx.age".publicKeys = systems ++ users;
   "secrets/tailscale-key.age".publicKeys = systems ++ users;

secrets/exa-key.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 4NLKrw BJ2iDD2cLf/qP+VxEHz6Y+8GJ4s4I2wP92uBMG2ttQc
+Nea+eK5CELL0eBq8+xuT+qDEbPyRzUgjnhDY+Mk8bjA
+-> ssh-ed25519 5kwcsA kpzfRai9rtonBkKVpYkD5kSYTsxbpwAliLO6WnyAgx8
+BXG4c2yGwkaXPCkKAiOqrNJknz/tN1jOXmTuj6mJvzA
+-> ssh-ed25519 9d4YIQ fRuLFIYDaY7JdtZs9BP4xm7zwDdBYGrzuueuQgS+QWo
+YM65b3HG43cP7EvcbX+WIn76a9I427MaeI0kJm0ZjHA
+-> ssh-ed25519 3Bcr1w /zGBacmchTtDaaCykhuJkMatDzuo7Hi8iefvnqYDyEg
+bK+aCK8cN7gDqLo15z6BC7WaWA+xXXSjP/eoe3ch71M
+-> ssh-rsa DQlE7w
+JRj461Gh8JYOykv4J2ce6W+q0y4imNfJgAF8r/1FvIy1VYSpDPtPqX6zIldKZ4Fs
+dcTpL4AFyQHysrLlMeTuOf7+91vWxBAPqMUR4DtEqxrnYKDpDMy6Addonx7ZhmwZ
+gl1dnfx7W9OxGrYZm3YsV5q4lvK1rwzDIswFduOky/kH65SUzdLl5nm8AcSQbKjy
+k2jR57/0+z2wmHdxrjY4aEredqTXZNfWRbrX3RQc3xlzka4qajVKAuq4V6EsV3h0
+SjQfRgMTnqMyTxqbURl2L5juZrLSj3UAFvYLi7nLCfKjBeRmezG5zZ58eJPnq3co
+A5Dy884MXuciLhc8nDUcTCSJap50P9HlyETq6ptzBV8JAF9TSpxY/gzbMt77VZFb
+MKf+3gtUIOaXzmzkFp6u90XLN+0n6kM+eJw6PMAPHxHfRDHTtPXE7ZMxRt/TKv1D
+Pi/Aqmi5Q9t79TfcNsIT7DcspefCSf4NdTrggxOxo0jmKNw4mdN5SLVqnZ/Ij72R
+
+--- gwpY8yhU+VJSvw2xbmfKHrp8lJpb/0LuGaFDRIA7ORI
+¥.ÑÉ®ŸùL,rð’RjmÚê<ûo