@zhijiewang/openharness 2.36.0 → 2.37.0

package/README.md

@@ -574,6 +574,8 @@ Agent({ subagent_type: 'security-auditor', prompt: '...', permission_mode: 'deny
 
 If a less-restrictive mode is requested (e.g. parent is `ask`, subagent requests `trust`), the harness silently clamps to the parent — a model can never use a sub-agent to escape user-approval gates.
 
+**Read-only roles default to `plan` automatically.** `code-reviewer`, `evaluator`, `security-auditor`, `architect`, and `planner` ship with `permissionMode: 'plan'` — spawn them under any parent and they're statically read-only, no `permission_mode` override needed. Markdown-defined agents in `.oh/agents/*.md` can set their own default with `permissionMode: plan` (or `permission-mode: plan`) frontmatter.
+
 ## Headless Mode
 
 Run a single prompt without interactive UI — perfect for CI/CD and scripting:

package/README.zh-CN.md

@@ -574,6 +574,8 @@ Agent({ subagent_type: 'security-auditor', prompt: '...', permission_mode: 'deny
 
 如果请求的模式比父级更宽松（比如父级 `ask`、子代理请求 `trust`），harness 会静默回退到父级的模式 —— 模型永远不能借助子代理绕过用户的批准门。
 
+**只读角色自动默认 `plan` 模式。** `code-reviewer`、`evaluator`、`security-auditor`、`architect`、`planner` 内置 `permissionMode: 'plan'` —— 在任何父级权限下启动它们都是静态只读，无需在调用处再传 `permission_mode`。`.oh/agents/*.md` 里自定义的 markdown agent 也可以在 frontmatter 写 `permissionMode: plan`（或 `permission-mode: plan`）来设默认。
+
 ## 无头模式
 
 跑一次提示词，不走交互 UI —— 适合 CI/CD 和脚本化：

package/dist/agents/roles.d.ts

@@ -21,6 +21,20 @@ export type AgentRole = {
     model?: string;
     /** Isolation mode for sub-agent execution. Default: inherits parent. */
     isolation?: "none" | "worktree";
+    /**
+     * Default permission mode for this role. When the AgentTool caller doesn't
+     * pass `permission_mode`, this value is used. Always passes through the
+     * narrowing-only safety clamp (v2.36): a role marked `plan` can't loosen
+     * the parent's stricter mode, only set the floor when the parent is looser.
+     *
+     * Use cases:
+     *   - `plan` for read-only roles (code-reviewer, evaluator, security-auditor,
+     *     architect, planner) — locks them as read-only even when the parent
+     *     is in `trust`, so the review pass can't accidentally write anything.
+     *   - Leave undefined for roles that mutate (editor, migrator, refactorer,
+     *     test-writer, debugger) — they need the parent's mode to do their job.
+     */
+    permissionMode?: import("../types/permissions.js").PermissionMode;
     /** Per-agent MCP servers injected only when this agent runs (parsed via raw passthrough; dispatcher wiring is a future task). */
     mcpServers?: Record<string, unknown>;
     /** Per-agent hooks (parsed via raw passthrough; dispatcher wiring is a future task). */

package/dist/agents/roles.js

@@ -22,6 +22,7 @@ const roles = [
 
 Be specific: cite file paths, line numbers, and code snippets. Prioritize issues by severity (critical > major > minor). Don't mention things that look fine — focus on problems.`,
         suggestedTools: ["Read", "Glob", "Grep", "LS"],
+        permissionMode: "plan",
     },
     {
         id: "test-writer",
@@ -99,6 +100,7 @@ Do NOT add new features or change behavior. The refactored code must be function
 
 Report findings with severity (Critical/High/Medium/Low), affected file:line, and recommended fix.`,
         suggestedTools: ["Read", "Glob", "Grep", "Bash"],
+        permissionMode: "plan",
     },
     {
         id: "evaluator",
@@ -113,6 +115,7 @@ Report findings with severity (Critical/High/Medium/Low), affected file:line, an
 
 You CANNOT modify files. Only read, search, and run test/lint commands to evaluate.`,
         suggestedTools: ["Read", "Glob", "Grep", "LS", "Bash", "Diagnostics"],
+        permissionMode: "plan",
     },
     {
         id: "planner",
@@ -127,6 +130,7 @@ You CANNOT modify files. Only read, search, and run test/lint commands to evalua
 
 Do NOT implement anything. Your output is a plan document, not code. Read widely before planning.`,
         suggestedTools: ["Read", "Glob", "Grep", "LS", "Bash"],
+        permissionMode: "plan",
     },
     {
         id: "architect",
@@ -152,6 +156,7 @@ When you've finished planning, output a structured "Plan" the editor can apply m
 
 Keep each step small enough that an editor (a cheaper model) can apply it without re-deriving your reasoning. Group related edits together; surface dependencies between steps.`,
         suggestedTools: ["Read", "Glob", "Grep", "LS"],
+        permissionMode: "plan",
     },
     {
         id: "editor",
@@ -238,6 +243,7 @@ function parseAgentMarkdown(raw, filePath) {
     const disallowedMatch = fm.match(/^disallowedTools:\s*(.+)$/m) ?? fm.match(/^disallowed-tools:\s*(.+)$/m);
     const modelMatch = fm.match(/^model:\s*(.+)$/m);
     const isolationMatch = fm.match(/^isolation:\s*(.+)$/m);
+    const permModeMatch = fm.match(/^permissionMode:\s*(.+)$/m) ?? fm.match(/^permission-mode:\s*(.+)$/m);
     const fmEnd = raw.indexOf("---", raw.indexOf("---") + 3);
     const content = fmEnd > 0 ? raw.slice(fmEnd + 3).trim() : "";
     const id = basename(filePath, ".md")
@@ -245,6 +251,14 @@ function parseAgentMarkdown(raw, filePath) {
         .replace(/[^a-z0-9]+/g, "-");
     const isolation = isolationMatch?.[1]?.trim().replace(/^["']|["']$/g, "");
     const validIsolation = isolation === "worktree" || isolation === "none" ? isolation : undefined;
+    // permissionMode: only honor known values; silently drop typos. Same
+    // pattern as `isolation` above — we'd rather a misspelled mode produce
+    // "no override" than a runtime crash.
+    const permModeRaw = permModeMatch?.[1]?.trim().replace(/^["']|["']$/g, "");
+    const validModes = ["ask", "trust", "deny", "acceptEdits", "plan", "auto", "bypassPermissions"];
+    const validPermissionMode = validModes.includes(permModeRaw)
+        ? permModeRaw
+        : undefined;
     // Parse optional inline-JSON fields (mcpServers, hooks). These are block fields in
     // Anthropic's YAML but we support single-line JSON for lightweight frontmatter use.
     const mcpServersMatch = fm.match(/^mcpServers:\s*(\{[\s\S]*?\})\s*$/m);
@@ -258,6 +272,7 @@ function parseAgentMarkdown(raw, filePath) {
         disallowedTools: disallowedMatch ? parseAgentList(disallowedMatch[1]) : undefined,
         model: modelMatch?.[1]?.trim().replace(/^["']|["']$/g, ""),
         isolation: validIsolation,
+        permissionMode: validPermissionMode,
         mcpServers: mcpServersMatch ? tryParseJson(mcpServersMatch[1]) : undefined,
         hooks: hooksMatch ? tryParseJson(hooksMatch[1]) : undefined,
     };

package/dist/tools/AgentTool/index.js

@@ -109,8 +109,16 @@ export const AgentTool = {
         // Permission mode override — narrowing-only. Subagent can be same-or-stricter
         // than parent; a less-restrictive request silently clamps to the parent so a
         // model in `ask` can't spawn a `trust`-mode subagent to bypass user approval.
+        //
+        // Resolution order, most-specific-wins:
+        //   1. input.permission_mode (the call site's explicit choice)
+        //   2. role.permissionMode (the role's documented default — e.g.
+        //      code-reviewer / security-auditor / planner default to "plan")
+        //   3. parent's mode (no narrowing — current default)
+        // The clamp applies in all cases so #1 and #2 can only narrow, not loosen.
         const parentMode = context.permissionMode ?? "trust";
-        const subagentMode = clampSubagentPermissionMode(parentMode, input.permission_mode);
+        const requestedMode = input.permission_mode ?? role?.permissionMode;
+        const subagentMode = clampSubagentPermissionMode(parentMode, requestedMode);
         const config = {
             provider: context.provider,
             tools: agentTools,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zhijiewang/openharness",
-  "version": "2.36.0",
+  "version": "2.37.0",
   "description": "Open-source terminal coding agent. Works with any LLM.",
   "type": "module",
   "bin": {