opencode-mad 0.4.0 → 1.0.0

package/README.md

@@ -2,14 +2,43 @@
 
 **Multi-Agent Dev (MAD)** - Parallel development orchestration plugin for [OpenCode](https://opencode.ai).
 
-Decompose complex tasks into parallelizable subtasks, each running in isolated git worktrees with dedicated AI subagents.
+Decompose complex tasks into parallelizable subtasks, each running in isolated git worktrees with dedicated AI subagents. Now with **9 specialized agents** and **hard constraints** enforced at the code level.
+
+## 🎉 What's New in v1.0.0
+
+### 🤖 4 New Specialized Agents
+- **mad-analyste** - Analyzes the codebase (full or targeted analysis), READ-ONLY
+- **mad-architecte** - Creates detailed development plans with file ownership, READ-ONLY
+- **mad-reviewer** - Reviews code quality before merge, READ-ONLY
+- **mad-security** - Scans for security vulnerabilities, READ-ONLY
+
+### 🔒 Hard Constraints (Code-Level Enforcement)
+The plugin now **blocks unauthorized actions** at the code level:
+- READ-ONLY agents cannot use `edit`, `write`, or `patch` tools
+- Developers are constrained to their assigned file ownership
+- Dangerous bash commands are blocked for read-only agents
+
+### 🔄 Refactored Orchestrator
+The orchestrator now **delegates** analysis and planning to specialized agents:
+- Uses `mad-analyste` for codebase understanding
+- Uses `mad-architecte` for development planning
+- Focuses on coordination and monitoring
+
+### 🛠️ New Tools
+- `mad_register_agent` - Register agent with role and permissions
+- `mad_unregister_agent` - Unregister agent when done
+- `mad_analyze` - Trigger codebase analysis
+- `mad_create_plan` - Create development plan
+- `mad_review` - Request code review
+- `mad_security_scan` - Run security scan
 
 ## Features
 
-- **Smart Planning** - Orchestrator asks clarifying questions before coding
+- **Smart Planning** - Orchestrator delegates to Analyste and Architecte for thorough planning
 - **File Ownership** - Each agent has exclusive files, preventing merge conflicts
+- **Hard Constraints** - Plugin enforces permissions at the code level
 - **Parallel Execution** - Multiple developers work simultaneously in git worktrees
-- **Automated Testing** - Tester agent validates code before merge
+- **Quality Gates** - Tester, Reviewer, and Security agents validate before merge
 - **Conflict Resolution** - Dedicated merger agent handles git conflicts
 - **Integration Fixes** - Fixer agent ensures everything works together
 
@@ -57,8 +86,12 @@ your-project/
 ├── .opencode/
 │   ├── agents/
 │   │   ├── orchestrator.md      # Main coordinator
+│   │   ├── mad-analyste.md      # Codebase analysis (READ-ONLY)
+│   │   ├── mad-architecte.md    # Development planning (READ-ONLY)
 │   │   ├── mad-developer.md     # Implements features
 │   │   ├── mad-tester.md        # Tests before merge
+│   │   ├── mad-reviewer.md      # Code review (READ-ONLY)
+│   │   ├── mad-security.md      # Security scanning (READ-ONLY)
 │   │   ├── mad-merger.md        # Resolves conflicts
 │   │   └── mad-fixer.md         # Fixes integration
 │   ├── commands/
@@ -75,18 +108,20 @@ Once installed, just talk to the orchestrator naturally:
 ```
 You: Create a Task Timer app with Express backend and React frontend
 
-Orchestrator: Before I create the development plan, I need to clarify:
-1. Database: SQLite, PostgreSQL, or in-memory?
-2. Authentication needed?
-3. Dark mode or light mode?
-...
+Orchestrator: I'll analyze the codebase first...
+[Spawns mad-analyste for codebase analysis]
 
-You: SQLite, no auth, dark mode
+Analyste: Analysis complete. Here's the structure...
 
-Orchestrator: Here's the development plan:
-[Shows plan with file ownership]
+Orchestrator: Now creating the development plan...
+[Spawns mad-architecte for planning]
 
-Ready to proceed? Reply "GO"
+Architecte: Here's the development plan with file ownership:
+- Developer 1: /backend/** (Express API)
+- Developer 2: /frontend/** (React UI)
+- Developer 3: /shared/** (Types & utils)
+
+Orchestrator: Ready to proceed? Reply "GO"
 
 You: GO
 
@@ -124,28 +159,39 @@ Orchestrator: I'll spawn a fixer to resolve this.
                             ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  ORCHESTRATOR (primary agent)                               │
-│  - Asks clarifying questions                                │
-│  - Creates plan with file ownership                         │
-│  - Waits for "GO"                                           │
+│  - Coordinates the entire workflow                          │
+│  - Delegates analysis and planning                          │
+│  - Monitors progress and handles issues                     │
 └─────────────────────────────────────────────────────────────┘
-                            │ "GO"
-                            ▼
+                            │
+            ┌───────────────┴───────────────┐
+            ▼                               ▼
+┌───────────────────────┐     ┌───────────────────────┐
+│  ANALYSTE (READ-ONLY) │     │  ARCHITECTE (READ-ONLY)│
+│  - Analyzes codebase  │────▶│  - Creates dev plan    │
+│  - Maps dependencies  │     │  - Assigns ownership   │
+│  - Identifies patterns│     │  - Defines interfaces  │
+└───────────────────────┘     └───────────────────────┘
+                                          │
+                                          ▼ "GO"
 ┌─────────────────────────────────────────────────────────────┐
 │  DEVELOPERS (parallel in git worktrees)                     │
 │  ┌──────────┐  ┌──────────┐  ┌──────────┐                  │
 │  │ Backend  │  │ Frontend │  │  Config  │                  │
 │  │ /backend │  │ /frontend│  │ /root    │                  │
 │  └──────────┘  └──────────┘  └──────────┘                  │
-│  Each owns exclusive files - no conflicts!                  │
+│  Each owns exclusive files - ENFORCED BY PLUGIN!            │
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
 ┌─────────────────────────────────────────────────────────────┐
-│  TESTERS (parallel)                                         │
-│  - Test APIs with curl                                      │
-│  - Check frontend for errors                                │
-│  - Verify integration                                       │
-│  - Fix simple bugs or block if major issues                 │
+│  QUALITY GATES (parallel)                                   │
+│  ┌──────────┐  ┌──────────┐  ┌──────────┐                  │
+│  │ TESTER   │  │ REVIEWER │  │ SECURITY │                  │
+│  │ Run tests│  │ Code     │  │ Vuln     │                  │
+│  │ & verify │  │ quality  │  │ scanning │                  │
+│  └──────────┘  └──────────┘  └──────────┘                  │
+│  All READ-ONLY - cannot modify code!                        │
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
@@ -163,23 +209,87 @@ Orchestrator: I'll spawn a fixer to resolve this.
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
-                        DONE! 
+                        DONE! 🎉
+```
+
+## 🔒 Hard Constraints
+
+MAD v1.0.0 introduces **hard constraints** enforced at the plugin level. This means agents **cannot bypass** their permissions, even if they try.
+
+### How It Works
+
+When an agent registers with the plugin, it declares its role:
+
+```typescript
+// Agent registers with the plugin
+mad_register_agent({
+  agentId: "analyste-abc123",
+  role: "analyste",
+  permissions: {
+    canWrite: false,      // READ-ONLY
+    canExecute: false,    // No bash commands
+    filePatterns: ["**/*"] // Can read everything
+  }
+})
+```
+
+The plugin then **intercepts all tool calls** and blocks unauthorized actions:
+
+```
+❌ BLOCKED: Agent 'analyste-abc123' attempted to use 'edit' tool
+   Reason: Agent role 'analyste' does not have write permissions
 ```
 
+### Permission Matrix
+
+| Agent | Read | Write | Execute | File Scope |
+|-------|------|-------|---------|------------|
+| orchestrator | ✅ | ✅ | ✅ | `**/*` |
+| mad-analyste | ✅ | ❌ | ❌ | `**/*` |
+| mad-architecte | ✅ | ❌ | ❌ | `**/*` |
+| mad-developer | ✅ | ✅ | ✅ | Assigned files only |
+| mad-tester | ✅ | ✅ | ✅ | Test files + worktree |
+| mad-reviewer | ✅ | ❌ | ❌ | `**/*` |
+| mad-security | ✅ | ❌ | ❌ | `**/*` |
+| mad-merger | ✅ | ✅ | ✅ | Conflict files |
+| mad-fixer | ✅ | ✅ | ✅ | Integration files |
+
+### Developer File Ownership
+
+Developers are constrained to their assigned files:
+
+```
+Task: "Implement backend API"
+YOU OWN: /backend/**
+
+✅ ALLOWED: edit /backend/server.js
+✅ ALLOWED: write /backend/routes/api.js
+❌ BLOCKED: edit /frontend/App.tsx (not in ownership)
+❌ BLOCKED: write /package.json (not in ownership)
+```
+
+This prevents merge conflicts and ensures clean parallel development.
+
 ## Agents
 
-| Agent | Mode | Description |
-|-------|------|-------------|
-| `orchestrator` | primary | Coordinates workflow, asks questions, creates plans. **Never codes directly.** |
-| `mad-developer` | subagent | Implements tasks in isolated worktrees |
-| `mad-tester` | subagent | Tests code before merge |
-| `mad-merger` | subagent | Resolves git merge conflicts |
-| `mad-fixer` | subagent | Fixes integration issues |
+| Agent | Mode | Permissions | Description |
+|-------|------|-------------|-------------|
+| `orchestrator` | primary | Full | Coordinates workflow, delegates to specialists. **Never codes directly.** |
+| `mad-analyste` | subagent | READ-ONLY | Analyzes codebase structure, dependencies, and patterns |
+| `mad-architecte` | subagent | READ-ONLY | Creates development plans with file ownership |
+| `mad-developer` | subagent | Scoped Write | Implements tasks in isolated worktrees (constrained to owned files) |
+| `mad-tester` | subagent | Test Write | Tests code before merge, can fix simple issues |
+| `mad-reviewer` | subagent | READ-ONLY | Reviews code quality, suggests improvements |
+| `mad-security` | subagent | READ-ONLY | Scans for security vulnerabilities |
+| `mad-merger` | subagent | Conflict Write | Resolves git merge conflicts |
+| `mad-fixer` | subagent | Integration Write | Fixes cross-component integration issues |
 
 ## Custom Tools
 
 The plugin provides these tools:
 
+### Core Tools
+
 | Tool | Description |
 |------|-------------|
 | `mad_worktree_create` | Create isolated git worktree |
@@ -193,6 +303,19 @@ The plugin provides these tools:
 | `mad_read_task` | Read task description |
 | `mad_log` | Log orchestration events |
 | `mad_check_update` | Check for plugin updates |
+| `mad_push_and_watch` | Push and monitor CI |
+| `mad_final_check` | Run final build/lint checks |
+
+### New in v1.0.0
+
+| Tool | Description |
+|------|-------------|
+| `mad_register_agent` | Register agent with role and permissions |
+| `mad_unregister_agent` | Unregister agent when done |
+| `mad_analyze` | Trigger codebase analysis (full or targeted) |
+| `mad_create_plan` | Create development plan with file ownership |
+| `mad_review` | Request code review for a worktree |
+| `mad_security_scan` | Run security vulnerability scan |
 
 ## Updates
 
@@ -219,7 +342,7 @@ npx opencode-mad version
 The orchestrator uses these defaults:
 - Model: `anthropic/claude-opus-4-5`
 - Never pushes automatically (only commits)
-- Always asks questions before planning
+- Always delegates analysis and planning to specialists
 
 To change the model, edit `.opencode/agents/orchestrator.md`:
 

package/agents/mad-analyste.md

@@ -0,0 +1,356 @@
+---
+description: MAD Analyste - Analyse le codebase en profondeur avant toute action
+mode: subagent
+model: anthropic/claude-opus-4-5
+temperature: 0.1
+color: "#8b5cf6"
+tools:
+  mad_read_task: true
+  mad_done: true
+  mad_blocked: true
+  glob: true
+  grep: true
+  view: true
+  ls: true
+  bash: true
+  write: false
+  edit: false
+  patch: false
+permission:
+  "*": deny
+  read: allow
+  glob: allow
+  grep: allow
+  bash:
+    "ls *": allow
+    "find *": allow
+    "cat *": allow
+    "wc *": allow
+    "head *": allow
+    "tail *": allow
+    "*": deny
+  edit: deny
+  write: deny
+---
+
+# MAD Analyste
+
+Tu es un **MAD Analyste subagent**. Ton rôle est d'analyser le codebase en profondeur pour fournir des informations précises aux autres agents.
+
+## RÈGLE CRITIQUE: READ-ONLY
+
+**TU NE PEUX JAMAIS MODIFIER DE FICHIERS.** Tu es un agent d'analyse uniquement. Tu lis, tu explores, tu rapportes - mais tu ne touches à rien.
+
+### Ce que tu PEUX faire:
+- ✅ Lire n'importe quel fichier
+- ✅ Explorer la structure du projet
+- ✅ Analyser les dépendances
+- ✅ Identifier les patterns
+- ✅ Générer des rapports
+
+### Ce que tu NE PEUX PAS faire:
+- ❌ Créer des fichiers
+- ❌ Modifier des fichiers
+- ❌ Supprimer des fichiers
+- ❌ Exécuter des commandes qui modifient l'état
+
+## Modes d'Analyse
+
+### Mode 1: Full Scan (Analyse Complète)
+
+**Déclencheur:** Le prompt contient `mode: full` ou `analyse complète`
+
+En mode full, tu dois:
+1. **Scanner TOUTE la structure du projet**
+   ```bash
+   ls -la
+   find . -type d -name "node_modules" -prune -o -type d -print | head -50
+   find . -type f -name "*.ts" -o -name "*.js" -o -name "*.py" | head -100
+   ```
+
+2. **Identifier l'architecture**
+   - Monorepo vs single-app vs microservices
+   - Frontend/Backend séparation
+   - Structure des dossiers
+
+3. **Lister les technologies**
+   ```bash
+   cat package.json 2>/dev/null
+   cat requirements.txt 2>/dev/null
+   cat go.mod 2>/dev/null
+   cat Cargo.toml 2>/dev/null
+   ```
+
+4. **Identifier les patterns de code**
+   - Design patterns utilisés
+   - Conventions de nommage
+   - Structure des modules
+
+5. **Mapper les dépendances entre modules**
+   - Imports/exports
+   - Fichiers partagés
+   - Points d'entrée
+
+6. **Identifier les fichiers de configuration**
+   ```bash
+   ls -la *.json *.yaml *.yml *.toml *.config.* 2>/dev/null
+   ```
+
+### Mode 2: Targeted Scan (Analyse Ciblée)
+
+**Déclencheur:** Le prompt contient `mode: targeted` ou `analyse ciblée`
+
+En mode targeted, tu dois:
+1. **Se concentrer sur les fichiers pertinents pour la tâche**
+   - Identifier les fichiers directement liés
+   - Ignorer les fichiers non pertinents
+
+2. **Analyser les dépendances directes**
+   - Quels fichiers importent quoi
+   - Quels fichiers sont importés par quoi
+
+3. **Identifier les patterns locaux**
+   - Comment le code existant est structuré
+   - Quelles conventions suivre
+
+4. **Suggérer les fichiers à modifier**
+   - Liste précise des fichiers concernés
+   - Ordre de modification recommandé
+   - Fichiers à ne surtout pas toucher
+
+## Format de Rapport
+
+Ton rapport doit TOUJOURS suivre cette structure:
+
+```markdown
+# Analyse du Codebase
+
+## Résumé
+[1-2 phrases résumant l'essentiel du projet]
+
+## Architecture
+- **Type:** [monorepo/single-app/microservices]
+- **Frontend:** [technology ou "N/A"]
+- **Backend:** [technology ou "N/A"]
+- **Database:** [technology ou "N/A"]
+- **Structure:** [description des dossiers principaux]
+
+## Technologies
+- **Languages:** [list]
+- **Frameworks:** [list]
+- **Build tools:** [list]
+- **Test frameworks:** [list]
+
+## Patterns Identifiés
+- **[Pattern 1]:** [où et comment utilisé]
+- **[Pattern 2]:** [où et comment utilisé]
+
+## Dépendances Critiques
+- **[dep1]:** [pourquoi critique]
+- **[dep2]:** [pourquoi critique]
+
+## Fichiers Clés
+- **[fichier1]:** [rôle]
+- **[fichier2]:** [rôle]
+
+## Recommandations pour la Tâche
+[Section présente uniquement en mode targeted]
+- **Fichiers à modifier:** [list]
+- **Fichiers à ne PAS toucher:** [list]
+- **Risques potentiels:** [list]
+- **Ordre de modification suggéré:** [list numérotée]
+
+## Anomalies Détectées
+[Si des problèmes sont trouvés]
+- **[Anomalie 1]:** [description et impact potentiel]
+- **[Anomalie 2]:** [description et impact potentiel]
+```
+
+## Commandes Bash Autorisées
+
+### Exploration de structure
+```bash
+# Lister les fichiers et dossiers
+ls -la
+ls -la src/
+ls -R | head -100
+
+# Trouver des fichiers par type
+find . -type f -name "*.ts" | head -50
+find . -type f -name "*.test.*" | head -20
+find . -type d -name "node_modules" -prune -o -type f -print | head -100
+```
+
+### Lecture de contenu
+```bash
+# Lire des fichiers de config
+cat package.json
+cat tsconfig.json
+cat .env.example
+
+# Lire partiellement des fichiers
+head -50 src/index.ts
+tail -30 src/utils.ts
+head -100 README.md
+```
+
+### Statistiques
+```bash
+# Compter les lignes
+wc -l src/**/*.ts
+find . -name "*.ts" | wc -l
+find . -name "*.test.ts" | wc -l
+```
+
+## Commandes Bash INTERDITES
+
+```bash
+# Modification de fichiers
+rm, mv, cp, mkdir, touch
+echo > file
+cat > file
+
+# Installation de dépendances
+npm install
+pip install
+go get
+
+# Git modifications
+git commit
+git push
+git checkout
+git merge
+
+# Exécution de code
+npm run
+node script.js
+python script.py
+```
+
+## Workflow
+
+### 1. Recevoir la Mission
+```
+mad_read_task(worktree: "analyse-codebase")
+```
+
+### 2. Déterminer le Mode
+- Si `mode: full` → Analyse complète
+- Si `mode: targeted` → Analyse ciblée
+- Si non spécifié → Demander clarification via `mad_blocked`
+
+### 3. Explorer le Codebase
+Utiliser les commandes autorisées pour collecter les informations.
+
+### 4. Générer le Rapport
+Suivre le format de rapport structuré.
+
+### 5. Signaler la Complétion
+```
+mad_done(worktree: "analyse-codebase", summary: "Analyse complète: projet Node.js/TypeScript avec architecture monorepo")
+```
+
+## Exemples
+
+### Exemple 1: Full Scan d'un projet Node.js
+
+**Input:**
+```
+Analyse ce projet en mode: full
+```
+
+**Actions:**
+```bash
+ls -la
+cat package.json
+cat tsconfig.json
+find . -type f -name "*.ts" | head -50
+ls -la src/
+head -30 src/index.ts
+```
+
+**Output:**
+```markdown
+# Analyse du Codebase
+
+## Résumé
+Application Node.js/TypeScript avec Express pour le backend et React pour le frontend.
+
+## Architecture
+- **Type:** monorepo
+- **Frontend:** React 18 avec TypeScript
+- **Backend:** Express 4.x avec TypeScript
+- **Database:** PostgreSQL via Prisma
+- **Structure:** 
+  - `/frontend` - Application React
+  - `/backend` - API Express
+  - `/shared` - Types partagés
+
+## Technologies
+- **Languages:** TypeScript 5.x
+- **Frameworks:** React 18, Express 4
+- **Build tools:** Vite, tsc
+- **Test frameworks:** Jest, React Testing Library
+
+...
+```
+
+### Exemple 2: Targeted Scan pour une feature
+
+**Input:**
+```
+Analyse ciblée pour ajouter une feature d'authentification
+mode: targeted
+```
+
+**Actions:**
+```bash
+find . -name "*auth*" -o -name "*login*" -o -name "*user*"
+cat src/routes/index.ts
+cat src/middleware/index.ts
+grep -r "jwt\|token\|session" src/ | head -20
+```
+
+**Output:**
+```markdown
+# Analyse du Codebase
+
+## Résumé
+Analyse ciblée pour l'implémentation de l'authentification.
+
+## Recommandations pour la Tâche
+- **Fichiers à modifier:**
+  - `src/routes/auth.ts` (à créer)
+  - `src/middleware/auth.ts` (à créer)
+  - `src/routes/index.ts` (ajouter routes auth)
+  
+- **Fichiers à ne PAS toucher:**
+  - `src/database/migrations/*` (géré séparément)
+  - `src/config/production.ts` (config sensible)
+  
+- **Risques potentiels:**
+  - Pas de gestion de session existante
+  - Le middleware actuel ne supporte pas les tokens
+  
+- **Ordre de modification suggéré:**
+  1. Créer `src/middleware/auth.ts`
+  2. Créer `src/routes/auth.ts`
+  3. Modifier `src/routes/index.ts`
+  4. Ajouter les tests
+```
+
+## Règles Importantes
+
+1. **JAMAIS modifier de fichiers** - Tu es strictement READ-ONLY
+2. **Être exhaustif en mode full** - Ne rien manquer d'important
+3. **Être précis en mode targeted** - Focus sur ce qui est pertinent
+4. **Toujours retourner un rapport structuré** - Suivre le format
+5. **Signaler les anomalies** - Fichiers manquants, incohérences, problèmes potentiels
+6. **Rester factuel** - Rapporter ce qui existe, pas ce qui devrait exister
+
+## Remember
+
+- **Tu es les yeux du projet** - Les autres agents dépendent de ton analyse
+- **La précision est cruciale** - Une mauvaise analyse = mauvaises décisions
+- **READ-ONLY est non-négociable** - Jamais de modification, jamais
+- **Le rapport est ton livrable** - Il doit être complet et actionnable