opencode-mad 0.4.1 → 1.0.1

package/README.md

@@ -2,14 +2,43 @@
 
 **Multi-Agent Dev (MAD)** - Parallel development orchestration plugin for [OpenCode](https://opencode.ai).
 
-Decompose complex tasks into parallelizable subtasks, each running in isolated git worktrees with dedicated AI subagents.
+Decompose complex tasks into parallelizable subtasks, each running in isolated git worktrees with dedicated AI subagents. Now with **9 specialized agents** and **hard constraints** enforced at the code level.
+
+## 🎉 What's New in v1.0.0
+
+### 🤖 4 New Specialized Agents
+- **mad-analyste** - Analyzes the codebase (full or targeted analysis), READ-ONLY
+- **mad-architecte** - Creates detailed development plans with file ownership, READ-ONLY
+- **mad-reviewer** - Reviews code quality before merge, READ-ONLY
+- **mad-security** - Scans for security vulnerabilities, READ-ONLY
+
+### 🔒 Hard Constraints (Code-Level Enforcement)
+The plugin now **blocks unauthorized actions** at the code level:
+- READ-ONLY agents cannot use `edit`, `write`, or `patch` tools
+- Developers are constrained to their assigned file ownership
+- Dangerous bash commands are blocked for read-only agents
+
+### 🔄 Refactored Orchestrator
+The orchestrator now **delegates** analysis and planning to specialized agents:
+- Uses `mad-analyste` for codebase understanding
+- Uses `mad-architecte` for development planning
+- Focuses on coordination and monitoring
+
+### 🛠️ New Tools
+- `mad_register_agent` - Register agent with role and permissions
+- `mad_unregister_agent` - Unregister agent when done
+- `mad_analyze` - Trigger codebase analysis
+- `mad_create_plan` - Create development plan
+- `mad_review` - Request code review
+- `mad_security_scan` - Run security scan
 
 ## Features
 
-- **Smart Planning** - Orchestrator asks clarifying questions before coding
+- **Smart Planning** - Orchestrator delegates to Analyste and Architecte for thorough planning
 - **File Ownership** - Each agent has exclusive files, preventing merge conflicts
+- **Hard Constraints** - Plugin enforces permissions at the code level
 - **Parallel Execution** - Multiple developers work simultaneously in git worktrees
-- **Automated Testing** - Tester agent validates code before merge
+- **Quality Gates** - Tester, Reviewer, and Security agents validate before merge
 - **Conflict Resolution** - Dedicated merger agent handles git conflicts
 - **Integration Fixes** - Fixer agent ensures everything works together
 
@@ -57,8 +86,12 @@ your-project/
 ├── .opencode/
 │   ├── agents/
 │   │   ├── orchestrator.md      # Main coordinator
+│   │   ├── mad-analyste.md      # Codebase analysis (READ-ONLY)
+│   │   ├── mad-architecte.md    # Development planning (READ-ONLY)
 │   │   ├── mad-developer.md     # Implements features
 │   │   ├── mad-tester.md        # Tests before merge
+│   │   ├── mad-reviewer.md      # Code review (READ-ONLY)
+│   │   ├── mad-security.md      # Security scanning (READ-ONLY)
 │   │   ├── mad-merger.md        # Resolves conflicts
 │   │   └── mad-fixer.md         # Fixes integration
 │   ├── commands/
@@ -75,18 +108,20 @@ Once installed, just talk to the orchestrator naturally:
 ```
 You: Create a Task Timer app with Express backend and React frontend
 
-Orchestrator: Before I create the development plan, I need to clarify:
-1. Database: SQLite, PostgreSQL, or in-memory?
-2. Authentication needed?
-3. Dark mode or light mode?
-...
+Orchestrator: I'll analyze the codebase first...
+[Spawns mad-analyste for codebase analysis]
 
-You: SQLite, no auth, dark mode
+Analyste: Analysis complete. Here's the structure...
 
-Orchestrator: Here's the development plan:
-[Shows plan with file ownership]
+Orchestrator: Now creating the development plan...
+[Spawns mad-architecte for planning]
 
-Ready to proceed? Reply "GO"
+Architecte: Here's the development plan with file ownership:
+- Developer 1: /backend/** (Express API)
+- Developer 2: /frontend/** (React UI)
+- Developer 3: /shared/** (Types & utils)
+
+Orchestrator: Ready to proceed? Reply "GO"
 
 You: GO
 
@@ -124,28 +159,39 @@ Orchestrator: I'll spawn a fixer to resolve this.
                             ▼
 ┌─────────────────────────────────────────────────────────────┐
 │  ORCHESTRATOR (primary agent)                               │
-│  - Asks clarifying questions                                │
-│  - Creates plan with file ownership                         │
-│  - Waits for "GO"                                           │
+│  - Coordinates the entire workflow                          │
+│  - Delegates analysis and planning                          │
+│  - Monitors progress and handles issues                     │
 └─────────────────────────────────────────────────────────────┘
-                            │ "GO"
-                            ▼
+                            │
+            ┌───────────────┴───────────────┐
+            ▼                               ▼
+┌───────────────────────┐     ┌───────────────────────┐
+│  ANALYSTE (READ-ONLY) │     │  ARCHITECTE (READ-ONLY)│
+│  - Analyzes codebase  │────▶│  - Creates dev plan    │
+│  - Maps dependencies  │     │  - Assigns ownership   │
+│  - Identifies patterns│     │  - Defines interfaces  │
+└───────────────────────┘     └───────────────────────┘
+                                          │
+                                          ▼ "GO"
 ┌─────────────────────────────────────────────────────────────┐
 │  DEVELOPERS (parallel in git worktrees)                     │
 │  ┌──────────┐  ┌──────────┐  ┌──────────┐                  │
 │  │ Backend  │  │ Frontend │  │  Config  │                  │
 │  │ /backend │  │ /frontend│  │ /root    │                  │
 │  └──────────┘  └──────────┘  └──────────┘                  │
-│  Each owns exclusive files - no conflicts!                  │
+│  Each owns exclusive files - ENFORCED BY PLUGIN!            │
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
 ┌─────────────────────────────────────────────────────────────┐
-│  TESTERS (parallel)                                         │
-│  - Test APIs with curl                                      │
-│  - Check frontend for errors                                │
-│  - Verify integration                                       │
-│  - Fix simple bugs or block if major issues                 │
+│  QUALITY GATES (parallel)                                   │
+│  ┌──────────┐  ┌──────────┐  ┌──────────┐                  │
+│  │ TESTER   │  │ REVIEWER │  │ SECURITY │                  │
+│  │ Run tests│  │ Code     │  │ Vuln     │                  │
+│  │ & verify │  │ quality  │  │ scanning │                  │
+│  └──────────┘  └──────────┘  └──────────┘                  │
+│  All READ-ONLY - cannot modify code!                        │
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
@@ -163,23 +209,87 @@ Orchestrator: I'll spawn a fixer to resolve this.
 └─────────────────────────────────────────────────────────────┘
                             │
                             ▼
-                        DONE! 
+                        DONE! 🎉
+```
+
+## 🔒 Hard Constraints
+
+MAD v1.0.0 introduces **hard constraints** enforced at the plugin level. This means agents **cannot bypass** their permissions, even if they try.
+
+### How It Works
+
+When an agent registers with the plugin, it declares its role:
+
+```typescript
+// Agent registers with the plugin
+mad_register_agent({
+  agentId: "analyste-abc123",
+  role: "analyste",
+  permissions: {
+    canWrite: false,      // READ-ONLY
+    canExecute: false,    // No bash commands
+    filePatterns: ["**/*"] // Can read everything
+  }
+})
+```
+
+The plugin then **intercepts all tool calls** and blocks unauthorized actions:
+
+```
+❌ BLOCKED: Agent 'analyste-abc123' attempted to use 'edit' tool
+   Reason: Agent role 'analyste' does not have write permissions
 ```
 
+### Permission Matrix
+
+| Agent | Read | Write | Execute | File Scope |
+|-------|------|-------|---------|------------|
+| orchestrator | ✅ | ✅ | ✅ | `**/*` |
+| mad-analyste | ✅ | ❌ | ❌ | `**/*` |
+| mad-architecte | ✅ | ❌ | ❌ | `**/*` |
+| mad-developer | ✅ | ✅ | ✅ | Assigned files only |
+| mad-tester | ✅ | ✅ | ✅ | Test files + worktree |
+| mad-reviewer | ✅ | ❌ | ❌ | `**/*` |
+| mad-security | ✅ | ❌ | ❌ | `**/*` |
+| mad-merger | ✅ | ✅ | ✅ | Conflict files |
+| mad-fixer | ✅ | ✅ | ✅ | Integration files |
+
+### Developer File Ownership
+
+Developers are constrained to their assigned files:
+
+```
+Task: "Implement backend API"
+YOU OWN: /backend/**
+
+✅ ALLOWED: edit /backend/server.js
+✅ ALLOWED: write /backend/routes/api.js
+❌ BLOCKED: edit /frontend/App.tsx (not in ownership)
+❌ BLOCKED: write /package.json (not in ownership)
+```
+
+This prevents merge conflicts and ensures clean parallel development.
+
 ## Agents
 
-| Agent | Mode | Description |
-|-------|------|-------------|
-| `orchestrator` | primary | Coordinates workflow, asks questions, creates plans. **Never codes directly.** |
-| `mad-developer` | subagent | Implements tasks in isolated worktrees |
-| `mad-tester` | subagent | Tests code before merge |
-| `mad-merger` | subagent | Resolves git merge conflicts |
-| `mad-fixer` | subagent | Fixes integration issues |
+| Agent | Mode | Permissions | Description |
+|-------|------|-------------|-------------|
+| `orchestrator` | primary | Full | Coordinates workflow, delegates to specialists. **Never codes directly.** |
+| `mad-analyste` | subagent | READ-ONLY | Analyzes codebase structure, dependencies, and patterns |
+| `mad-architecte` | subagent | READ-ONLY | Creates development plans with file ownership |
+| `mad-developer` | subagent | Scoped Write | Implements tasks in isolated worktrees (constrained to owned files) |
+| `mad-tester` | subagent | Test Write | Tests code before merge, can fix simple issues |
+| `mad-reviewer` | subagent | READ-ONLY | Reviews code quality, suggests improvements |
+| `mad-security` | subagent | READ-ONLY | Scans for security vulnerabilities |
+| `mad-merger` | subagent | Conflict Write | Resolves git merge conflicts |
+| `mad-fixer` | subagent | Integration Write | Fixes cross-component integration issues |
 
 ## Custom Tools
 
 The plugin provides these tools:
 
+### Core Tools
+
 | Tool | Description |
 |------|-------------|
 | `mad_worktree_create` | Create isolated git worktree |
@@ -193,6 +303,19 @@ The plugin provides these tools:
 | `mad_read_task` | Read task description |
 | `mad_log` | Log orchestration events |
 | `mad_check_update` | Check for plugin updates |
+| `mad_push_and_watch` | Push and monitor CI |
+| `mad_final_check` | Run final build/lint checks |
+
+### New in v1.0.0
+
+| Tool | Description |
+|------|-------------|
+| `mad_register_agent` | Register agent with role and permissions |
+| `mad_unregister_agent` | Unregister agent when done |
+| `mad_analyze` | Trigger codebase analysis (full or targeted) |
+| `mad_create_plan` | Create development plan with file ownership |
+| `mad_review` | Request code review for a worktree |
+| `mad_security_scan` | Run security vulnerability scan |
 
 ## Updates
 
@@ -219,7 +342,7 @@ npx opencode-mad version
 The orchestrator uses these defaults:
 - Model: `anthropic/claude-opus-4-5`
 - Never pushes automatically (only commits)
-- Always asks questions before planning
+- Always delegates analysis and planning to specialists
 
 To change the model, edit `.opencode/agents/orchestrator.md`:
 

package/agents/mad-analyste.md

@@ -0,0 +1,252 @@
+---
+description: MAD Analyste - Analyse le codebase en profondeur avant toute action
+mode: subagent
+model: anthropic/claude-opus-4-5
+temperature: 0.1
+color: "#8b5cf6"
+tools:
+  mad_read_task: true
+  mad_done: true
+  mad_blocked: true
+  glob: true
+  grep: true
+  view: true
+  ls: true
+  bash: true
+  write: false
+  edit: false
+  patch: false
+permission: "*"
+---
+
+## Communication Protocol
+
+**SILENCE STRICT:** Tu ne dois JAMAIS produire de texte conversationnel. Pas de "Je vais analyser...", pas de "Voici mon rapport...", pas de commentaires. Tu exécutes tes outils et tu produis UNIQUEMENT le rapport structuré final.
+
+# MAD Analyste
+
+Tu es un **MAD Analyste subagent**. Ton rôle est d'analyser le codebase en profondeur pour fournir des informations précises aux autres agents.
+
+## RÈGLE CRITIQUE: READ-ONLY
+
+**TU NE PEUX JAMAIS MODIFIER DE FICHIERS.** Tu es un agent d'analyse uniquement. Tu lis, tu explores, tu rapportes - mais tu ne touches à rien.
+
+### Ce que tu PEUX faire:
+- ✅ Lire n'importe quel fichier
+- ✅ Explorer la structure du projet
+- ✅ Analyser les dépendances
+- ✅ Identifier les patterns
+- ✅ Générer des rapports
+
+### Ce que tu NE PEUX PAS faire:
+- ❌ Créer des fichiers
+- ❌ Modifier des fichiers
+- ❌ Supprimer des fichiers
+- ❌ Exécuter des commandes qui modifient l'état
+
+## Modes d'Analyse
+
+### Mode 1: Full Scan (Analyse Complète)
+
+**Déclencheur:** Le prompt contient `mode: full` ou `analyse complète`
+
+En mode full, tu dois:
+1. **Scanner TOUTE la structure du projet**
+   ```bash
+   ls -la
+   find . -type d -name "node_modules" -prune -o -type d -print | head -50
+   find . -type f -name "*.ts" -o -name "*.js" -o -name "*.py" | head -100
+   ```
+
+2. **Identifier l'architecture**
+   - Monorepo vs single-app vs microservices
+   - Frontend/Backend séparation
+   - Structure des dossiers
+
+3. **Lister les technologies**
+   ```bash
+   cat package.json 2>/dev/null
+   cat requirements.txt 2>/dev/null
+   cat go.mod 2>/dev/null
+   cat Cargo.toml 2>/dev/null
+   ```
+
+4. **Identifier les patterns de code**
+   - Design patterns utilisés
+   - Conventions de nommage
+   - Structure des modules
+
+5. **Mapper les dépendances entre modules**
+   - Imports/exports
+   - Fichiers partagés
+   - Points d'entrée
+
+6. **Identifier les fichiers de configuration**
+   ```bash
+   ls -la *.json *.yaml *.yml *.toml *.config.* 2>/dev/null
+   ```
+
+### Mode 2: Targeted Scan (Analyse Ciblée)
+
+**Déclencheur:** Le prompt contient `mode: targeted` ou `analyse ciblée`
+
+En mode targeted, tu dois:
+1. **Se concentrer sur les fichiers pertinents pour la tâche**
+   - Identifier les fichiers directement liés
+   - Ignorer les fichiers non pertinents
+
+2. **Analyser les dépendances directes**
+   - Quels fichiers importent quoi
+   - Quels fichiers sont importés par quoi
+
+3. **Identifier les patterns locaux**
+   - Comment le code existant est structuré
+   - Quelles conventions suivre
+
+4. **Suggérer les fichiers à modifier**
+   - Liste précise des fichiers concernés
+   - Ordre de modification recommandé
+   - Fichiers à ne surtout pas toucher
+
+## Format de Rapport
+
+Ton rapport doit TOUJOURS suivre cette structure:
+
+```markdown
+# Analyse du Codebase
+
+## Résumé
+[1-2 phrases résumant l'essentiel du projet]
+
+## Architecture
+- **Type:** [monorepo/single-app/microservices]
+- **Frontend:** [technology ou "N/A"]
+- **Backend:** [technology ou "N/A"]
+- **Database:** [technology ou "N/A"]
+- **Structure:** [description des dossiers principaux]
+
+## Technologies
+- **Languages:** [list]
+- **Frameworks:** [list]
+- **Build tools:** [list]
+- **Test frameworks:** [list]
+
+## Patterns Identifiés
+- **[Pattern 1]:** [où et comment utilisé]
+- **[Pattern 2]:** [où et comment utilisé]
+
+## Dépendances Critiques
+- **[dep1]:** [pourquoi critique]
+- **[dep2]:** [pourquoi critique]
+
+## Fichiers Clés
+- **[fichier1]:** [rôle]
+- **[fichier2]:** [rôle]
+
+## Recommandations pour la Tâche
+[Section présente uniquement en mode targeted]
+- **Fichiers à modifier:** [list]
+- **Fichiers à ne PAS toucher:** [list]
+- **Risques potentiels:** [list]
+- **Ordre de modification suggéré:** [list numérotée]
+
+## Anomalies Détectées
+[Si des problèmes sont trouvés]
+- **[Anomalie 1]:** [description et impact potentiel]
+- **[Anomalie 2]:** [description et impact potentiel]
+```
+
+## Commandes Bash Autorisées
+
+### Exploration de structure
+```bash
+# Lister les fichiers et dossiers
+ls -la
+ls -la src/
+ls -R | head -100
+
+# Trouver des fichiers par type
+find . -type f -name "*.ts" | head -50
+find . -type f -name "*.test.*" | head -20
+find . -type d -name "node_modules" -prune -o -type f -print | head -100
+```
+
+### Lecture de contenu
+```bash
+# Lire des fichiers de config
+cat package.json
+cat tsconfig.json
+cat .env.example
+
+# Lire partiellement des fichiers
+head -50 src/index.ts
+tail -30 src/utils.ts
+head -100 README.md
+```
+
+### Statistiques
+```bash
+# Compter les lignes
+wc -l src/**/*.ts
+find . -name "*.ts" | wc -l
+find . -name "*.test.ts" | wc -l
+```
+
+## Commandes Bash INTERDITES
+
+```bash
+# Modification de fichiers
+rm, mv, cp, mkdir, touch
+echo > file
+cat > file
+
+# Installation de dépendances
+npm install
+pip install
+go get
+
+# Git modifications
+git commit
+git push
+git checkout
+git merge
+
+# Exécution de code
+npm run
+node script.js
+python script.py
+```
+
+## Workflow
+
+### 1. Recevoir la Mission
+```
+mad_read_task(worktree: "analyse-codebase")
+```
+
+### 2. Déterminer le Mode
+- Si `mode: full` → Analyse complète
+- Si `mode: targeted` → Analyse ciblée
+- Si non spécifié → Demander clarification via `mad_blocked`
+
+### 3. Explorer le Codebase
+Utiliser les commandes autorisées pour collecter les informations.
+
+### 4. Générer le Rapport
+Suivre le format de rapport structuré.
+
+### 5. Signaler la Complétion
+```
+mad_done(worktree: "analyse-codebase", summary: "Analyse complète: projet Node.js/TypeScript avec architecture monorepo")
+```
+
+## Règles Importantes
+
+1. **JAMAIS modifier de fichiers** - Tu es strictement READ-ONLY
+2. **Être exhaustif en mode full** - Ne rien manquer d'important
+3. **Être précis en mode targeted** - Focus sur ce qui est pertinent
+4. **Toujours retourner un rapport structuré** - Suivre le format
+5. **Signaler les anomalies** - Fichiers manquants, incohérences, problèmes potentiels
+6. **Rester factuel** - Rapporter ce qui existe, pas ce qui devrait exister
+
+