opencode-swarm 6.45.1 → 6.46.0

package/README.md

@@ -601,6 +601,117 @@ Per-agent overrides:
 
 </details>
 
+<details>
+<summary><strong>File Authority (Per-Agent Write Permissions)</strong></summary>
+
+Swarm enforces per-agent file write authority — each agent can only write to specific paths. By default, these rules are hardcoded, but you can override them via config.
+
+### Default Rules
+
+| Agent | Can Write | Blocked | Zones |
+|-------|-----------|---------|-------|
+| `architect` | Everything (except plan files) | `.swarm/plan.md`, `.swarm/plan.json` | `generated` |
+| `coder` | `src/`, `tests/`, `docs/`, `scripts/` | `.swarm/` (entire directory) | `generated`, `config` |
+| `reviewer` | `.swarm/evidence/`, `.swarm/outputs/` | `src/`, `.swarm/plan.md`, `.swarm/plan.json` | `generated` |
+| `test_engineer` | `tests/`, `.swarm/evidence/` | `src/`, `.swarm/plan.md`, `.swarm/plan.json` | `generated` |
+| `explorer` | Read-only | Everything | — |
+| `sme` | Read-only | Everything | — |
+| `docs` | `docs/`, `.swarm/outputs/` | — | `generated` |
+| `designer` | `docs/`, `.swarm/outputs/` | — | `generated` |
+| `critic` | `.swarm/evidence/` | — | `generated` |
+
+### Prefixed Agents
+
+Prefixed agents (e.g., `paid_coder`, `mega_reviewer`, `local_architect`) inherit defaults from their canonical base agent via `stripKnownSwarmPrefix`. The lookup order is:
+
+1. Exact match for the prefixed name (if explicitly defined in user config)
+2. Fall back to the canonical agent's defaults (e.g., `paid_coder` → `coder`)
+
+```json
+{
+  "authority": {
+    "rules": {
+      "coder": { "allowedPrefix": ["src/", "lib/"] },
+      "paid_coder": { "allowedPrefix": ["vendor/", "plugins/"] }
+    }
+  }
+}
+```
+
+In this example, `paid_coder` gets its own explicit rule, while other prefixed coders (e.g., `mega_coder`) fall back to `coder`.
+
+### Runtime Enforcement
+
+Architect direct writes are enforced at runtime via `toolBefore` hook. This tracks writes to source code paths outside `.swarm/` and protects `.swarm/plan.md` and `.swarm/plan.json` from direct modification.
+
+### Configuration
+
+Override default rules in `.opencode/opencode-swarm.json`:
+
+```json
+{
+  "authority": {
+    "enabled": true,
+    "rules": {
+      "coder": {
+        "allowedPrefix": ["src/", "lib/", "scripts/"],
+        "blockedPrefix": [".swarm/"],
+        "blockedZones": ["generated"]
+      },
+      "explorer": {
+        "readOnly": false,
+        "allowedPrefix": ["notes/", "scratch/"]
+      }
+    }
+  }
+}
+```
+
+### Rule Fields
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `readOnly` | boolean | If `true`, agent cannot write anywhere |
+| `blockedExact` | string[] | Exact file paths that are blocked |
+| `blockedPrefix` | string[] | Path prefixes that are blocked (e.g., `.swarm/`) |
+| `allowedPrefix` | string[] | Only these path prefixes are allowed. Omit to remove restriction; set `[]` to deny all |
+| `blockedZones` | string[] | File zones to block: `production`, `test`, `config`, `generated`, `docs`, `build` |
+
+### Merge Behavior
+
+- User rules **override** hardcoded defaults for the specified agent
+- Scalar fields (`readOnly`) — user value replaces default
+- Array fields (`blockedPrefix`, `allowedPrefix`, etc.) — user array **replaces** entirely (not merged)
+- If a field is omitted in the user rule for a **known agent** (one with hardcoded defaults), the default value for that field is preserved
+- If a field is omitted in the user rule for a **custom agent** (not in the defaults list), that field is `undefined` — there are no defaults to inherit
+- `allowedPrefix: []` explicitly denies all writes; omitting `allowedPrefix` entirely means no allowlist restriction is applied (all paths are evaluated against blocklist rules only)
+- Setting `enabled: false` ignores all custom rules and uses hardcoded defaults
+
+### Custom Agents
+
+Custom agents (not in the defaults list) start with no rules. Their write authority depends entirely on what you configure:
+
+- **Not in config at all** — agent is denied with `Unknown agent` (no rule exists; this is not the same as "blocked from all writes")
+- **In config without `allowedPrefix`** — no allowlist restriction applies; only any `blockedPrefix`, `blockedZones`, or `readOnly` rules you explicitly set will enforce limits
+- **In config with `allowedPrefix: []`** — all writes are denied
+
+To safely restrict a custom agent, always set `allowedPrefix` explicitly:
+
+```json
+{
+  "authority": {
+    "rules": {
+      "my_custom_agent": {
+        "allowedPrefix": ["plugins/", "extensions/"],
+        "blockedZones": ["generated"]
+      }
+    }
+  }
+}
+```
+
+</details>
+
 <details>
 <summary><strong>Context Budget Guard</strong></summary>
 
@@ -780,6 +891,16 @@ Config file location: `~/.config/opencode/opencode-swarm.json` (global) or `.ope
       "coder": { "max_tool_calls": 500 }
     }
   },
+  "authority": {
+    "enabled": true,
+    "rules": {
+      "coder": {
+        "allowedPrefix": ["src/", "lib/"],
+        "blockedPrefix": [".swarm/"],
+        "blockedZones": ["generated"]
+      }
+    }
+  },
   "review_passes": {
     "always_security_review": false,
     "security_globs": ["**/*auth*", "**/*crypto*", "**/*session*"]

package/dist/cli/index.js

@@ -18649,6 +18649,17 @@ var CompactionConfigSchema = exports_external.object({
   emergencyThreshold: exports_external.number().min(1).max(99).default(80),
   preserveLastNTurns: exports_external.number().int().min(1).default(5)
 });
+var AgentAuthorityRuleSchema = exports_external.object({
+  readOnly: exports_external.boolean().optional(),
+  blockedExact: exports_external.array(exports_external.string()).optional(),
+  blockedPrefix: exports_external.array(exports_external.string()).optional(),
+  allowedPrefix: exports_external.array(exports_external.string()).optional(),
+  blockedZones: exports_external.array(exports_external.enum(["production", "test", "config", "generated", "docs", "build"])).optional()
+});
+var AuthorityConfigSchema = exports_external.object({
+  enabled: exports_external.boolean().default(true),
+  rules: exports_external.record(exports_external.string(), AgentAuthorityRuleSchema).default({})
+});
 var PluginConfigSchema = exports_external.object({
   agents: exports_external.record(exports_external.string(), AgentOverrideConfigSchema).optional(),
   swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
@@ -18665,6 +18676,7 @@ var PluginConfigSchema = exports_external.object({
   watchdog: WatchdogConfigSchema.optional(),
   self_review: SelfReviewConfigSchema.optional(),
   tool_filter: ToolFilterConfigSchema.optional(),
+  authority: AuthorityConfigSchema.optional(),
   plan_cursor: PlanCursorConfigSchema.optional(),
   evidence: EvidenceConfigSchema.optional(),
   summaries: SummaryConfigSchema.optional(),

package/dist/config/evidence-schema.d.ts

@@ -8,6 +8,7 @@ export declare const EvidenceTypeSchema: z.ZodEnum<{
     quality_budget: "quality_budget";
     placeholder: "placeholder";
     test: "test";
+    build: "build";
     review: "review";
     approval: "approval";
     note: "note";
@@ -15,7 +16,6 @@ export declare const EvidenceTypeSchema: z.ZodEnum<{
     syntax: "syntax";
     sast: "sast";
     sbom: "sbom";
-    build: "build";
 }>;
 export type EvidenceType = z.infer<typeof EvidenceTypeSchema>;
 export declare const EvidenceVerdictSchema: z.ZodEnum<{
@@ -34,6 +34,7 @@ export declare const BaseEvidenceSchema: z.ZodObject<{
         quality_budget: "quality_budget";
         placeholder: "placeholder";
         test: "test";
+        build: "build";
         review: "review";
         approval: "approval";
         note: "note";
@@ -41,7 +42,6 @@ export declare const BaseEvidenceSchema: z.ZodObject<{
         syntax: "syntax";
         sast: "sast";
         sbom: "sbom";
-        build: "build";
     }>;
     timestamp: z.ZodString;
     agent: z.ZodString;

package/dist/config/schema.d.ts

@@ -468,6 +468,39 @@ export declare const CompactionConfigSchema: z.ZodObject<{
     preserveLastNTurns: z.ZodDefault<z.ZodNumber>;
 }, z.core.$strip>;
 export type CompactionConfig = z.infer<typeof CompactionConfigSchema>;
+export declare const AgentAuthorityRuleSchema: z.ZodObject<{
+    readOnly: z.ZodOptional<z.ZodBoolean>;
+    blockedExact: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    blockedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    allowedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    blockedZones: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+        docs: "docs";
+        production: "production";
+        test: "test";
+        config: "config";
+        generated: "generated";
+        build: "build";
+    }>>>;
+}, z.core.$strip>;
+export type AgentAuthorityRule = z.infer<typeof AgentAuthorityRuleSchema>;
+export declare const AuthorityConfigSchema: z.ZodObject<{
+    enabled: z.ZodDefault<z.ZodBoolean>;
+    rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+        readOnly: z.ZodOptional<z.ZodBoolean>;
+        blockedExact: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        blockedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        allowedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+        blockedZones: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+            docs: "docs";
+            production: "production";
+            test: "test";
+            config: "config";
+            generated: "generated";
+            build: "build";
+        }>>>;
+    }, z.core.$strip>>>;
+}, z.core.$strip>;
+export type AuthorityConfig = z.infer<typeof AuthorityConfigSchema>;
 export declare const PluginConfigSchema: z.ZodObject<{
     agents: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         model: z.ZodOptional<z.ZodString>;
@@ -627,6 +660,23 @@ export declare const PluginConfigSchema: z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
         overrides: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString>>>;
     }, z.core.$strip>>;
+    authority: z.ZodOptional<z.ZodObject<{
+        enabled: z.ZodDefault<z.ZodBoolean>;
+        rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
+            readOnly: z.ZodOptional<z.ZodBoolean>;
+            blockedExact: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            allowedPrefix: z.ZodOptional<z.ZodArray<z.ZodString>>;
+            blockedZones: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+                docs: "docs";
+                production: "production";
+                test: "test";
+                config: "config";
+                generated: "generated";
+                build: "build";
+            }>>>;
+        }, z.core.$strip>>>;
+    }, z.core.$strip>>;
     plan_cursor: z.ZodOptional<z.ZodObject<{
         enabled: z.ZodDefault<z.ZodBoolean>;
         max_tokens: z.ZodDefault<z.ZodNumber>;

package/dist/hooks/guardrails.d.ts

@@ -6,7 +6,7 @@
  * - Layer 1 (Soft Warning @ warning_threshold): Sets warning flag for messagesTransform to inject warning
  * - Layer 2 (Hard Block @ 100%): Throws error in toolBefore to block further calls, injects STOP message
  */
-import { type GuardrailsConfig } from '../config/schema';
+import { type AuthorityConfig, type GuardrailsConfig } from '../config/schema';
 import { type FileZone } from '../context/zone-classifier';
 /**
  * Retrieves stored input args for a given callID.
@@ -34,7 +34,7 @@ export declare function deleteStoredInputArgs(callID: string): void;
  * @param config Guardrails configuration (optional)
  * @returns Tool before/after hooks and messages transform hook
  */
-export declare function createGuardrailsHooks(directory: string, directoryOrConfig?: string | GuardrailsConfig, config?: GuardrailsConfig): {
+export declare function createGuardrailsHooks(directory: string, directoryOrConfig?: string | GuardrailsConfig, config?: GuardrailsConfig, authorityConfig?: AuthorityConfig): {
     toolBefore: (input: {
         tool: string;
         sessionID: string;
@@ -103,13 +103,22 @@ export declare function validateAndRecordAttestation(dir: string, findingId: str
     valid: false;
     reason: string;
 }>;
+type AgentRule = {
+    readOnly?: boolean;
+    blockedExact?: string[];
+    blockedPrefix?: string[];
+    allowedPrefix?: string[];
+    blockedZones?: FileZone[];
+};
+export declare const DEFAULT_AGENT_AUTHORITY_RULES: Record<string, AgentRule>;
 /**
  * Checks whether the given agent is authorised to write to the given file path.
  */
-export declare function checkFileAuthority(agentName: string, filePath: string, cwd: string): {
+export declare function checkFileAuthority(agentName: string, filePath: string, cwd: string, authorityConfig?: AuthorityConfig): {
     allowed: true;
 } | {
     allowed: false;
     reason: string;
     zone?: FileZone;
 };
+export {};

package/dist/hooks/index.d.ts

@@ -6,7 +6,7 @@ export { createDelegationGateHook } from './delegation-gate';
 export { createDelegationSanitizerHook } from './delegation-sanitizer';
 export { createDelegationTrackerHook } from './delegation-tracker';
 export { extractCurrentPhase, extractCurrentPhaseFromPlan, extractCurrentTask, extractCurrentTaskFromPlan, extractDecisions, extractIncompleteTasks, extractIncompleteTasksFromPlan, extractPatterns, } from './extractors';
-export { createGuardrailsHooks } from './guardrails';
+export { checkFileAuthority, createGuardrailsHooks, DEFAULT_AGENT_AUTHORITY_RULES, } from './guardrails';
 export { classifyMessage, classifyMessages, containsPlanContent, isDuplicateToolRead, isStaleError, isToolResult, MessagePriority, type MessagePriorityType, type MessageWithParts, } from './message-priority';
 export { consolidateSystemMessages } from './messages-transform';
 export { extractModelInfo, NATIVE_MODEL_LIMITS, PROVIDER_CAPS, resolveModelLimit, } from './model-limits';

package/dist/index.js

@@ -14573,7 +14573,7 @@ function resolveGuardrailsConfig(config2, agentName) {
   };
   return resolved;
 }
-var KNOWN_SWARM_PREFIXES, SEPARATORS, AgentOverrideConfigSchema, SwarmConfigSchema, HooksConfigSchema, ScoringWeightsSchema, DecisionDecaySchema, TokenRatiosSchema, ScoringConfigSchema, ContextBudgetConfigSchema, EvidenceConfigSchema, GateFeatureSchema, PlaceholderScanConfigSchema, QualityBudgetConfigSchema, GateConfigSchema, PipelineConfigSchema, PhaseCompleteConfigSchema, SummaryConfigSchema, ReviewPassesConfigSchema, AdversarialDetectionConfigSchema, AdversarialTestingConfigSchemaBase, AdversarialTestingConfigSchema, IntegrationAnalysisConfigSchema, DocsConfigSchema, UIReviewConfigSchema, CompactionAdvisoryConfigSchema, LintConfigSchema, SecretscanConfigSchema, GuardrailsProfileSchema, DEFAULT_AGENT_PROFILES, DEFAULT_ARCHITECT_PROFILE, GuardrailsConfigSchema, WatchdogConfigSchema, SelfReviewConfigSchema, ToolFilterConfigSchema, PlanCursorConfigSchema, CheckpointConfigSchema, AutomationModeSchema, AutomationCapabilitiesSchema, AutomationConfigSchemaBase, AutomationConfigSchema, KnowledgeConfigSchema, CuratorConfigSchema, SlopDetectorConfigSchema, IncrementalVerifyConfigSchema, CompactionConfigSchema, PluginConfigSchema;
+var KNOWN_SWARM_PREFIXES, SEPARATORS, AgentOverrideConfigSchema, SwarmConfigSchema, HooksConfigSchema, ScoringWeightsSchema, DecisionDecaySchema, TokenRatiosSchema, ScoringConfigSchema, ContextBudgetConfigSchema, EvidenceConfigSchema, GateFeatureSchema, PlaceholderScanConfigSchema, QualityBudgetConfigSchema, GateConfigSchema, PipelineConfigSchema, PhaseCompleteConfigSchema, SummaryConfigSchema, ReviewPassesConfigSchema, AdversarialDetectionConfigSchema, AdversarialTestingConfigSchemaBase, AdversarialTestingConfigSchema, IntegrationAnalysisConfigSchema, DocsConfigSchema, UIReviewConfigSchema, CompactionAdvisoryConfigSchema, LintConfigSchema, SecretscanConfigSchema, GuardrailsProfileSchema, DEFAULT_AGENT_PROFILES, DEFAULT_ARCHITECT_PROFILE, GuardrailsConfigSchema, WatchdogConfigSchema, SelfReviewConfigSchema, ToolFilterConfigSchema, PlanCursorConfigSchema, CheckpointConfigSchema, AutomationModeSchema, AutomationCapabilitiesSchema, AutomationConfigSchemaBase, AutomationConfigSchema, KnowledgeConfigSchema, CuratorConfigSchema, SlopDetectorConfigSchema, IncrementalVerifyConfigSchema, CompactionConfigSchema, AgentAuthorityRuleSchema, AuthorityConfigSchema, PluginConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   init_constants();
@@ -15047,6 +15047,17 @@ var init_schema = __esm(() => {
     emergencyThreshold: exports_external.number().min(1).max(99).default(80),
     preserveLastNTurns: exports_external.number().int().min(1).default(5)
   });
+  AgentAuthorityRuleSchema = exports_external.object({
+    readOnly: exports_external.boolean().optional(),
+    blockedExact: exports_external.array(exports_external.string()).optional(),
+    blockedPrefix: exports_external.array(exports_external.string()).optional(),
+    allowedPrefix: exports_external.array(exports_external.string()).optional(),
+    blockedZones: exports_external.array(exports_external.enum(["production", "test", "config", "generated", "docs", "build"])).optional()
+  });
+  AuthorityConfigSchema = exports_external.object({
+    enabled: exports_external.boolean().default(true),
+    rules: exports_external.record(exports_external.string(), AgentAuthorityRuleSchema).default({})
+  });
   PluginConfigSchema = exports_external.object({
     agents: exports_external.record(exports_external.string(), AgentOverrideConfigSchema).optional(),
     swarms: exports_external.record(exports_external.string(), SwarmConfigSchema).optional(),
@@ -15063,6 +15074,7 @@ var init_schema = __esm(() => {
     watchdog: WatchdogConfigSchema.optional(),
     self_review: SelfReviewConfigSchema.optional(),
     tool_filter: ToolFilterConfigSchema.optional(),
+    authority: AuthorityConfigSchema.optional(),
     plan_cursor: PlanCursorConfigSchema.optional(),
     evidence: EvidenceConfigSchema.optional(),
     summaries: SummaryConfigSchema.optional(),
@@ -53558,7 +53570,7 @@ function isInDeclaredScope(filePath, scopeEntries, cwd) {
     return rel.length > 0 && !rel.startsWith("..") && !path35.isAbsolute(rel);
   });
 }
-function createGuardrailsHooks(directory, directoryOrConfig, config3) {
+function createGuardrailsHooks(directory, directoryOrConfig, config3, authorityConfig) {
   let guardrailsConfig;
   if (directory && typeof directory === "object" && "enabled" in directory) {
     console.warn("[guardrails] Legacy call without directory, falling back to process.cwd()");
@@ -53576,6 +53588,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
       messagesTransform: async () => {}
     };
   }
+  const precomputedAuthorityRules = buildEffectiveRules(authorityConfig);
   const cfg = guardrailsConfig;
   const requiredQaGates = cfg.qa_gates?.required_tools ?? [
     "diff",
@@ -53670,7 +53683,7 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
         if (typeof delegTargetPath === "string" && delegTargetPath.length > 0) {
           const agentName = swarmState.activeAgent.get(sessionID) ?? "unknown";
           const cwd = effectiveDirectory;
-          const authorityCheck = checkFileAuthority(agentName, delegTargetPath, cwd);
+          const authorityCheck = checkFileAuthorityWithRules(agentName, delegTargetPath, cwd, precomputedAuthorityRules);
           if (!authorityCheck.allowed) {
             throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${delegTargetPath}". Reason: ${authorityCheck.reason}`);
           }
@@ -53679,6 +53692,19 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
           }
         }
       }
+      if (tool3 === "apply_patch" || tool3 === "patch") {
+        const agentName = swarmState.activeAgent.get(sessionID) ?? "unknown";
+        const cwd = effectiveDirectory;
+        for (const p of extractPatchTargetPaths(tool3, args2)) {
+          const authorityCheck = checkFileAuthorityWithRules(agentName, p, cwd, precomputedAuthorityRules);
+          if (!authorityCheck.allowed) {
+            throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${p}" (via patch). Reason: ${authorityCheck.reason}`);
+          }
+          if (!currentSession.modifiedFilesThisCoderTask.includes(p)) {
+            currentSession.modifiedFilesThisCoderTask.push(p);
+          }
+        }
+      }
     } else if (isArchitect(sessionID)) {
       const coderDelegArgs = args2;
       const rawSubagentType = coderDelegArgs?.subagent_type;
@@ -53747,6 +53773,55 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
       }
     }
   }
+  function extractPatchTargetPaths(tool3, args2) {
+    if (tool3 !== "apply_patch" && tool3 !== "patch")
+      return [];
+    const toolArgs = args2;
+    const patchText = toolArgs?.input ?? toolArgs?.patch ?? (Array.isArray(toolArgs?.cmd) ? toolArgs.cmd[1] : undefined);
+    if (typeof patchText !== "string")
+      return [];
+    if (patchText.length > 1e6) {
+      throw new Error("WRITE BLOCKED: Patch payload exceeds 1 MB \u2014 authority cannot be verified for all modified paths. Split into smaller patches.");
+    }
+    const paths = new Set;
+    const patchPathPattern = /\*\*\*\s+(?:Update|Add|Delete)\s+File:\s*(.+)/gi;
+    const diffPathPattern = /\+\+\+\s+b\/(.+)/gm;
+    const gitDiffPathPattern = /^diff --git a\/(.+?) b\/(.+?)$/gm;
+    const minusPathPattern = /^---\s+a\/(.+)$/gm;
+    const traditionalMinusPattern = /^---\s+([^\s].+?)(?:\t.*)?$/gm;
+    const traditionalPlusPattern = /^\+\+\+\s+([^\s].+?)(?:\t.*)?$/gm;
+    for (const match of patchText.matchAll(patchPathPattern))
+      paths.add(match[1].trim());
+    for (const match of patchText.matchAll(diffPathPattern)) {
+      const p = match[1].trim();
+      if (p !== "/dev/null")
+        paths.add(p);
+    }
+    for (const match of patchText.matchAll(gitDiffPathPattern)) {
+      const aPath = match[1].trim();
+      const bPath = match[2].trim();
+      if (aPath !== "/dev/null")
+        paths.add(aPath);
+      if (bPath !== "/dev/null")
+        paths.add(bPath);
+    }
+    for (const match of patchText.matchAll(minusPathPattern)) {
+      const p = match[1].trim();
+      if (p !== "/dev/null")
+        paths.add(p);
+    }
+    for (const match of patchText.matchAll(traditionalMinusPattern)) {
+      const p = match[1].trim();
+      if (p !== "/dev/null" && !p.startsWith("a/") && !p.startsWith("b/"))
+        paths.add(p);
+    }
+    for (const match of patchText.matchAll(traditionalPlusPattern)) {
+      const p = match[1].trim();
+      if (p !== "/dev/null" && !p.startsWith("a/") && !p.startsWith("b/"))
+        paths.add(p);
+    }
+    return Array.from(paths);
+  }
   function handlePlanAndScopeProtection(sessionID, tool3, args2) {
     const toolArgs = args2;
     const targetPath = toolArgs?.filePath ?? toolArgs?.path ?? toolArgs?.file ?? toolArgs?.target;
@@ -53759,68 +53834,25 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
       }
     }
     if (!targetPath && (tool3 === "apply_patch" || tool3 === "patch")) {
-      const patchText = toolArgs?.input ?? toolArgs?.patch ?? (Array.isArray(toolArgs?.cmd) ? toolArgs.cmd[1] : undefined);
-      if (typeof patchText === "string" && patchText.length <= 1e6) {
-        const patchPathPattern = /\*\*\*\s+(?:Update|Add|Delete)\s+File:\s*(.+)/gi;
-        const diffPathPattern = /\+\+\+\s+b\/(.+)/gm;
-        const paths = new Set;
-        for (const match of patchText.matchAll(patchPathPattern)) {
-          paths.add(match[1].trim());
-        }
-        for (const match of patchText.matchAll(diffPathPattern)) {
-          const p = match[1].trim();
-          if (p !== "/dev/null")
-            paths.add(p);
-        }
-        const gitDiffPathPattern = /^diff --git a\/(.+?) b\/(.+?)$/gm;
-        for (const match of patchText.matchAll(gitDiffPathPattern)) {
-          const aPath = match[1].trim();
-          const bPath = match[2].trim();
-          if (aPath !== "/dev/null")
-            paths.add(aPath);
-          if (bPath !== "/dev/null")
-            paths.add(bPath);
-        }
-        const minusPathPattern = /^---\s+a\/(.+)$/gm;
-        for (const match of patchText.matchAll(minusPathPattern)) {
-          const p = match[1].trim();
-          if (p !== "/dev/null")
-            paths.add(p);
-        }
-        const traditionalMinusPattern = /^---\s+([^\s].+?)(?:\t.*)?$/gm;
-        const traditionalPlusPattern = /^\+\+\+\s+([^\s].+?)(?:\t.*)?$/gm;
-        for (const match of patchText.matchAll(traditionalMinusPattern)) {
-          const p = match[1].trim();
-          if (p !== "/dev/null" && !p.startsWith("a/") && !p.startsWith("b/")) {
-            paths.add(p);
-          }
-        }
-        for (const match of patchText.matchAll(traditionalPlusPattern)) {
-          const p = match[1].trim();
-          if (p !== "/dev/null" && !p.startsWith("a/") && !p.startsWith("b/")) {
-            paths.add(p);
-          }
-        }
-        for (const p of paths) {
-          const resolvedP = path35.resolve(effectiveDirectory, p);
-          const planMdPath = path35.resolve(effectiveDirectory, ".swarm", "plan.md").toLowerCase();
-          const planJsonPath = path35.resolve(effectiveDirectory, ".swarm", "plan.json").toLowerCase();
-          if (resolvedP.toLowerCase() === planMdPath || resolvedP.toLowerCase() === planJsonPath) {
-            throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md and .swarm/plan.json are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
-          }
-          if (isOutsideSwarmDir(p, effectiveDirectory) && (isSourceCodePath(p) || hasTraversalSegments(p))) {
-            const session = swarmState.agentSessions.get(sessionID);
-            if (session) {
-              session.architectWriteCount++;
-              warn("Architect direct code edit detected via apply_patch", {
-                tool: tool3,
-                sessionID,
-                targetPath: p,
-                writeCount: session.architectWriteCount
-              });
-            }
-            break;
+      for (const p of extractPatchTargetPaths(tool3, args2)) {
+        const resolvedP = path35.resolve(effectiveDirectory, p);
+        const planMdPath = path35.resolve(effectiveDirectory, ".swarm", "plan.md").toLowerCase();
+        const planJsonPath = path35.resolve(effectiveDirectory, ".swarm", "plan.json").toLowerCase();
+        if (resolvedP.toLowerCase() === planMdPath || resolvedP.toLowerCase() === planJsonPath) {
+          throw new Error("PLAN STATE VIOLATION: Direct writes to .swarm/plan.md and .swarm/plan.json are blocked. " + "plan.md is auto-regenerated from plan.json by PlanSyncWorker. " + "Use update_task_status() to mark tasks complete, " + "phase_complete() for phase transitions, or " + "save_plan to create/restructure plans.");
+        }
+        if (isOutsideSwarmDir(p, effectiveDirectory) && (isSourceCodePath(p) || hasTraversalSegments(p))) {
+          const session = swarmState.agentSessions.get(sessionID);
+          if (session) {
+            session.architectWriteCount++;
+            warn("Architect direct code edit detected via apply_patch", {
+              tool: tool3,
+              sessionID,
+              targetPath: p,
+              writeCount: session.architectWriteCount
+            });
           }
+          break;
         }
       }
     }
@@ -53917,6 +53949,24 @@ function createGuardrailsHooks(directory, directoryOrConfig, config3) {
       handleTestSuiteBlocking(input.tool, output.args);
       if (isArchitect(input.sessionID) && isWriteTool(input.tool)) {
         handlePlanAndScopeProtection(input.sessionID, input.tool, output.args);
+        const toolArgs = output.args;
+        const targetPath = toolArgs?.filePath ?? toolArgs?.path ?? toolArgs?.file ?? toolArgs?.target;
+        if (typeof targetPath === "string" && targetPath.length > 0) {
+          const agentName = swarmState.activeAgent.get(input.sessionID) ?? "architect";
+          const authorityCheck = checkFileAuthorityWithRules(agentName, targetPath, effectiveDirectory, precomputedAuthorityRules);
+          if (!authorityCheck.allowed) {
+            throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${targetPath}". Reason: ${authorityCheck.reason}`);
+          }
+        }
+      }
+      if (input.tool === "apply_patch" || input.tool === "patch") {
+        const agentName = swarmState.activeAgent.get(input.sessionID) ?? "architect";
+        for (const p of extractPatchTargetPaths(input.tool, output.args)) {
+          const authorityCheck = checkFileAuthorityWithRules(agentName, p, effectiveDirectory, precomputedAuthorityRules);
+          if (!authorityCheck.allowed) {
+            throw new Error(`WRITE BLOCKED: Agent "${agentName}" is not authorised to write "${p}" (via patch). Reason: ${authorityCheck.reason}`);
+          }
+        }
       }
       const resolved = resolveSessionAndWindow(input.sessionID);
       if (!resolved)
@@ -54411,7 +54461,7 @@ function hashArgs(args2) {
     return 0;
   }
 }
-var AGENT_AUTHORITY_RULES = {
+var DEFAULT_AGENT_AUTHORITY_RULES = {
   architect: {
     blockedExact: [".swarm/plan.md", ".swarm/plan.json"],
     blockedZones: ["generated"]
@@ -54452,12 +54502,38 @@ var AGENT_AUTHORITY_RULES = {
     blockedZones: ["generated"]
   }
 };
-function checkFileAuthority(agentName, filePath, cwd) {
+function buildEffectiveRules(authorityConfig) {
+  if (authorityConfig?.enabled === false || !authorityConfig?.rules) {
+    return DEFAULT_AGENT_AUTHORITY_RULES;
+  }
+  const entries = Object.entries(authorityConfig.rules);
+  if (entries.length === 0) {
+    return DEFAULT_AGENT_AUTHORITY_RULES;
+  }
+  const merged = {
+    ...DEFAULT_AGENT_AUTHORITY_RULES
+  };
+  for (const [agent, userRule] of entries) {
+    const normalizedRuleKey = agent.toLowerCase();
+    const existing = merged[normalizedRuleKey] ?? {};
+    merged[normalizedRuleKey] = {
+      ...existing,
+      ...userRule,
+      blockedExact: userRule.blockedExact ?? existing.blockedExact,
+      blockedPrefix: userRule.blockedPrefix ?? existing.blockedPrefix,
+      allowedPrefix: userRule.allowedPrefix ?? existing.allowedPrefix,
+      blockedZones: userRule.blockedZones ?? existing.blockedZones
+    };
+  }
+  return merged;
+}
+function checkFileAuthorityWithRules(agentName, filePath, cwd, effectiveRules) {
   const normalizedAgent = agentName.toLowerCase();
+  const strippedAgent = stripKnownSwarmPrefix(agentName).toLowerCase();
   const dir = cwd || process.cwd();
   const resolved = path35.resolve(dir, filePath);
   const normalizedPath = path35.relative(dir, resolved).replace(/\\/g, "/");
-  const rules = AGENT_AUTHORITY_RULES[normalizedAgent];
+  const rules = effectiveRules[normalizedAgent] ?? effectiveRules[strippedAgent];
   if (!rules) {
     return { allowed: false, reason: `Unknown agent: ${agentName}` };
   }
@@ -54484,8 +54560,8 @@ function checkFileAuthority(agentName, filePath, cwd) {
       }
     }
   }
-  if (rules.allowedPrefix && rules.allowedPrefix.length > 0) {
-    const isAllowed = rules.allowedPrefix.some((prefix) => normalizedPath.startsWith(prefix));
+  if (rules.allowedPrefix != null) {
+    const isAllowed = rules.allowedPrefix.length > 0 ? rules.allowedPrefix.some((prefix) => normalizedPath.startsWith(prefix)) : false;
     if (!isAllowed) {
       return {
         allowed: false,
@@ -70013,7 +70089,8 @@ var OpenCodeSwarm = async (ctx) => {
     console.warn("");
   }
   const delegationHandler = createDelegationTrackerHook(config3, guardrailsConfig.enabled);
-  const guardrailsHooks = createGuardrailsHooks(ctx.directory, undefined, guardrailsConfig);
+  const authorityConfig = AuthorityConfigSchema.parse(config3.authority ?? {});
+  const guardrailsHooks = createGuardrailsHooks(ctx.directory, undefined, guardrailsConfig, authorityConfig);
   const watchdogConfig = WatchdogConfigSchema.parse(config3.watchdog ?? {});
   const advisoryInjector = (sessionId, message) => {
     const s = swarmState.agentSessions.get(sessionId);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "opencode-swarm",
-	"version": "6.45.1",
+	"version": "6.46.0",
 	"description": "Architect-centric agentic swarm plugin for OpenCode - hub-and-spoke orchestration with SME consultation, code generation, and QA review",
 	"main": "dist/index.js",
 	"types": "dist/index.d.ts",