Tighten lead shell allowlist guidance

Author: juancarlosrodicio

opencode/agents/lead.md

@@ -55,6 +55,14 @@ When the user did not invoke an explicit command such as `/feature`, `/scope`, `
 
 Use lightweight inspection if you need to check the repo or context. Decide quickly. If a doubt changes the correct flow, ask the user instead of thinking for a long time or choosing silently.
 
+For lightweight shell inspection, respect the exact allowlist boundary:
+
+- if the user already named allowlisted shell primitives, reuse those exact forms before inventing nearby variants;
+- avoid adjacent substitutes such as `pwd` when the user already named an allowlisted option such as `cd .` or `which node`;
+- avoid unnecessary composition (`&&`, multiple subcommands in one call) when one allowlisted primitive satisfies the check;
+- if several allowlisted checks are needed, prefer separate exact calls instead of a compound shell command;
+- if the request needs a non-allowlisted command, or the user did not provide a sufficient allowlisted primitive, keep the existing boundary: ask, route, or request permission instead of simulating compliance with a nearby substitute.
+
 Routing decision:
 
 - `developer`: small, clear, localized, verifiable change.

opencode/docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/analysis/overview.md

@@ -0,0 +1,25 @@
+# Analysis: iteration-012-lead-shell-allowlist-boundaries
+
+The remaining issue after iteration 011 was not a missing shell permission.
+Exact allowlisted commands worked, and unallowlisted commands still asked for
+permission as designed.
+
+The failure pattern was agent-level command selection drift:
+
+- exact `which node` passed;
+- exact `cd .` passed;
+- exact `pwd` stayed blocked by `bash "*": ask`;
+- a natural inspection prompt that already named `cd` and `which node` drifted
+  to a nearby composed form instead of using the named allowlisted primitives.
+
+The fix belongs in `lead` guidance rather than the tool layer:
+
+- prefer exact allowlisted primitives already named by the user;
+- avoid nearby substitutes such as `pwd` when an allowlisted primitive already
+  satisfies the check;
+- avoid compound shell calls when separate exact calls preserve the boundary;
+- keep `bash "*": ask` unchanged.
+
+The post-change replay confirmed the targeted behavior: the natural inspection
+case used separate allowlisted calls and no permission request, while `pwd`
+remained outside the allowlist.

opencode/docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/change_evaluation.json

@@ -0,0 +1,28 @@
+{
+  "iteration": 12,
+  "evaluates_iteration": 12,
+  "results": [
+    {
+      "change_id": "chg-1-lead-allowlisted-shell-preference",
+      "predicted_fixes_confirmed": [
+        "lead-reuses-user-named-allowlisted-shell-primitives",
+        "lead-avoids-unneeded-compound-shell-inspection",
+        "unknown-bash-commands-still-ask"
+      ],
+      "predicted_fixes_not_confirmed": [],
+      "risk_tasks_regressed": [],
+      "risk_tasks_not_regressed": [
+        "do-not-broaden-bash-allowlist",
+        "preserve-lead-edit-deny"
+      ],
+      "unpredicted_regressions": [],
+      "decision": "keep",
+      "evidence": [
+        "docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/evaluation.md",
+        "docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/analysis/overview.md",
+        "docs/ai/evolution/runs/iteration-011-lead-cd-which-permissions/change_evaluation.json"
+      ],
+      "notes": "The public record keeps the behavior summary and omits raw transcripts with machine-local paths. The change remains scoped to lead guidance; permissions and provider configuration are unchanged."
+    }
+  ]
+}

opencode/docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/change_manifest.json

@@ -0,0 +1,31 @@
+{
+  "iteration": 12,
+  "changes": [
+    {
+      "id": "chg-1-lead-allowlisted-shell-preference",
+      "type": "improvement",
+      "description": "Tighten the lead agent contract so natural lightweight inspection prefers exact allowlisted shell primitives already named by the user and avoids adjacent substitutes or compound shell composition when one allowlisted command is sufficient.",
+      "files": [
+        "agents/lead.md",
+        "docs/ai/harness/agents.md"
+      ],
+      "failure_pattern": "Natural inspection prompts that fit the narrow shell allowlist can still drift to adjacent or compound shell forms, causing avoidable permission requests.",
+      "evidence": [
+        "docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/evaluation.md",
+        "docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/analysis/overview.md"
+      ],
+      "predicted_fixes": [
+        "lead-reuses-user-named-allowlisted-shell-primitives",
+        "lead-avoids-unneeded-compound-shell-inspection",
+        "unknown-bash-commands-still-ask"
+      ],
+      "risk_tasks": [
+        "do-not-broaden-bash-allowlist",
+        "preserve-lead-edit-deny",
+        "avoid-benchmark-specific-wording"
+      ],
+      "constraint_level": "agent",
+      "why_this_component": "The tool layer already allows exact cd and which commands and still blocks unknown bash commands. The observed failure happens earlier, in lead command selection."
+    }
+  ]
+}

opencode/docs/ai/evolution/runs/iteration-012-lead-shell-allowlist-boundaries/evaluation.md

@@ -0,0 +1,22 @@
+# Evaluation: iteration-012-lead-shell-allowlist-boundaries
+
+## Objective
+
+Reduce approval drift after iteration 011 by guiding `lead` to reuse exact
+allowlisted shell primitives during lightweight repo inspection.
+
+## Evidence
+
+- `transcript_replay`: exact `which node` and `cd .` runs succeeded without a
+  permission request.
+- `transcript_replay`: exact `pwd` still requested permission, preserving the
+  fallback boundary.
+- `transcript_replay`: a natural inspection prompt that named `cd` and
+  `which node` originally drifted to a nearby compound command form, causing an
+  avoidable permission request.
+
+## Result
+
+Keep the tool allowlist unchanged and tighten the `lead` contract at the agent
+level. The intended behavior is selection discipline, not broader shell
+authority.

opencode/docs/ai/harness/agents.md

@@ -21,6 +21,9 @@
 - `lead` must not force the full flow for small free-form messages.
 - `lead` does not edit files; if implementation or correction requires repo
   changes, delegate to `developer`.
+- During lightweight shell inspection, `lead` should prefer exact allowlisted
+  primitives already named by the user, without drifting to nearby substitutes
+  or compound shell commands when a single call is enough.
 - `developer` executes direct mode when `lead` delegates a small, clear, verifiable task.
 - Once `developer` receives an implementation task, later adjustments for that
   same free-form request go back to `developer`; `lead` only consolidates,