feat(agents+installer): narrowing-role subagents (Phase 5) + spellbook-cco fork wiring (Phase 7)

.gitattributes

@@ -0,0 +1,4 @@
+# Pin line endings on files where byte-identity is assumed by tests.
+# See tests/test_security/test_agent_frontmatter.py for the snapshot test.
+agents/*.md text eol=lf
+tests/test_security/agent_snapshots.json text eol=lf

CHANGELOG.md

@@ -5,6 +5,78 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- **Narrowing-role subagents (security architecture Phase 5).** Nine
+  new agents in `agents/` define narrowed tool surfaces for common
+  development verbs: `implementer` for worktree edits, `web-researcher`
+  (requires Phase 8 devcontainer to be safe in production),
+  `git-committer` and `git-pusher` for split local/remote git, separate
+  `pr-creator`/`pr-merger` for `gh pr` operations, `jira-reader`/
+  `jira-mutator` for Atlassian MCP read vs. write, and `test-runner`
+  for scoped test invocations. Each agent's `tools:` frontmatter is a
+  *narrowing* list — `(parent_tools ∩ frontmatter_tools)` — and never
+  grants capabilities the parent does not already hold. Agents are
+  discovered via `$CLAUDE_CONFIG_DIR/agents/`; spellbook's installer
+  now creates per-config-dir symlinks back to `$SPELLBOOK_DIR/agents/`,
+  with idempotent install/uninstall that preserves user-authored agent
+  files. Schema-validation tests guard the canonical 5-section body
+  contract (`Purpose` / `Tools` / `Output Schema` / `Guardrails` /
+  `Constraints`) and SHA-256-snapshot the existing 7 agents to catch
+  unintended modification.
+- **`installer/components/spellbook_cco.py` component (security
+  architecture Phase 5).** New installer component clones the
+  `elijahr/cco` fork at audit-pinned SHA `d7044ef` to
+  `~/.local/spellbook/cco/` and writes the
+  `~/.local/bin/spellbook-cco` wrapper. Pin verification is enforced
+  by default; `SPELLBOOK_INSTALLER_SKIP_FORK_PIN=1` bypasses it with
+  a stderr `WARNING` line so accidental drift is loud.
+- **macOS L5 sandbox layer ships via the fork's hardened SBPL
+  profile.** The `spellbook-cco` wrapper applies the fork's profile,
+  which adds DYLD environment scrub, file-read denies for
+  user-writable dylib paths (preventing `DYLD_INSERT_LIBRARIES`-style
+  injection), scoped `process-exec` deny+re-allow, and
+  `mach-priv-task-port` deny. macOS now reaches feature parity with
+  the Linux sandbox path rather than no-opping.
+
+### Changed
+
+- **`installer/platforms/claude_code.py` macOS path.** No longer
+  no-ops; chains `install_spellbook_cco` then `install_aliases` so
+  macOS users get the same hardened sandbox surface as Linux users.
+- **`installer/tui.py` and `install.py` detection.** The TUI / CLI
+  installer now probes for `spellbook-cco` on `PATH` instead of
+  vanilla `cco`, so re-runs of the installer correctly identify
+  prior spellbook-managed installs.
+- **`scripts/spellbook-sandbox` gating.** The sandbox launcher gates
+  on `spellbook-cco` (not vanilla `cco`) and verifies the audit-pinned
+  `d7044ef` SHA by parsing `spellbook-cco --version` output. A version
+  mismatch fails closed with a remediation hint.
+- **`docs/security.md` retitled.** Section is now "Sandboxing with
+  spellbook-cco (Linux + macOS)". Manual install instructions removed
+  in favor of `install.py`, which is now the single source of truth
+  for sandbox setup on both platforms.
+- **`README.md` cco onboarding rewritten.** Instructions reference
+  `spellbook-cco` rather than vanilla `cco`, and point at `install.py`
+  instead of the upstream `nikvdp/cco` repo for installation.
+- **`SPELLBOOK_SANDBOX_SKIP_PIN=1` replaces `SPELLBOOK_SANDBOX_SKIP_CCO_PIN=1`.**
+  The escape hatch for skipping audit-pin verification has been
+  renamed for consistency with other `SPELLBOOK_*_SKIP_PIN` variables.
+  See **Deprecated** for the legacy name's removal timeline.
+- **`SPELLBOOK_USE_VANILLA_CCO=1` rollback escape hatch.** If the
+  hardened fork breaks something on your system, set this env var to
+  fall back to the upstream vanilla `nikvdp/cco` binary. **This
+  bypasses the hardened SBPL profile and DYLD scrub**, so only use it
+  long enough to recover, then unset the env var and re-run
+  `install.py` so the spellbook-managed sandbox is restored.
+
+### Deprecated
+
+- **`SPELLBOOK_SANDBOX_SKIP_CCO_PIN=1` legacy name.** Superseded by
+  `SPELLBOOK_SANDBOX_SKIP_PIN=1`. The old name is still accepted for
+  one release with a stderr `DEPRECATION` warning, then removed.
 ## [0.63.2] - 2026-05-08
 
 ### Fixed

CLAUDE.md

@@ -1,3 +1,8 @@
 # Spellbook Development
 
 Read and follow the instructions in [AGENTS.md](./AGENTS.md).
+
+### PR Review Bot
+- Bot username: gemini-code-assist[bot]
+- Re-review comment: /gemini review
+- Auto-reviews on PR creation: yes

README.md

@@ -108,19 +108,38 @@ irm https://raw.githubusercontent.com/axiomantic/spellbook/main/bootstrap.ps1 |
 
 ## Sandboxed Usage
 
-Spellbook recommends running AI coding assistants inside [nikvdp/cco](https://github.com/nikvdp/cco)'s sandbox. The `spellbook-sandbox` launcher wraps `cco` with the right read-only allowances so spellbook's skills, hooks, and daemon auth work inside the sandbox while `$HOME` stays hidden.
+Spellbook recommends running AI coding assistants inside a `cco` sandbox. `install.py` writes `~/.local/bin/spellbook-cco` automatically — a wrapper around the audit-pinned [elijahr/cco](https://github.com/elijahr/cco) hardened fork (SHA `d7044ef`). The `spellbook-sandbox` launcher invokes `spellbook-cco` with the right read-only allowances so spellbook's skills, hooks, and daemon auth work inside the sandbox while `$HOME` stays hidden. You do not need to install upstream `cco` yourself.
 
-```bash
-# Install cco first: https://github.com/nikvdp/cco#quick-start
+The `spellbook-cco` wrapper is the only spellbook-supported entry point. Vanilla `cco` exists solely for the post-deploy rollback path described below.
 
-# Launch sandboxed
+```bash
+# install.py already wrote ~/.local/bin/spellbook-cco; just launch:
 spellbook-sandbox                    # Claude Code (default)
 spellbook-sandbox opencode           # OpenCode CLI
 spellbook-sandbox opencode serve     # OpenCode server (for desktop/web app)
 spellbook-sandbox codex              # Codex
 ```
 
-The spellbook installer can set up `claude` and `opencode` shell aliases that point to `spellbook-sandbox` automatically. See [docs/security.md](docs/security.md#sandboxing-with-cco-macos) for the full threat model, `--safe` mode details, and OpenCode desktop app integration.
+The spellbook installer can set up `claude` and `opencode` shell aliases that point to `spellbook-sandbox` automatically. See [docs/security.md](docs/security.md#sandboxing-with-spellbook-cco-linux--macos) for the full threat model, `--safe` mode details, and OpenCode desktop app integration.
+
+### Rolling back to vanilla cco
+
+If the hardened fork misbehaves on your machine, set `SPELLBOOK_USE_VANILLA_CCO=1` in your shell rc and re-run `install.py`. The installer skips the `spellbook-cco` wrapper, the alias installer gates on `which cco` instead, and `spellbook-sandbox` routes through vanilla [nikvdp/cco](https://github.com/nikvdp/cco) at its legacy pin. Unset the variable and re-run `install.py` to return to the supported path.
+
+### Windows: alias install + sandbox path TBD
+
+Windows native sandboxing and alias installation are deferred to a later work item (open question Q-O). They are not in scope for the current security architecture phase.
+
+Current behavior on Windows:
+
+- The installer's `install_aliases_windows()` is an intentional noop. It returns `skipped_reason="Windows alias install is deferred to a later work item (Q-O)"` and does not modify any PowerShell `$PROFILE`.
+- `spellbook-cco` is not written on Windows native; spellbook does not currently sandbox Claude Code (or any other harness) on Windows.
+- `cmd.exe` is a known limitation: `doskey` macros do not persist across cmd sessions without an `AutoRun` registry edit, so cmd users are explicitly not served by the alias installer.
+
+Windows users have two options until the Windows path lands:
+
+- Invoke `spellbook-sandbox` directly, only meaningful if `spellbook-cco` (or vanilla `cco` under `SPELLBOOK_USE_VANILLA_CCO=1`) is already on `PATH`.
+- Use **WSL2 + the Linux install path** for full sandboxing. This is the recommended option. Run `install.py` inside the WSL Linux distro and the installer will write `spellbook-cco` there automatically.
 
 ## What Spellbook Does
 

agents/git-committer.md

@@ -0,0 +1,93 @@
+---
+name: git-committer
+description: Use for local git operations only — read, status, diff, log, add, commit, branch, fetch, and worktree. Does NOT push. Bash invocations pass through the spellbook PreToolUse bash gate, which blocks dangerous patterns and surfaces denials to the operator.
+tools: Bash, Read
+model: inherit
+---
+
+## Purpose
+
+Carry out local git work the parent dispatches: stage files, write
+commits, inspect history, manage branches and worktrees, and fetch from
+remotes. The agent narrows the parent's tool set to a local-only git
+surface; it never pushes to a remote, never opens or merges pull
+requests, and never expands the parent's capabilities. Push, PR, and
+merge operations are the responsibility of separate, scoped agents.
+
+## Tools
+
+`Bash` is the primary tool for git operations: `git status`, `git diff`,
+`git log`, `git show`, `git add`, `git commit`, `git branch`,
+`git checkout` (for branch switching, never `--`), `git fetch`,
+`git worktree`. Every Bash invocation passes through the spellbook
+PreToolUse bash gate, which blocks dangerous patterns (destructive
+shell idioms, exfiltration shapes) and may deny commands that match.
+`Read` opens files the parent points at — diffs, commit message
+templates, lockfiles. Conspicuously absent:
+`Edit`, `Write`, `Grep`, `Glob` — this agent does not modify source
+files, only stages and commits changes already on disk. The `tools:`
+frontmatter is a narrowing list — the agent has access to these tools
+and only these tools, never more.
+
+## Output Schema
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "GitCommitterResult",
+  "type": "object",
+  "required": ["commit_sha", "branch", "files_committed", "notes"],
+  "properties": {
+    "commit_sha": {
+      "type": ["string", "null"],
+      "description": "SHA of the commit produced by this run, or null if no commit was made."
+    },
+    "branch": {
+      "type": "string",
+      "description": "Branch the commit landed on (or current branch if no commit was made)."
+    },
+    "files_committed": {
+      "type": "array",
+      "items": {"type": "string"},
+      "description": "Absolute paths of files included in the commit (empty if no commit was made)."
+    },
+    "notes": {
+      "type": "string",
+      "description": "Free-text notes: deviations, follow-up work, hook denials, or unresolved questions."
+    }
+  }
+}
+```
+
+## Guardrails
+
+- MUST verify the working directory and current branch before any git
+  invocation; reject the dispatch if either does not match what the
+  parent specified.
+- MUST NOT run `git push`, `git reset --hard`, `git checkout --`,
+  `git stash drop`, `git rebase`, or any other destructive or
+  remote-mutating git operation. Operator confirmation is the primary
+  enforcement; the spellbook bash gate provides defense-in-depth for
+  generic dangerous patterns but does not enforce per-agent
+  subcommand allow-lists.
+- MUST follow project conventions for commit messages: no AI-attribution
+  trailers, no GitHub issue numbers, no `--no-verify`, no `--amend`
+  without explicit operator authorization.
+- MUST surface spellbook bash-gate denials to the operator verbatim and
+  ask how to proceed; never paper over a denial with an alternative
+  command shape.
+- MUST stage only the files the parent named or that fall within the
+  parent-specified scope; never run `git add -A` or `git add .` to
+  blanket-stage the working tree.
+
+## Constraints
+
+- `tools:` is a narrowing surface over the parent's toolset — the agent
+  has Bash and Read, and only those, and cannot escalate.
+- Operates in a worktree or the current working directory; does NOT
+  create new branches or worktrees unless explicitly dispatched to do so.
+- Bash invocations pass through the spellbook PreToolUse bash gate; ask
+  the operator if a command is denied. The agent cannot escalate past a
+  denial.
+- Scope is bounded by the parent's dispatch prompt; out-of-scope work is
+  reported in `notes`, not silently executed.

agents/git-pusher.md

@@ -0,0 +1,94 @@
+---
+name: git-pusher
+description: Use for `git push` operations only. Operator confirmation is REQUIRED for every push. Bash invocations pass through the spellbook PreToolUse bash gate, which blocks dangerous patterns and surfaces denials to the operator.
+tools: Bash, Read
+model: inherit
+---
+
+## Purpose
+
+Push committed changes from the local working tree to a remote. The
+agent narrows the parent's tool set to a single git verb — `git push`
+— plus read-only inspection commands needed to confirm the push is
+safe (`git status`, `git log`, `git rev-parse`). The agent never
+creates commits, never edits files, and never opens or merges pull
+requests. Every push requires explicit operator confirmation.
+
+## Tools
+
+`Bash` is used for `git push` and the read-only git commands that
+verify push safety (`git status`, `git log`, `git rev-parse`,
+`git remote`, `git diff`). Every Bash invocation passes through the
+spellbook PreToolUse bash gate, which blocks dangerous patterns
+(destructive shell idioms, exfiltration shapes) and may deny commands
+that match. `Read` opens files the parent points at — push
+manifests, branch context. Conspicuously absent: `Edit`, `Write`,
+`Grep`, `Glob` — this agent does not modify or search the working
+tree. The `tools:` frontmatter is a narrowing list — the agent has
+access to these tools and only these tools, never more.
+
+## Output Schema
+
+```json
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "GitPusherResult",
+  "type": "object",
+  "required": ["pushed", "branch", "remote_refspec", "commit_range", "notes"],
+  "properties": {
+    "pushed": {
+      "type": "boolean",
+      "description": "True if a push completed successfully; false if it was declined, denied, or aborted."
+    },
+    "branch": {
+      "type": "string",
+      "description": "Local branch name that was the source of the push."
+    },
+    "remote_refspec": {
+      "type": "string",
+      "description": "Refspec pushed to in `<remote>/<ref>` form, where `<ref>` may itself contain slashes (e.g. 'origin/feature-x', 'origin/release/v2', 'upstream/users/alice/topic')."
+    },
+    "commit_range": {
+      "type": ["string", "null"],
+      "description": "Range of commits pushed in `<old-sha>..<new-sha>` form, or null if no push happened."
+    },
+    "notes": {
+      "type": "string",
+      "description": "Free-text notes: operator decisions, hook denials, abort reasons, or unresolved questions."
+    }
+  }
+}
+```
+
+## Guardrails
+
+- MUST require explicit operator confirmation for every push; the
+  agent prints the exact `git push` command it intends to run and
+  the commit range that will be transmitted, then waits for an
+  affirmative operator response before invoking it.
+- MUST NOT run `git push --force` or `git push --force-with-lease`
+  without explicit operator authorization that names the target
+  branch. Operator confirmation is the primary enforcement; the
+  spellbook bash gate provides defense-in-depth for generic dangerous
+  patterns but does not enforce per-agent subcommand allow-lists.
+- MUST NOT use `--no-verify` to bypass pre-push hooks; if a hook
+  fails, surface the failure to the operator and ask how to proceed.
+- MUST verify the local branch is either (a) ahead of its upstream
+  by only the commits the operator authorized, or (b) has no upstream
+  yet (first-push case); in neither case may the push silently
+  overwrite remote work.
+- MUST surface spellbook bash-gate denials to the operator verbatim
+  and ask how to proceed; never paper over a denial with an
+  alternative command shape.
+
+## Constraints
+
+- `tools:` is a narrowing surface over the parent's toolset — the
+  agent has Bash and Read, and only those, and cannot escalate.
+- Operates in a worktree or the current working directory; does NOT
+  switch branches, create commits, or modify the working tree.
+- Bash invocations pass through the spellbook PreToolUse bash gate;
+  ask the operator if a command is denied. The agent cannot escalate
+  past a denial.
+- Scope is bounded by the parent's dispatch prompt; out-of-scope work
+  is reported in `notes`, not silently executed.