fix(opencode): restore grep/glob/bash for dreamer subagent permissions

Audit of the live OpenCode DB showed real-world hidden-subagent tool
usage:

  historian (compartment):
    read 7, grep 3

  dreamer (consolidate / verify / improve / archive-stale / smart-notes):
    bash 114, ctx_memory 57, grep 26, read 21, glob 4, ctx_reduce 1

The previous commit (571d014) locked dreamer to
read + ctx_memory + ctx_search + ctx_note, which would have broken:

  - smart-note evaluation, which task-prompts.ts explicitly tells the
    model to perform via gh / git / curl / file reads under bash
  - the verify task git log --oneline --since=... step (line 243)
  - the verify task grep-schema-for-defaults instruction (line 81)
  - the improve task find/grep directory inventory (lines 266-268)

Add grep, glob, and bash to DREAMER_ALLOWED_TOOLS. task, edit, write,
webfetch, websearch remain denied — dreamer must not spawn subagents
or commit changes, and smart-note URL fetches go through bash + curl
instead of webfetch to keep one shell surface.

Historian 3 historical grep calls were the model improvising rather
than following its prompt (which makes no mention of grep). Historian
job is summarizing the input it is given, not exploring the repo, so
the read-only restriction stands. If a real summarization task ever
needs grep we can add it then.

Sidekick had no real-world calls captured (it is a recent feature with
low usage). Its prompt allows ONLY ctx_search, so the
ctx_search + ctx_memory allow-list stands.

Tests updated: 1476 pass / 0 fail (+3 dreamer-specific assertions).
Comments in permissions.ts now cite the DB-observed call counts so a
future audit can verify the allow-list against fresh telemetry.

Author: ualtinok

packages/plugin/src/agents/permissions.test.ts

@@ -68,21 +68,45 @@ describe("HISTORIAN_ALLOWED_TOOLS", () => {
 });
 
 describe("DREAMER_ALLOWED_TOOLS", () => {
-    it("includes read + ctx_memory + ctx_search + ctx_note", () => {
-        // Dreamer needs: `read` (key-files identification), `ctx_memory`
-        // (consolidate/verify/archive/merge/update), `ctx_search`
-        // (smart-note evaluation, retrieval-count checks), `ctx_note`
-        // (smart-note dismiss/update).
+    it("includes read + grep + glob + bash for local-repo exploration", () => {
+        // Verify task prompt explicitly tells the model to grep schema
+        // files, read source, glob/find for project structure inventory,
+        // and run `git log --oneline --since=...`. Smart-note evaluation
+        // routinely needs `gh` / `git` / `curl` via bash. Live DB shows
+        // >100 bash invocations across dreamer task variants.
         expect(DREAMER_ALLOWED_TOOLS).toContain("read");
+        expect(DREAMER_ALLOWED_TOOLS).toContain("grep");
+        expect(DREAMER_ALLOWED_TOOLS).toContain("glob");
+        expect(DREAMER_ALLOWED_TOOLS).toContain("bash");
+    });
+
+    it("includes ctx_memory + ctx_search + ctx_note for memory operations", () => {
+        // Dreamer's canonical job: consolidate / verify / archive /
+        // improve memories (`ctx_memory`), and dismiss / surface smart
+        // notes (`ctx_note`). `ctx_search` for retrieval-count and
+        // smart-note evidence lookup.
         expect(DREAMER_ALLOWED_TOOLS).toContain("ctx_memory");
         expect(DREAMER_ALLOWED_TOOLS).toContain("ctx_search");
         expect(DREAMER_ALLOWED_TOOLS).toContain("ctx_note");
     });
 
-    it("does NOT include `task` or edit/bash/web tools", () => {
-        for (const denied of ["task", "bash", "edit", "write", "webfetch", "websearch"]) {
-            expect(DREAMER_ALLOWED_TOOLS).not.toContain(denied);
-        }
+    it("does NOT include `task` (no subagent fanout from dreamer)", () => {
+        expect(DREAMER_ALLOWED_TOOLS).not.toContain("task");
+    });
+
+    it("does NOT include `edit` or `write` (no project-file mutations)", () => {
+        // Dreamer task prompt explicitly says "Do not commit changes" —
+        // memory consolidation must not alter project source files.
+        expect(DREAMER_ALLOWED_TOOLS).not.toContain("edit");
+        expect(DREAMER_ALLOWED_TOOLS).not.toContain("write");
+    });
+
+    it("does NOT include `webfetch` or `websearch` (use bash + curl instead)", () => {
+        // External URL fetches in smart-note conditions go through
+        // `bash` + `curl` so dreamer has one consistent shell surface
+        // instead of two redundant network tools.
+        expect(DREAMER_ALLOWED_TOOLS).not.toContain("webfetch");
+        expect(DREAMER_ALLOWED_TOOLS).not.toContain("websearch");
     });
 });
 
@@ -113,11 +137,14 @@ describe("integration: full hidden-agent permission shape", () => {
         });
     });
 
-    it("dreamer permission object: `*` denied + read + ctx_* allowed", () => {
+    it("dreamer permission object: `*` denied + read + grep + glob + bash + ctx_* allowed", () => {
         const perm = buildAllowOnlyPermission(DREAMER_ALLOWED_TOOLS);
         expect(perm).toEqual({
             "*": "deny",
             read: "allow",
+            grep: "allow",
+            glob: "allow",
+            bash: "allow",
             ctx_memory: "allow",
             ctx_search: "allow",
             ctx_note: "allow",

packages/plugin/src/agents/permissions.ts

@@ -45,12 +45,17 @@
  *     instructs the model to read that file. The model's only output
  *     channel is its text response (the `<output>...</output>` XML).
  *
- *   - **dreamer**: `read` (for the key-files identification task),
- *     plus the Magic Context MCP tools `ctx_memory`, `ctx_search`,
- *     `ctx_note`. Dreamer task prompts in
- *     `features/magic-context/dreamer/task-prompts.ts` explicitly
- *     call these tools to consolidate, verify, archive, merge, and
- *     update memories, plus evaluate smart notes.
+ *   - **dreamer**: `read`, `grep`, `glob`, `bash`, plus the Magic
+ *     Context MCP tools `ctx_memory`, `ctx_search`, `ctx_note`.
+ *     Dreamer task prompts in
+ *     `features/magic-context/dreamer/task-prompts.ts` explicitly tell
+ *     the model to grep schema files for defaults, read source to
+ *     confirm claims, run `git log` / `gh` / `curl` for verify and
+ *     smart-note evaluation, and use glob/find for directory
+ *     inventory. Live DB shows >100 bash invocations across all
+ *     dreamer task variants. `task` / `edit` / `write` / `webfetch` /
+ *     `websearch` remain denied — dreamer must not spawn subagents
+ *     or commit changes.
  *
  *   - **sidekick**: `ctx_search` and `ctx_memory` (read-only ops).
  *     Sidekick's job is augmenting user prompts via memory retrieval
@@ -88,13 +93,42 @@ export function buildAllowOnlyPermission(
 export const HISTORIAN_ALLOWED_TOOLS = ["read"] as const;
 
 /**
- * Tools the dreamer agent needs. Memory consolidation/verification/
- * archive/merge/update flows go through `ctx_memory`; smart-note
- * evaluation uses `ctx_search` and `ctx_note`; the key-files
- * identification task uses `read` to inspect candidate files before
- * picking which ones to pin.
+ * Tools the dreamer agent needs. This is the broadest hidden-agent
+ * surface because dreamer's tasks legitimately require local-repo
+ * exploration plus external command execution:
+ *
+ *   - `ctx_memory` / `ctx_search` / `ctx_note` — the canonical memory
+ *     CRUD and retrieval path for consolidate / verify / archive /
+ *     improve and smart-note dismissal.
+ *   - `read` / `grep` / `glob` — the verify task prompt
+ *     (`task-prompts.ts`) explicitly tells the model to grep schema
+ *     files for default values, read source to confirm claimed
+ *     behavior, and use glob for project structure inventory.
+ *   - `bash` — required for smart-note condition evaluation (the
+ *     prompt explicitly mentions `gh` / `git` / `curl` / file reads),
+ *     for the verify task's `git log --oneline --since=...` step, and
+ *     for the improve task's `find` / `grep` directory inventory. The
+ *     live OpenCode DB shows over 100 `bash` invocations across
+ *     consolidate / verify / improve / archive-stale / smart-notes
+ *     dreamer child sessions, so removing it would regress real,
+ *     documented dreamer behavior.
+ *
+ * Deliberately NOT allowed:
+ *   - `task` — no subagent fanout from dreamer
+ *   - `edit` / `write` — dreamer must not modify project files;
+ *     `task-prompts.ts` explicitly states "Do not commit changes"
+ *   - `webfetch` / `websearch` — out of scope; smart-note URL fetches
+ *     go through `bash` + `curl` instead
  */
-export const DREAMER_ALLOWED_TOOLS = ["read", "ctx_memory", "ctx_search", "ctx_note"] as const;
+export const DREAMER_ALLOWED_TOOLS = [
+    "read",
+    "grep",
+    "glob",
+    "bash",
+    "ctx_memory",
+    "ctx_search",
+    "ctx_note",
+] as const;
 
 /**
  * Tools the sidekick agent needs. Sidekick is a read-only memory