Description
Currently, the OpenSpec Architect agent has read/write permissions configured for project.md, AGENTS.md, openspec/, and specs/ folders, while setting the rest of the codebase to read-only. However, there have been cases where the agent attempts or performs unintended modifications outside these approved directories (e.g., in src/, app/, or other implementation folders).
Problem
Even with read-only configuration on non-spec files, the agent sometimes:
- Proposes changes to implementation code during planning phases
- Edits files outside the OpenSpec scope when refining specs
This breaks the clean separation between spec-driven planning and actual coding phases
Proposed Solution
Add an explicit deny rule in the permission system that:
- Blocks ALL modifications to files outside the OpenSpec-approved paths, even if the agent has general write permissions
- Logs any attempt to modify non-OpenSpec files with a clear warning
- Provides feedback in the UI: "OpenSpec Architect can only modify files in: project.md, AGENTS.md, openspec/, specs/"
Example Implementation
```json
{
  "permissions": {
    "allow": ["project.md", "AGENTS.md", "openspec/", "specs/"],
    "explicit_deny": ["src/", "app/", "**/*.ts", "**/*.js", "**/*.py"],
    "mode": "openspec-plan"
  }
}
```
Expected Behavior
```text
✅ ALLOWED: Edit specs/project.md
✅ ALLOWED: Edit openspec/agents.json
❌ BLOCKED: Edit src/components/User.tsx (with clear error message)
```
This would provide stronger guardrails while maintaining the current auto-detection and agent activation flow.
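
One way the proposed rule could be enforced, as an added example that is not part of the original issue or the project's code. The function name `check_write`, the default-deny fallback, deny taking precedence over allow, and the glob semantics are assumptions made for illustration.

```python
import fnmatch
import logging
import posixpath

log = logging.getLogger("openspec.guard")  # hypothetical logger name

# Policy copied from the issue's example config.
POLICY = {
    "allow": ["project.md", "AGENTS.md", "openspec/", "specs/"],
    "explicit_deny": ["src/", "app/", "**/*.ts", "**/*.js", "**/*.py"],
}
UI_MESSAGE = ("OpenSpec Architect can only modify files in: "
              "project.md, AGENTS.md, openspec/, specs/")


def _matches(path, pattern):
    """Match a normalized relative path against one policy entry."""
    if pattern.endswith("/"):                      # directory prefix
        return path.startswith(pattern)
    if "*" in pattern:                             # glob; "**/" also covers the repo root
        return (fnmatch.fnmatchcase(path, pattern)
                or fnmatch.fnmatchcase(path, pattern.removeprefix("**/")))
    return path == pattern                         # exact file


def check_write(raw_path, policy=POLICY):
    """Return (allowed, reason). Assumed order: escape check, deny, allow, default deny."""
    # Normalize first so "specs/../src/x.ts" is judged as "src/x.ts".
    path = posixpath.normpath(raw_path.replace("\\", "/"))
    if path.startswith("/") or path == ".." or path.startswith("../"):
        reason = "path escapes the project root"
    elif any(_matches(path, p) for p in policy["explicit_deny"]):
        reason = "matches explicit_deny"
    elif any(_matches(path, p) for p in policy["allow"]):
        return True, "allowed"
    else:
        reason = "not in allow list"
    log.warning("BLOCKED write to %r (%s). %s", raw_path, reason, UI_MESSAGE)
    return False, reason


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample paths, including a traversal through an allowed folder.
    for p in ["specs/project.md", "openspec/agents.json",
              "src/components/User.tsx", "specs/../src/main.ts", "README.md"]:
        print(p, "->", check_write(p))
```

The check is lexical only; a symlink inside `specs/` that points into `src/` would need the real path resolved before calling it.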