// opencode configuration for a locked-down, read-only research agent.
// The file carries `//` comments (JSONC), so it only parses with one statement
// per line and a comment-tolerant loader; a strict JSON parser will reject it.
{
  "$schema": "https://opencode.ai/config.json",
  "theme": "opencode",
  // Auto-update is off, so security fixes to the client must be rolled out by
  // whatever process deploys this file.
  "autoupdate": false,
  // NOTE(review): presumably a hosted model, so prompts and any file content the
  // agent reads are sent to that provider. Confirm this is acceptable for the
  // material handled here.
  "model": "opencode/kimi-k2.5-free",
  "plugin": [],

  // Global permissions — defense-in-depth safety net across ALL agents.
  // Denied: shell execution, file edits, web fetches, LSP.
  // Allowed without a prompt: read/grep/glob/list, the todo tools, task (subagent
  // launch) and skill.
  // NOTE(review): "read"/"grep"/"glob"/"list" are unconditional here, so anything
  // readable from the working directory can end up in model context. Keep
  // credentials and .env-style files out of the workspace.
  "permission": {
    "bash": "deny",
    "edit": "deny",
    "webfetch": "deny",
    "read": "allow",
    "grep": "allow",
    "glob": "allow",
    "list": "allow",
    "todoread": "allow",
    "todowrite": "allow",
    "lsp": "deny",
    "task": "allow",
    "skill": "allow"
  },

  "agent": {
    // Primary agent — locked to read-only + Lovdata MCP tools.
    // The prompt text is loaded from the referenced file. The prompt is guidance
    // for the model, not an enforcement point; the tool map and the global
    // permissions above are what actually restrict it.
    // NOTE(review): this map lists built-in tools only. Nothing visible here
    // limits MCP tools, so both servers in the "mcp" block are presumably
    // available to this agent, not just Lovdata — confirm.
    "build": {
      "mode": "primary",
      "prompt": "{file:./prompts/legal-research.md}",
      "temperature": 0.2,
      "tools": {
        "bash": false,
        "write": false,
        "edit": false,
        "patch": false,
        "webfetch": false,
        "read": true,
        "grep": true,
        "glob": true,
        "list": true,
        "todowrite": true,
        "todoread": true
      }
    },

    // Disable plan agent — users shouldn't switch modes.
    "plan": {
      "mode": "primary",
      "disable": true
    },

    // Lock down general subagent — it normally has full tool access.
    // "task" is allowed globally, so this map is what constrains a spawned
    // general subagent. Unlike "build", the todo tools are not listed here.
    "general": {
      "mode": "subagent",
      "tools": {
        "bash": false,
        "write": false,
        "edit": false,
        "patch": false,
        "webfetch": false,
        "read": true,
        "grep": true,
        "glob": true,
        "list": true
      }
    },

    // Explore subagent is already read-only, but be explicit so a change in
    // upstream defaults cannot silently widen it.
    "explore": {
      "mode": "subagent",
      "tools": {
        "bash": false,
        "write": false,
        "edit": false,
        "patch": false,
        "webfetch": false,
        "read": true,
        "grep": true,
        "glob": true,
        "list": true
      }
    }
  },

  "mcp": {
    // Local MCP server started as a child process through npx.
    // NOTE(review): the package name has no version and `-y` skips the install
    // confirmation, so each launch can fetch and run whatever the registry
    // currently serves under that name. Pin an exact, reviewed version (or use a
    // vendored install) to close that supply-chain gap.
    // NOTE(review): this process presumably runs with the invoking user's
    // privileges and is not governed by the "bash": "deny" setting above — confirm.
    "sequential-thinking": {
      "type": "local",
      "command": [
        "npx",
        "-y",
        "@modelcontextprotocol/server-sequential-thinking"
      ],
      "enabled": true
    },
    // Remote MCP server; its tool output is untrusted input to the model.
    // NOTE(review): `${MCP_SERVER}` is not the `{file:...}` placeholder style used
    // for the prompt above (opencode's environment form is `{env:NAME}`), so this
    // presumably depends on an external templating step before the file is
    // loaded. Confirm, otherwise the literal string is used as the URL.
    // Whoever sets that variable chooses the server the agent trusts; require an
    // https URL on a fixed, known host. No headers or credentials are set here.
    "lovdata": {
      "type": "remote",
      "url": "${MCP_SERVER}",
      "enabled": true
    }
  }
}