From d0bbc70a4e27bb2b82d059f1bc920dd9044f6135 Mon Sep 17 00:00:00 2001
From: Ed_
Date: Thu, 18 Jun 2026 14:30:04 -0400
Subject: [PATCH] fix(tier2): remove AppData allow rules from OpenCode permission JSON

Before:
- read/write allow rules for AppData/Local/manual_slop/tier2/ and AppData/Local/manual_slop/tier2_failures/ existed in both the top-level and the tier2-autonomous agent's permission blocks.
- Bash deny rules covered only AppData/Local/Temp/.
After:
- read/write allow only the Tier 2 clone (C:\\projects\\manual_slop_tier2\\**).
- Bash deny rules: *AppData\\* (broader) + *AppData\\Local\\Temp\\* (kept for clarity). The broader *AppData\\* rule catches Local, LocalLow, Roaming, and any other subdir, not just Temp. The narrower Temp rule is kept as a self-documenting marker for the original 2026-06-17 regression. Per the user's 2026-06-18 'NEVER USE APPDATA' directive.
Refs: conductor/tracks/tier2_no_appdata_20260618
---
 conductor/tier2/opencode.json.fragment | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/conductor/tier2/opencode.json.fragment b/conductor/tier2/opencode.json.fragment
index e31faf1a..d169e4ad 100644
--- a/conductor/tier2/opencode.json.fragment
+++ b/conductor/tier2/opencode.json.fragment
@@ -6,15 +6,11 @@
 "edit": "deny",
 "read": {
 "*": "deny",
- "C:\\projects\\manual_slop_tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2_failures\\**": "allow"
+ "C:\\projects\\manual_slop_tier2\\**": "allow"
 },
 "write": {
 "*": "deny",
- "C:\\projects\\manual_slop_tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2_failures\\**": "allow"
+ "C:\\projects\\manual_slop_tier2\\**": "allow"
 },
 "bash": {
 "*": "deny",
@@ -43,6 +39,7 @@
 "uv run python scripts/run_tests_batched.py*": "allow",
 "uv run python scripts/tier2/*": "allow",
 "pwsh -File scripts/tier2/*": "allow",
+ "*AppData\\*": "deny",
 "*AppData\\Local\\Temp\\*": "deny",
 "git push*": "deny",
 "git checkout*": "deny",
@@ -58,18 +55,15 @@
 "edit": "allow",
 "read": {
 "*": "deny",
- "C:\\projects\\manual_slop_tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2_failures\\**": "allow"
+ "C:\\projects\\manual_slop_tier2\\**": "allow"
 },
 "write": {
 "*": "deny",
- "C:\\projects\\manual_slop_tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2\\**": "allow",
- "C:\\Users\\Ed\\AppData\\Local\\manual_slop\\tier2_failures\\**": "allow"
+ "C:\\projects\\manual_slop_tier2\\**": "allow"
 },
 "bash": {
 "*": "allow",
+ "*AppData\\*": "deny",
 "*AppData\\Local\\Temp\\*": "deny",
 "git push*": "deny",
 "git checkout*": "deny",
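Review bot: The `"*AppData\\*": "deny"` rule added in the `@@ -43,6 +39,7 @@` hunk is a match on the command text, so it only covers commands that spell the path with a literal `AppData\` segment. A command that uses forward slashes (the commit message itself writes `AppData/Local/...`), an environment variable such as `$env:TEMP` or `%LOCALAPPDATA%`, different casing if the matcher is case-sensitive, or an allow-listed `uv run python scripts/tier2/*` script that resolves the default temp directory internally would not match it. I would add the sibling rule `"*AppData/*": "deny",` and treat both as a guard-rail, with the actual restriction coming from pointing `TEMP`/`TMP` at the Tier 2 clone or from filesystem ACLs on the account the agent runs as. The same applies to the identical rule added to the tier2-autonomous `bash` block in the `@@ -58,18 +55,15 @@` hunk. The `bash` object starts above this hunk and continues below it.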
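Review bot: In the `@@ -58,18 +55,15 @@` hunk the tier2-autonomous block keeps `"edit": "allow"` and `"bash": { "*": "allow" }`, so the narrowed `write` list may not bind and the two `*AppData…` patterns are the only bash-side barrier for this agent. If the OpenCode version in use routes file writes through the `edit` permission (worth confirming against its permission documentation), the blanket `"edit": "allow"` would permit writes outside `C:\\projects\\manual_slop_tier2\\**` regardless of the `write` block. Scoping it the same way, `"edit": { "*": "deny", "C:\\projects\\manual_slop_tier2\\**": "allow" }`, would make the agent's write surface match what the commit message describes. The top-level block in the first hunk has `"edit": "deny"` and is not affected; this agent block starts above the hunk and its `bash` object continues below it.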