feat(guardrails): add remaining 5 CC agent definitions #117

Merged
terisuke merged 1 commit into dev from feat/guardrails-remaining-agents
Apr 6, 2026

@terisuke terisuke commented Apr 6, 2026

Issue for this PR

Closes #110

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Adds the final 5 Claude Code agent definitions that were missing from the OpenCode guardrails profile, bringing agent parity to 100% (31 agents total, covering all 26 CC agents + 5 OC originals).

New agents:

| Agent | Mode | Key design decision |
| --- | --- | --- |
| code-reviewer | subagent (read-only) | Expert code review with confidence-based severity filtering |
| database-administrator | subagent (read-only) | DB admin with read-only diagnostic bash commands (psql, mysql, mongosh, redis-cli) |
| mobile-developer | subagent (edit/write) | React Native + Flutter with standard implement-like permissions |
| refactor-cleaner | subagent (edit/write ask) | Dead code cleanup with scoped bash (knip, depcheck, ts-prune only) |
| security-reviewer | subagent (read-only) | OWASP Top 10 + CWE detection, proactive trigger on auth/input changes |

Security: findLast pitfall avoided — No agent-level read: or grep: blocks are set. All agents inherit profile-level secret file deny rules (.env, .pem, .key, credentials, etc.) via the profile's opencode.json permission config. This follows the established pattern of review.md, investigate.md, and security.md.

How did you verify your code works?

  1. Typecheck: bun turbo typecheck — 13/13 pass
  2. Build: bun run --filter opencode build — smoke test pass
  3. Binary execution: opencode --version outputs correctly
  4. Code review: Ran code-reviewer agent, fixed CRITICAL findLast pitfall (removed agent-level read/grep overrides)

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

Copilot AI review requested due to automatic review settings April 6, 2026 10:25
…r, database-administrator, mobile-developer, refactor-cleaner, security-reviewer)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

Adds the final missing Claude Code–parity agent definitions to the packages/guardrails profile so they can be loaded as OpenCode agents (bringing the profile to the stated full agent set).

Changes:

  • Added new read-only review agents: code-reviewer and security-reviewer
  • Added a read-only diagnostic database-administrator agent with a DB CLI bash allowlist
  • Added write-capable agents mobile-developer and refactor-cleaner (with permission constraints)

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| packages/guardrails/profile/agents/security-reviewer.md | Adds a read-only security-focused reviewer agent definition. |
| packages/guardrails/profile/agents/refactor-cleaner.md | Adds a refactor/cleanup agent definition, including bash allowlist and ask-gated edits. |
| packages/guardrails/profile/agents/mobile-developer.md | Adds a mobile-focused implementation agent definition with implement-like bash deny rules. |
| packages/guardrails/profile/agents/database-administrator.md | Adds a read-only DBA agent definition with DB CLI diagnostic command allowlist. |
| packages/guardrails/profile/agents/code-reviewer.md | Adds a read-only code quality reviewer agent definition. |

Comment on lines +12 to +18
"npx knip*": allow
"npx depcheck*": allow
"npx ts-prune*": allow
"npx eslint*": allow
"bun run *": allow
"bun test*": allow
"npm run*": allow
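
Review bot: `"npx knip*"`, `"npx depcheck*"` and `"npx ts-prune*"` have no space before the wildcard, so if `*` matches any run of characters they also admit any package whose name merely begins with `knip`, `depcheck` or `ts-prune`, and npx can fetch and run a package that is not installed locally. Separate the tool name from its arguments the way `"bun run *"` does, and consider calling the locally installed binaries rather than resolving them through npx. The same missing separator applies to `"bun test*"` and `"npm run*"`.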

Copilot AI Apr 6, 2026

The bash allowlist here is broader than the PR description/issue requirement (“scoped bash … knip/depcheck/ts-prune only”). Allowing bun run *, npm run*, and npx eslint* can execute arbitrary project scripts/binaries (including destructive ones) despite the intent of a narrowly-scoped refactor-cleaner. Tighten the bash allowlist to only the intended analysis commands (and any strictly necessary read-only helpers like git diff/status/log, ls, pwd, which).

Copilot uses AI. Check for mistakes.
Comment on lines +19 to +22
"psql --version*": allow
"psql -c 'EXPLAIN *": allow
"psql -c 'SELECT *": allow
"psql -c '\\d*": allow
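
Review bot: the `"psql -c 'EXPLAIN *"` rule also admits `EXPLAIN ANALYZE`, which executes the statement it explains, so an `EXPLAIN ANALYZE` wrapped around an `UPDATE` or `DELETE` is a write. A command prefix cannot express that distinction, so back the read-only intent at the database: connect with a role limited to read privileges or a session with `default_transaction_read_only` enabled, and document that requirement next to these rules.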

Copilot AI Apr 6, 2026

Allowing arbitrary psql -c 'SELECT ...' is very broad for a “read-only diagnostic” agent: it can easily result in large data dumps/exfiltration and expensive queries (and Postgres also supports mutating forms like SELECT INTO). Consider narrowing the allowlist to safer diagnostics (e.g., EXPLAIN/catalog \d queries) or enforce constraints like requiring LIMIT / explicit schema-qualified tables.

"mysql --version*": allow
"mysql -e 'EXPLAIN *": allow
"mysql -e 'SHOW *": allow
"mysql -e 'SELECT *": allow
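
Review bot: `"mysql -e 'SELECT *"` also covers `SELECT ... INTO OUTFILE`, which writes a file on the database host when the account holds the FILE privilege, so this rule is not read-only by construction. Either drop the SELECT rule and keep the `EXPLAIN` and `SHOW` rules, or state in the agent definition that it must run under an account with SELECT-only grants.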

Copilot AI Apr 6, 2026

Similarly, allowing mysql -e 'SELECT ...' is broad for a diagnostic-only DBA agent and can lead to full-table reads or expensive queries. Consider restricting to EXPLAIN/SHOW-only patterns (or requiring SELECT statements to include LIMIT) to better align with the agent’s read-only diagnostic intent.

Suggested change
"mysql -e 'SELECT *": allow

@terisuke terisuke force-pushed the feat/guardrails-remaining-agents branch from 06fcb0b to 0a50eec April 6, 2026 10:30
@terisuke terisuke merged commit 8c1ff9f into dev Apr 6, 2026
4 of 6 checks passed
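
Added example, not part of the PR or OpenCode's own code: a small auditor that runs bash patterns quoted in the review comments against constructed commands, and shows the last-match-wins override that the description calls the findLast pitfall. It assumes `*` matches any run of characters and that the last matching rule decides; `decide`, `auditBash`, `readDecision`, the probe commands and the read rules are all hypothetical.

```javascript
// Added example: hypothetical evaluator, not OpenCode's implementation.
// Assumption: "*" matches any run of characters and the whole input must match.
function globToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, "[\\s\\S]*") + "$");
}

// Assumption: rules are checked in order and the LAST match decides (findLast).
function decide(rules, input, fallback = "ask") {
  const hit = rules.findLast(([pattern]) => globToRegExp(pattern).test(input));
  return hit ? hit[1] : fallback;
}

// Bash patterns quoted in the review comments on this page.
const bashRules = [
  ["npx knip*", "allow"],
  ["bun run *", "allow"],
  ["psql -c 'EXPLAIN *", "allow"],
  ["psql -c 'SELECT *", "allow"],
  ["mysql -e 'SELECT *", "allow"],
];

// Constructed commands that go beyond a narrowly scoped, read-only intent.
const probes = [
  "npx knip-lookalike-pkg",                       // different package, same prefix
  "bun run deploy",                               // arbitrary project script
  "psql -c 'EXPLAIN ANALYZE DELETE FROM users'",  // ANALYZE executes the statement
  "psql -c 'SELECT * INTO copy FROM users'",      // SELECT INTO creates a table
  "mysql -e 'SELECT * FROM customers'",           // unbounded full-table read
];

// Returns the probes that the allowlist would let through without asking.
function auditBash() {
  return probes.filter((cmd) => decide(bashRules, cmd) === "allow");
}

// Constructed profile-level deny rules and a hypothetical agent-level read block.
const profileRead = [["*", "allow"], ["*.env", "deny"], ["*.pem", "deny"]];
const agentRead = [["*", "allow"]];

// With the agent block appended, its later "*" rule shadows the profile denies.
function readDecision(path, withAgentBlock) {
  const rules = withAgentBlock ? [...profileRead, ...agentRead] : profileRead;
  return decide(rules, path);
}

console.log(auditBash());
console.log(readDecision("config/.env", false), readDecision("config/.env", true));
```
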
Development

Successfully merging this pull request may close these issues.

feat(guardrails): remaining 5 CC agent definitions to OC
