fix: enforce read-only mode for JSON line agents and pass customModel in CLI

src/cli/commands/send.ts

@@ -110,6 +110,7 @@ export async function send(
 	// Spawn agent — spawnAgent handles --resume vs --session-id internally
 	const result = await spawnAgent(agent.toolType, agent.cwd, message, options.session, {
 		readOnlyMode: options.readOnly,
+		customModel: agent.customModel,
 	});
 	const response = buildResponse(agentId, agent.name, result, agent.toolType);
 

src/cli/services/agent-spawner.ts

@@ -22,9 +22,11 @@ const CLAUDE_ARGS = [
 	'--verbose',
 	'--output-format',
 	'stream-json',
-	'--dangerously-skip-permissions',
 ];
 
+// Permission bypass arg for Claude — skipped in read-only mode
+const CLAUDE_YOLO_ARGS = ['--dangerously-skip-permissions'];
+
 // Cached paths per agent type (resolved once at startup)
 const cachedPaths: Map<string, string> = new Map();
 
@@ -192,6 +194,9 @@ async function spawnClaudeAgent(
 			if (def?.readOnlyEnvOverrides) {
 				Object.assign(env, def.readOnlyEnvOverrides);
 			}
+		} else {
+			// Only bypass permissions in non-read-only mode
+			args.push(...CLAUDE_YOLO_ARGS);
 		}
 
 		if (agentSessionId) {
@@ -355,7 +360,8 @@ async function spawnJsonLineAgent(
 	cwd: string,
 	prompt: string,
 	agentSessionId?: string,
-	_readOnlyMode?: boolean
+	readOnlyMode?: boolean,
+	customModel?: string
 ): Promise<AgentResult> {
 	return new Promise((resolve) => {
 		const env = buildExpandedEnv();
@@ -368,11 +374,29 @@ async function spawnJsonLineAgent(
 			}
 		}
 
+		// Apply read-only mode env overrides from agent definition
+		if (readOnlyMode && def?.readOnlyEnvOverrides) {
+			Object.assign(env, def.readOnlyEnvOverrides);
+		}
+
 		// Build args from agent definition
 		const args: string[] = [];
 		if (def?.batchModePrefix) args.push(...def.batchModePrefix);
-		if (def?.batchModeArgs) args.push(...def.batchModeArgs);
+
+		// In read-only mode, filter out YOLO/bypass args from batchModeArgs
+		// (they override read-only flags). In normal mode, apply all batchModeArgs.
+		if (def?.batchModeArgs) {
+			if (readOnlyMode && def.yoloModeArgs?.length) {
+				const yoloSet = new Set(def.yoloModeArgs);
+				args.push(...def.batchModeArgs.filter((a) => !yoloSet.has(a)));
+			} else {
+				args.push(...def.batchModeArgs);
+			}
+		}
+
 		if (def?.jsonOutputArgs) args.push(...def.jsonOutputArgs);
+		if (readOnlyMode && def?.readOnlyArgs) args.push(...def.readOnlyArgs);
+		if (customModel && def?.modelArgs) args.push(...def.modelArgs(customModel));
 
 		if (agentSessionId && def?.resumeArgs) {
 			args.push(...def.resumeArgs(agentSessionId));
@@ -477,6 +501,8 @@ export interface SpawnAgentOptions {
 	agentSessionId?: string;
 	/** Run in read-only/plan mode (uses centralized agent definitions for provider-specific flags) */
 	readOnlyMode?: boolean;
+	/** Custom model ID from agent config (e.g., 'github-copilot/gpt-5-mini') */
+	customModel?: string;
 }
 
 /**
@@ -490,13 +516,14 @@ export async function spawnAgent(
 	options?: SpawnAgentOptions
 ): Promise<AgentResult> {
 	const readOnly = options?.readOnlyMode;
+	const customModel = options?.customModel;
 
 	if (toolType === 'claude-code') {
 		return spawnClaudeAgent(cwd, prompt, agentSessionId, readOnly);
 	}
 
 	if (hasCapability(toolType, 'usesJsonLineOutput')) {
-		return spawnJsonLineAgent(toolType, cwd, prompt, agentSessionId);
+		return spawnJsonLineAgent(toolType, cwd, prompt, agentSessionId, readOnly, customModel);
 	}
 
 	return {

src/cli/services/batch-processor.ts

@@ -440,7 +440,9 @@ export async function* runPlaybook(
 				}
 
 				// Spawn agent with combined prompt + document
-				const result = await spawnAgent(session.toolType, session.cwd, finalPrompt);
+				const result = await spawnAgent(session.toolType, session.cwd, finalPrompt, undefined, {
+					customModel: session.customModel,
+				});
 
 				const elapsedMs = Date.now() - taskStartTime;
 

src/main/agents/definitions.ts

@@ -275,10 +275,12 @@ export const AGENT_DEFINITIONS: AgentDefinition[] = [
 			OPENCODE_CONFIG_CONTENT:
 				'{"permission":{"*":"allow","external_directory":"allow","question":"deny"},"tools":{"question":false}}',
 		},
-		// In read-only mode, strip blanket permission grants so the plan agent can't auto-approve file writes.
+		// In read-only mode, keep blanket permission grants to prevent stdin prompts that hang batch mode.
+		// Read-only enforcement comes from --agent plan (readOnlyArgs), not env config.
 		// Keep question tool disabled to prevent stdin hangs in batch mode.
 		readOnlyEnvOverrides: {
-			OPENCODE_CONFIG_CONTENT: '{"permission":{"question":"deny"},"tools":{"question":false}}',
+			OPENCODE_CONFIG_CONTENT:
+				'{"permission":{"*":"allow","external_directory":"allow","question":"deny"},"tools":{"question":false}}',
 		},
 		// Agent-specific configuration options shown in UI
 		configOptions: [

src/shared/types.ts

@@ -36,6 +36,7 @@ export interface SessionInfo {
 	cwd: string;
 	projectRoot: string;
 	autoRunFolderPath?: string;
+	customModel?: string;
 }
 
 // Usage statistics from AI agent CLI (Claude Code, Codex, etc.)