Deny gated permissions in headless runs; drop the session wildcard (#26)#34
Merged
TheRealDinghyDog merged 1 commit intoJul 10, 2026
Merged
Conversation
Write turns previously created sessions with a bare
`{permission: "*", action: "allow", pattern: "*"}` rule and answered every
permission.asked with "always". OpenCode merges session rules AFTER the
agent ruleset and resolves with the LAST matching rule, so the wildcard
silently stripped the stock build agent's safety guards
(external_directory/.env reads/doom_loop stay on "ask"), and the
auto-"always" responder would have approved any that survived.
Send no session-level permission rules at all — the stock build agent's
ruleset (wildcard allow + ask-guards, plus its own tool-output allowances)
is exactly the intended headless write profile — and reject every headless
permission ask with a diagnostic naming the gated category. Under the
stock agents an ask only fires when a guard trips, so routine write turns
stay approval-free.
Also documents that OpenCode permissions are approval controls rather than
an OS sandbox, updates the fake fixture so workspace edits are ungated
while a gated ask must be denied, and marks the original auto-approve
design in the adaptation plan as superseded.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #26 (review finding H-01).
Problem
Write turns created sessions with a bare
{permission: "*", action: "allow", pattern: "*"}rule and answered everypermission.askedwith"always". Verified against OpenCode v1.17.15 source (Permission.merge+evaluate): session rules are appended after the agent's ruleset and each request resolves to the last matching rule, so the session wildcard silently stripped the stockbuildagent's safety guards (external_directory: ask,.env/.env.*reads: ask,doom_loop: ask) — and the auto-"always"responder would have approved any ask that survived. The rescue subagent defaults to--write, making this the default posture for delegated implementation tasks.Fix
permissionrules at all. The stockbuildagent's ruleset (wildcard allow + ask-guards + its machine-specific allowances for OpenCode's own tool-output directories) is exactly the intended headless write profile. Any session-level override — including a re-asserted guard — would clobber parts of it under last-match-wins.buildagent; marked the original auto-approve design indocs/opencode-adaptation-plan.mdas superseded.Tests
"reject", and only the workspace edit appears intouchedFiles.npm test: 81 passed, 0 failed, 0 skipped (localhost integration included).True end-to-end enforcement (a live model attempting an out-of-workspace edit) requires a provider-backed turn and is deferred to the release checklist, consistent with the review's own verification scope.
🤖 Generated with Claude Code