107 changes: 107 additions & 0 deletions .opencode/opencode.jsonc
@@ -6,9 +6,116 @@
},
},
"permission": {
// Read operations: allow by default, deny sensitive files
// Mirrors Claude Code's Read allow + .env/.secrets deny
"read": {
"*": "allow",
".env": "deny",
".env.*": "deny",
"**/.env": "deny",
"**/.env.*": "deny",
"secrets/**": "deny",
"**/secrets/**": "deny",
Comment on lines +11 to +18
Copilot AI Apr 4, 2026

In read, patterns like .env and .env.* are unlikely to match because the Read tool checks permissions against an absolute file path (e.g. /repo/.env). The **/.env* entries will work, but the non-globbed variants are effectively dead rules and can be misleading. Consider using patterns like *.env / *.env.* (as in the guardrails configs) or dropping the redundant entries to keep the rule set clear.

},
// Edit operations: allow by default (Claude Code's acceptEdits mode)
// Deny migration files and sensitive configs
"edit": {
"*": "allow",
"packages/opencode/migration/*": "deny",
".env": "deny",
".env.*": "deny",
"**/.env": "deny",
"**/.env.*": "deny",
},
Comment on lines +20 to +29
Copilot AI Apr 4, 2026

The PR description says it adds .env/secrets deny rules for both read and edit, but edit only denies .env* patterns and does not deny secrets/** (or **/secrets/**). Either add the secrets deny patterns under edit as well, or update the PR description to match the actual behavior.

// File search: always allow (Claude Code allows Glob/Grep unconditionally)
"glob": "allow",
"grep": "allow",
"list": "allow",
// Bash: pattern-based control mirroring Claude Code's Bash whitelist
"bash": {
"*": "ask",
// JS/TS toolchain
"node *": "allow",
"npm *": "allow",
"npx *": "allow",
"pnpm *": "allow",
"bun *": "allow",
"bunx *": "allow",
"yarn *": "allow",
"turbo *": "allow",
"tsc *": "allow",
// Python toolchain
"python *": "allow",
"python3 *": "allow",
"pip *": "allow",
"pip3 install *": "allow",
"uv *": "allow",
// Linters/formatters
"eslint *": "allow",
"prettier *": "allow",
"biome *": "allow",
// Test runners
"jest *": "allow",
"vitest *": "allow",
"playwright *": "allow",
// Git operations
"git *": "allow",
"gh *": "allow",
// System utilities
"ls *": "allow",
"wc *": "allow",
"lsof *": "allow",
"test *": "allow",
"set *": "allow",
"dig *": "allow",
"nslookup *": "allow",
"cat *": "allow",
"head *": "allow",
"tail *": "allow",
Comment on lines +72 to +74
Copilot AI Apr 4, 2026

The PR description/test plan says .env access should be denied, but the bash whitelist includes cat * (and other file-reading tools). That allows cat .env without prompting/denial, bypassing the read/edit deny rules. If the intent is to block .env/secrets access, consider removing cat from the allow-list (leave it as ask) and/or adding explicit bash deny patterns for .env*/**/.env* and **/secrets/** (plus similar read utilities like head/tail).

Suggested change
"cat *": "allow",
"head *": "allow",
"tail *": "allow",
// File-reading commands must not bypass sensitive-file deny rules
"cat .env": "deny",
"cat .env.*": "deny",
"cat **/.env": "deny",
"cat **/.env.*": "deny",
"cat secrets/**": "deny",
"cat **/secrets/**": "deny",
"head .env": "deny",
"head .env.*": "deny",
"head **/.env": "deny",
"head **/.env.*": "deny",
"head secrets/**": "deny",
"head **/secrets/**": "deny",
"tail .env": "deny",
"tail .env.*": "deny",
"tail **/.env": "deny",
"tail **/.env.*": "deny",
"tail secrets/**": "deny",
"tail **/secrets/**": "deny",
"cat *": "ask",
"head *": "ask",
"tail *": "ask",

"mkdir *": "allow",
"cp *": "allow",
"mv *": "allow",
"touch *": "allow",
"chmod *": "allow",
"which *": "allow",
"echo *": "allow",
"pwd": "allow",
"env *": "allow",
"sort *": "allow",
"uniq *": "allow",
"diff *": "allow",
"grep *": "allow",
"find *": "allow",
"sed *": "allow",
"awk *": "allow",
"xargs *": "allow",
// Network
"curl *": "allow",
"openssl *": "allow",
// Container/Cloud
"docker *": "allow",
"vercel *": "allow",
"supabase *": "allow",
// Dangerous operations: deny
"rm -rf *": "deny",
"sudo *": "deny",
"git push --force*": "deny",
Copilot AI Apr 4, 2026

git push --force* won't match common force-push forms like git push origin main --force or git push --force-with-lease because the pattern requires --force immediately after git push. Since git * is allowed above, those commands would be allowed. Consider adding deny patterns such as git push * --force* (and potentially git push * --force-with-lease*) to reliably block force pushes.

Suggested change
"git push --force*": "deny",
"git push --force*": "deny",
"git push * --force*": "deny",
"git push * --force-with-lease*": "deny",

"git push -f *": "deny",
"curl * | sh*": "deny",
"curl * | bash*": "deny",
},
// Web operations: allow (Claude Code allows WebSearch, WebFetch)
"websearch": "allow",
"webfetch": "allow",
"codesearch": "allow",
// Tool integrations: allow
"lsp": "allow",
"task": "allow",
"skill": "allow",
"question": "allow",
"todowrite": "allow",
// External directory access: ask (security boundary)
"external_directory": "ask",
},
"mcp": {},
"tools": {
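Review bot: The `.env`/`secrets` deny rules under `read` and `edit` stop being a boundary once `bash` unconditionally allows tools that read files, and the problem is wider than the `cat`/`head`/`tail` entries already flagged: `sed *`, `awk *`, `grep *`, `find *`, `sort *`, `diff *`, `xargs *` and every interpreter on the list (`node *`, `python *`, `python3 *`, `bun *`) can print any file, `env *` dumps the process environment, and `curl *` is allowed in the same block. Because `"*": "ask"` is the fallback, each of these `allow` entries removes the prompt that would otherwise stand in for the deny. Suggest keeping the interpreters and the text utilities on `ask` (or narrowing them, e.g. `"python -m pytest *": "allow"`), or changing the comment on the `read` block to say the sensitive-file deny applies to the Read/Edit tools only. Two related inconsistencies in the same block: `"docker *": "allow"` next to `"sudo *": "deny"` does not hold, since access to the Docker daemon is root-equivalent on the host; and `npx *`, `bunx *` and `pip3 install *` fetch and execute arbitrary registry packages, which leaves the `curl * | sh*` / `curl * | bash*` deny entries largely cosmetic. Finally, the `rm -rf *` and `git push -f *` patterns each match one spelling: `rm -fr` or `rm -r -f` fall through to `*` (ask), which is acceptable, but a bare `git push -f` with no trailing argument may not match `git push -f *` depending on how the matcher treats the trailing `*`, and would then resolve to `git *`: allow. Worth a short comment in the file stating that the deny list documents intent rather than enforcing it, or tightening `git *` to the read-only subcommands.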