diff --git a/.opencode/opencode.jsonc b/.opencode/opencode.jsonc
index 8380f7f719ef..7b52fe86ea57 100644
--- a/.opencode/opencode.jsonc
+++ b/.opencode/opencode.jsonc
@@ -6,9 +6,110 @@
 },
 },
 "permission": {
+ // IMPORTANT: These permissions MUST be set at project-level because
+ // user-level config (~/.config/opencode/opencode.jsonc) has LOWER priority
+ // than project-level config. See issue #31 for details.
+ "read": {
+ "*": "allow",
+ ".env": "deny",
+ ".env.*": "deny",
+ "**/.env": "deny",
+ "**/.env.*": "deny",
+ "secrets/**": "deny",
+ "**/secrets/**": "deny",
+ },
 "edit": {
+ "*": "allow",
 "packages/opencode/migration/*": "deny",
+ ".env": "deny",
+ ".env.*": "deny",
+ "**/.env": "deny",
+ "**/.env.*": "deny",
+ },
+ "glob": "allow",
+ "grep": "allow",
+ "list": "allow",
+ "bash": {
+ "*": "ask",
+ // JS/TS toolchain
+ "node *": "allow",
+ "npm *": "allow",
+ "npx *": "allow",
+ "pnpm *": "allow",
+ "bun *": "allow",
+ "bunx *": "allow",
+ "yarn *": "allow",
+ "turbo *": "allow",
+ "tsc *": "allow",
+ // Python toolchain
+ "python *": "allow",
+ "python3 *": "allow",
+ "pip *": "allow",
+ "pip3 install *": "allow",
+ "uv *": "allow",
+ // Linters/formatters
+ "eslint *": "allow",
+ "prettier *": "allow",
+ "biome *": "allow",
+ // Test runners
+ "jest *": "allow",
+ "vitest *": "allow",
+ "playwright *": "allow",
+ // Git operations
+ "git *": "allow",
+ "gh *": "allow",
+ // System utilities
+ "ls *": "allow",
+ "wc *": "allow",
+ "lsof *": "allow",
+ "test *": "allow",
+ "set *": "allow",
+ "dig *": "allow",
+ "nslookup *": "allow",
+ "cat *": "allow",
+ "head *": "allow",
+ "tail *": "allow",
+ "mkdir *": "allow",
+ "cp *": "allow",
+ "mv *": "allow",
+ "touch *": "allow",
+ "chmod *": "allow",
+ "which *": "allow",
+ "echo *": "allow",
+ "pwd": "allow",
+ "env *": "allow",
+ "sort *": "allow",
+ "uniq *": "allow",
+ "diff *": "allow",
+ "grep *": "allow",
+ "find *": "allow",
+ "sed *": "allow",
+ "awk *": "allow",
+ "xargs *": "allow",
+ // Network
+ "curl *": "allow",
+ "openssl *": "allow",
+ // Container/Cloud
+ "docker *": "allow",
+ "vercel *": "allow",
+ "supabase *": "allow",
+ // Dangerous operations: deny
+ "rm -rf *": "deny",
+ "sudo *": "deny",
+ "git push --force*": "deny",
+ "git push -f *": "deny",
+ "curl * | sh*": "deny",
+ "curl * | bash*": "deny",
 },
+ "websearch": "allow",
+ "webfetch": "allow",
+ "codesearch": "allow",
+ "lsp": "allow",
+ "task": "allow",
+ "skill": "allow",
+ "question": "allow",
+ "todowrite": "allow",
+ "external_directory": "ask",
 },
 "mcp": {},
 "tools": {