101 changes: 101 additions & 0 deletions .opencode/opencode.jsonc
@@ -6,9 +6,110 @@
},
},
"permission": {
// IMPORTANT: These permissions MUST be set at project-level because
// user-level config (~/.config/opencode/opencode.jsonc) has LOWER priority
// than project-level config. See issue #31 for details.
"read": {
"*": "allow",
".env": "deny",
".env.*": "deny",
"**/.env": "deny",
"**/.env.*": "deny",
"secrets/**": "deny",
"**/secrets/**": "deny",
},
"edit": {
"*": "allow",
"packages/opencode/migration/*": "deny",
".env": "deny",
".env.*": "deny",
"**/.env": "deny",
"**/.env.*": "deny",
},
"glob": "allow",
"grep": "allow",
Copilot AI Apr 4, 2026

grep is set to allow, but the grep tool’s permission check is only against the search pattern (not the files searched) and it runs ripgrep across the repo (including hidden files). That means secrets in .env can still be discovered via grep even though read denies .env. If the intent is “.env access is denied”, consider setting grep back to ask/deny (or narrowing it), since the permission model can’t currently restrict grep by filepath.

Suggested change
"grep": "allow",
"grep": "ask",

"list": "allow",
"bash": {
"*": "ask",
// JS/TS toolchain
"node *": "allow",
"npm *": "allow",
"npx *": "allow",
"pnpm *": "allow",
"bun *": "allow",
"bunx *": "allow",
"yarn *": "allow",
"turbo *": "allow",
"tsc *": "allow",
// Python toolchain
"python *": "allow",
"python3 *": "allow",
"pip *": "allow",
"pip3 install *": "allow",
"uv *": "allow",
// Linters/formatters
"eslint *": "allow",
"prettier *": "allow",
"biome *": "allow",
// Test runners
"jest *": "allow",
"vitest *": "allow",
"playwright *": "allow",
// Git operations
"git *": "allow",
"gh *": "allow",
// System utilities
"ls *": "allow",
"wc *": "allow",
"lsof *": "allow",
"test *": "allow",
"set *": "allow",
"dig *": "allow",
"nslookup *": "allow",
"cat *": "allow",
"head *": "allow",
"tail *": "allow",
"mkdir *": "allow",
Comment on lines +69 to +72
Copilot AI Apr 4, 2026

The goal/test plan says “.env file access is denied”, but bash is configured to allow cat * / head * / tail * without prompting. The bash tool does not consult read permissions for files referenced in shell commands, so cat .env (and similar) will still be auto-approved. To actually block .env reads, add explicit bash deny rules that match .env paths (e.g., deny cat *.env*, head *.env*, tail *.env*, etc.), or change these commands back to ask/deny.

"cp *": "allow",
"mv *": "allow",
"touch *": "allow",
"chmod *": "allow",
"which *": "allow",
"echo *": "allow",
"pwd": "allow",
Copilot AI Apr 4, 2026

pwd is allowed only as an exact match ("pwd"). The bash tool requests permissions against the full command string, so pwd -P / pwd -L will still prompt even though the intent seems to be allowing basic shell utilities. Consider changing this to a wildcard form (e.g., pwd *) for consistency with other entries like ls */cat *.

Suggested change
"pwd": "allow",
"pwd *": "allow",

"env *": "allow",
"sort *": "allow",
"uniq *": "allow",
"diff *": "allow",
"grep *": "allow",
"find *": "allow",
"sed *": "allow",
"awk *": "allow",
"xargs *": "allow",
// Network
"curl *": "allow",
"openssl *": "allow",
// Container/Cloud
"docker *": "allow",
"vercel *": "allow",
"supabase *": "allow",
// Dangerous operations: deny
"rm -rf *": "deny",
"sudo *": "deny",
"git push --force*": "deny",
"git push -f *": "deny",
"curl * | sh*": "deny",
"curl * | bash*": "deny",
Comment on lines +101 to +102
Copilot AI Apr 4, 2026

The deny rules for curl | sh / curl | bash rely on spaces around the pipe ("curl * | sh*"). The bash permission patterns are matched against the raw command text, so variants like curl ...|sh, curl ...| bash, or extra whitespace won’t match and will fall back to the broader "curl *": "allow" rule. Add additional deny patterns that cover common spacing variants (or change curl * to ask).

Suggested change
"curl * | sh*": "deny",
"curl * | bash*": "deny",
"curl * | sh*": "deny",
"curl *| sh*": "deny",
"curl * |sh*": "deny",
"curl *|sh*": "deny",
"curl * | bash*": "deny",
"curl *| bash*": "deny",
"curl * |bash*": "deny",
"curl *|bash*": "deny",

},
"websearch": "allow",
"webfetch": "allow",
"codesearch": "allow",
"lsp": "allow",
"task": "allow",
"skill": "allow",
"question": "allow",
"todowrite": "allow",
"external_directory": "ask",
},
"mcp": {},
"tools": {
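Review bot: the bash allowlist contains entries that can launch arbitrary programs, so the deny rules at the end of the block (`"rm -rf *"`, `"sudo *"`, the `"curl * | sh*"` pair) only stop the literal spellings they name. `"xargs *"`, `"env *"`, `"find *"` (through `-exec`) and `"awk *"`/`"sed *"` can each invoke any other command without a prompt, and `"npx *"`/`"bunx *"` fetch and execute a package from a registry, which is the same trust decision the `curl | sh` deny is meant to force a prompt for. Consider moving the launcher-style entries back to `"ask"` and reserving `"allow"` for commands that only read or transform files. Separately, the block relies on a deny pattern winning over a broader allow pattern (`"git push --force*"` vs `"git *"`, `"curl * | sh*"` vs `"curl *"`), and nothing in the file states how overlapping patterns resolve; a comment beside the deny section documenting that precedence would help in the same way the header comment does for project-level vs user-level config. Note also that `"git push --force*"` matches `git push --force-with-lease` as well, while `"git push -f *"` does not match a command where `-f` appears after the refspec, so both patterns deserve a second look.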