OpenCode plugin that records permission prompts and replies to local JSONL audit logs.
The plugin writes one JSON object per line for permission activity, including:
- prompt, grant, and denial outcomes
- session, request, message, and tool call identifiers when available
- permission type, title, patterns, and metadata
- project directory and worktree
Logs are written to:
~/.local/share/opencode/permission-audit/
Set OPENCODE_PERMISSION_AUDIT_DIR to use a different directory.
Install dependencies and build the package:
bun install
bun run buildFor local OpenCode use, copy the plugin source into your OpenCode plugin directory:
bun run install:localThat writes:
~/.config/opencode/plugins/permission-audit.ts
Then add the plugin to your OpenCode config if it is not already enabled:
{
"plugin": ["permission-audit"]
}The plugin maintains two log streams:
<sessionID>.jsonl: entries for one OpenCode sessionlatest.jsonl: appended stream across sessions
The log directory is chmodded to 0700, and log files are chmodded to 0600 when the platform supports it.
Example entry:
{
"version": 1,
"timestamp": "2026-04-30T00:00:00.000Z",
"source": "event.permission.asked",
"outcome": "prompted",
"sessionID": "session-1",
"requestID": "request-1",
"permission": "bash",
"patterns": ["npm test"],
"directory": "/path/to/repo",
"worktree": "/path/to/repo"
}Generate an evidence-backed permission report:
bunx opencode-permission-audit report --since 7dFor local development:
bun src/cli.ts report --since 7d --min-approvals 2The report groups repeated permission decisions and suggests opencode.json rules only when a pattern has enough grants and no denials. Review suggestions before applying them.
bun install
bun run checkUseful commands:
bun run typecheckbun run lintbun run testbun run buildbun run format
Permission audit logs may contain command patterns, project paths, and tool metadata. Treat the log directory as private data. Do not commit generated logs.
Report security concerns privately using the guidance in SECURITY.md.
MIT. See LICENSE.