
Path-based read permissions not enforced; catch-all rules always take precedence #13646

@krasnikau-andrei

Description


Path-scoped read permissions don't work.

Configurations Attempted

~/.config/opencode/agents/s-manager.md

---
description: Lightweight workflow orchestrator - executes skills and subagents
  with read/write access to docs folder only
mode: primary
temperature: 0.3
permission:
  skill: allow
  task: allow
  todowrite: allow
  todoread: allow
  <read configuration here>
---

...

Below is the YAML part of the .md file for the agent configuration.

❌ Configuration 1 (Initial - Read tool disappeared)

permission:
  skill: allow
  task: allow
  todowrite: allow
  todoread: allow
  read:
    "docs/**": allow
    "game_docs/**": allow
    "*": deny

Expected: Agent can read only docs/** and game_docs/**

Actual:

Model tried to call unavailable tool 'read'. Available tools: invalid, bash, glob, grep, edit, write, task, webfetch, todowrite, skill, memory_list, memory_set, memory_replace, distill, prune.

❌ Configuration 2 (Added top-level allow - Back to unsecured)

permission:
  skill: allow
  task: allow
  todowrite: allow
  todoread: allow
  read: allow              # ← Added this
  read:
    "docs/**": allow
    "game_docs/**": allow
    "*": deny

Expected: Nested read: rules should restrict access

Actual:

  • Read tool reappears and is fully accessible
  • Top-level read: allow overwrites nested path configuration
  • Agent can read ANY file in working folder
  • Path restrictions completely ignored

❌ Configuration 3 (Removed top-level allow, rule order first)

permission:
  skill: allow
  task: allow
  todowrite: allow
  todoread: allow
  read:
    "*": deny                # ← Catch-all deny first
    "docs/**": allow         # ← Specific allows after
    "game_docs/**": allow

Expected: Last matching rule wins (per OpenCode docs) - specific allows after deny should work

Actual:

Error: The user has specified a rule which prevents you from using this specific tool call.
Here are the relevant rules:
[
  {"permission":"*","pattern":"*","action":"allow"},
  {"permission":"read","pattern":"*","action":"allow"},
  {"permission":"read","pattern":"*.env","action":"ask"},
  {"permission":"read","pattern":"*.env.*","action":"ask"},
  {"permission":"read","pattern":"*.env.example","action":"allow"},
  {"permission":"*","pattern":"*","action":"deny"},
  {"permission":"read","pattern":"docs/**","action":"allow"},
  {"permission":"read","pattern":"game_docs/**","action":"allow"}
]
  • Permission error shows "*" deny rule at position 6, allows at positions 7-8
  • Catch-all deny blocks before specific allows are reached
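The rule list in the error above is the most useful artifact in this report, because it can be replayed against any evaluation semantics a reader wants to test. The block below is an added example, not code from the issue or from the OpenCode code base: a minimal "last matching rule wins" evaluator fed that exact list. Its matching semantics are assumptions (both `*` and `**` match any run of characters including `/`, everything else is literal, a rule whose permission is `*` applies to every tool), so it shows what the documented ordering would produce, not what OpenCode's own matcher does. Under those assumptions the allow at position 7 does override the deny at position 6 for the relative path `docs/readme.md`, while the same file addressed by an absolute path never matches `docs/**` and falls through to the catch-all deny. That is one hypothesis to check when triaging this report (what form the path has when it reaches the matcher), not a diagnosed cause.

```typescript
// Added example (not from the issue or the OpenCode code base): a minimal
// "last matching rule wins" evaluator for permission rule lists shaped like
// the one printed in the Configuration 3 error. Assumed semantics, which may
// differ from OpenCode's real implementation: "*" and "**" both match any
// run of characters, including "/"; everything else is literal; a rule whose
// `permission` is "*" applies to every tool.

type Action = "allow" | "ask" | "deny";

interface Rule {
  permission: string;
  pattern: string;
  action: Action;
}

interface Verdict {
  action: Action;
  index: number; // zero-based position of the deciding rule
}

// Rule list copied from the error message in the issue (Configuration 3).
export const RULES: Rule[] = [
  { permission: "*", pattern: "*", action: "allow" },
  { permission: "read", pattern: "*", action: "allow" },
  { permission: "read", pattern: "*.env", action: "ask" },
  { permission: "read", pattern: "*.env.*", action: "ask" },
  { permission: "read", pattern: "*.env.example", action: "allow" },
  { permission: "*", pattern: "*", action: "deny" },
  { permission: "read", pattern: "docs/**", action: "allow" },
  { permission: "read", pattern: "game_docs/**", action: "allow" },
];

// Translate one glob pattern into an anchored regular expression.
export function globToRegExp(pattern: string): RegExp {
  let source = "";
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === "*") {
      while (pattern[i + 1] === "*") i++; // collapse "**" into one wildcard
      source += ".*";
    } else {
      source += pattern[i].replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp("^" + source + "$");
}

// Walk the list in order; the last rule that matches both the tool and the
// path decides. Returns null when nothing matches.
export function evaluate(rules: Rule[], permission: string, path: string): Verdict | null {
  let verdict: Verdict | null = null;
  for (let index = 0; index < rules.length; index++) {
    const rule = rules[index];
    if (rule.permission !== "*" && rule.permission !== permission) continue;
    if (globToRegExp(rule.pattern).test(path)) verdict = { action: rule.action, index };
  }
  return verdict;
}

// Constructed sample requests: the same docs file addressed relatively and
// absolutely, plus a file outside the allowed folders.
export const SAMPLES = [
  "docs/readme.md",
  "/Users/example/project/docs/readme.md",
  "notes.md",
];

for (const path of SAMPLES) {
  const v = evaluate(RULES, "read", path);
  // Positions are printed 1-based to line up with the issue's "position 6/7-8".
  console.log(path, "->", v ? `${v.action} (rule ${v.index + 1})` : "no match");
}
```

Running it prints `allow (rule 7)` for the relative path and `deny (rule 6)` for both the absolute path and `notes.md`. The practical takeaway for anyone restricting an agent this way: test the rule list against the path form the tool actually submits, and treat a catch-all that lands in the middle of the list as a sign that two scopes (the top-level `*` and the nested `read` map) were merged in an order the author did not write.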

Impact

Security issue - agents cannot be reliably restricted to specific file directories. Path-based permissions do not work as documented.

Plugins

No response

OpenCode version

1.1.60

Steps to reproduce

No response

Screenshot and/or share link

No response

Operating System

macOS

Terminal

Ghostty

Labels

bug (Something isn't working)
