Permission system: bash commands can create files outside permitted directories

[hcoin18]

Bug Description

The permission system for external_directory in opencode.json only blocks file writes via the write/edit tools for non-permitted directories, but allows bash commands to create files outside permitted directories as a side effect.

Steps to Reproduce

1. Set up opencode.json with limited external_directory permissions:

{
  "permission": {
    "external_directory": {
      "/opt/ai/opencode/**": "allow",
      "/tmp/**": "allow"
    }
  }
}

2. Run a bash command that creates files outside permitted directories:

python3 -m venv /home/user/venv

3. The venv is created successfully in /home/user/, bypassing the permission system.

Expected Behavior

• The write/edit tools correctly block writes to non-permitted directories
• However, bash commands that create files as a side effect should also be blocked or require confirmation
• A configuration like write_confirmation_required: true at the permission level (or equivalent) should apply to all write operations including those via bash

Additional Context

The permission model is incomplete - it separates "direct file writes" (via tools) from "indirect file writes" (via bash commands). This creates a gap where users can inadvertently create files outside permitted directories.

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• external_directory permission bypassed by bash wildcard rules #17497: Similar report of external_directory permission being bypassed by bash commands (different trigger, same permission gap)