Unable to get permissions to work as intended

[JakeMHughes]

Question

I'm pretty new to opencode and I am trying to setup my permissions for everything (putting this in the ~/.config/opencode/opencode.json file). Essentially I want it so when I open opencode in a folder, opencode should be able to edit any file in that folder. but anything one folder up ( ../) should ask for permissions. Now, one of the reasons im having trouble testing this stuff, is because it feels like theres a constant workaround using bash skill.

For example, I set the "list" skill to deny but according to opencode "ls" under bash was allowed so it just ran that instead. I tried setting edit to the below, and asked the model to write hello to a temp file, and the permission was ignored and fell under bash rules because "echo 'Hello' > temp" was used instead

    "edit": {
      "./**": "allow",
      "*": "deny"
    }

So im mostly just looking for some help on what fundamental misunderstanding I have regarding the permissions. also is it possible to have allow for the "current" directory? I know I can hardcode a path, but I want the path to be determined at opencode load time

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Granular permissions not working (or documentation bad?) #20307: Granular permissions not working - very similar confusion about permission rules being bypassed/not applying as expected, including pattern matching behavior
• opencode not respecting permissions #8832: opencode not respecting permissions - permissions being ignored and tool bypassing them
• How are permissions applied in order? #16157: How are permissions applied in order? - question about how permission rules and ordering work

Please review these issues to see if your question is already answered or being tracked there.

[malhashemi]

Hey @JakeMHughes ,

Permissions are evaluated in order. So that last deny is revoking every allow that comes before it.