feat: make openspec-plan agent permissions fully explicit#8
Merged
Octane0411 merged 2 commits intoOctane0411:mainfrom Mar 23, 2026
Merged
Conversation
- Add explicit allow/deny for all OpenCode permission keys - read: allow all, deny .env files - edit: deny * base, allow only spec files (project.md, AGENTS.md, openspec/**, specs/**) - bash: deny * base, allow read-only filesystem and git read commands - Add explicit allow for glob, grep, list, lsp, todoread, todowrite - Add explicit allow for webfetch, websearch, codesearch, task, skill, question - Keep doom_loop and external_directory as ask (safety guards)
Contributor
Author
The .env deny rules gave a false sense of security since bash tools (cat, grep) could still access them. Agent is trusted with full read access to the project. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Owner
|
Thanks for the PR! I added a small commit to remove the .env deny rules — since bash tools like cat/grep can still access them anyway, the deny gave a false sense of security. Merged. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
openspec-planagent previously only declarededitpermissions, leavingall other tools (read, bash, glob, grep, etc.) as implicit — relying on
OpenCode's global defaults.
This made the agent's actual capabilities opaque and created a risk of unintended access.
This PR replaces the minimal permission block with a fully explicit declaration
covering every OpenCode permission key relevant to the agent.
Changes
src/config.ts—openSpecAgent.permissionread
.envfiles (a spec agent has no need for secrets)edit
"*": "deny"— nothing is editable by defaultallowonly for spec targets:project.md,AGENTS.md,openspec/**,specs/**bash
"*": "deny"— no arbitrary shell executiongrep,ls,cat,find,echo,pwd,which,env,printenvgit status*,git log*,git diff*,git show*(useful for repo context without risk of mutations)
All other tools
Explicitly declared as
alloworaskinstead of relying on defaults:glob,grep,list,lsp— allow (read-only exploration)todoread,todowrite— allow (internal task tracking)webfetch,websearch,codesearch— allow (doc/reference lookup)task,skill,question— allow (subagents and user interaction)doom_loop,external_directory— ask (safety guards, unchanged)Why last-match-wins matters here
OpenCode evaluates granular permission rules in order, with the last matching
rule winning. For
editandbash, the catch-all"*": "deny"is placedfirst so that the specific
allowrules after it correctly override it.No functional change for spec files
The set of files the agent can edit is identical to before. This PR only makes
the full permission surface explicit and adds a deny baseline for everything
outside that set.