feat: add read_env permission to allow reading .env files

[shkumbinhasani]

Summary

• Adds a new read_env permission option that allows users to explicitly opt-in to letting agents read .env files
• By default, .env files remain blocked (secure default)
• Only supports "allow" or "deny" (no "ask" option for simplicity)

Usage

Add to opencode.json:

{
  "permission": {
    "read_env": "allow"
  }
}

Changes

• packages/opencode/src/config/config.ts - Added read_env to permission schema
• packages/opencode/src/agent/agent.ts - Added read_env to agent permission type and merge function
• packages/opencode/src/tool/read.ts - Modified blocking logic to check permission
• packages/opencode/test/tool/read.test.ts - Added tests for the new permission