opencode icon indicating copy to clipboard operation
opencode copied to clipboard
Published 2 days ago verified publisher icon anomalyco

[BUG] Custom agent 'deny' permissions in opencode.json are ignored when invoked via SDK

Open ramarivera opened this issue 3 weeks ago • 1 comments

Description

Custom agents defined in opencode.json with explicit deny permissions have those permissions completely ignored when the agent is invoked via the OpenCode SDK. The agent can freely use denied tools.

This is related to but distinct from:

  • #3575 (agent prompt overrides work, but permissions are ignored)
  • #5894 (plugin hooks don't intercept subagent calls)
  • #5965 (feature request for SDK-level permission overrides)

The difference here is that I'm not trying to override built-in agents or use plugins - I have a custom agent with explicit denies that are simply not enforced.

Security Impact

This is a security issue for pipelines using OpenCode SDK to run constrained agents. Denied tools can be used freely, bypassing intended restrictions.

Environment

  • OpenCode Version: 1.0.218
  • OS: macOS (darwin)
  • Installation: npm

Reproduction Steps

1. Define a custom agent with denied tools in opencode.json:

{
  "agents": {
    "edit": {
      "model": "anthropic/claude-sonnet-4-20250514",
      "permission": {
        "read": { "*": "allow" },
        "write": { "*": "deny" },
        "edit": { "*.mdx": "allow", "*": "deny" },
        "glob": { "*": "allow" },
        "grep": { "*": "allow" },
        "bash": { "*": "deny" },
        "pty_spawn": "deny",
        "pty_write": "deny",
        "pty_read": "deny",
        "pty_list": "deny",
        "pty_kill": "deny"
      }
    }
  }
}

2. Create the agent prompt in .opencode/agent/edit.md:

You are a documentation editor focused on MDX files.
You should ONLY use read, edit, glob, and grep tools.
DO NOT use bash, PTY, or write tools.

3. Invoke the agent via SDK:

import { Session, Permissions } from "@opencode-ai/sdk"

const session = await Session.start({
  path: projectPath,
  agent: "edit"
})

const response = await session.prompt({
  thread: "main",
  text: "List all open beads issues"
})

4. Observe the agent using denied tools:

✓ pty_spawn: pty_spawn({"command":"bd","args":["list","--status=open"...) (112ms)
✓ pty_write: pty_write({"id":"pty_b4e0438a","data":"bd list --status=i...) (77ms)
✓ pty_read: pty_read({"id":"pty_b4e0438a","limit":50}) (6ms)

Expected Behavior

The agent should be blocked from using pty_spawn, pty_write, pty_read (and other denied tools). The SDK should enforce permissions defined in opencode.json.

Actual Behavior

The agent freely uses all denied tools. Permission denies have no effect when the agent is invoked via SDK.

Additional Context

The agent prompt correctly includes the custom .opencode/agent/edit.md content, so the agent definition is being loaded. Only the permissions are ignored.

This was discovered in a documentation generation pipeline where the edit agent was supposed to be constrained to read/edit/glob/grep only, but was found using PTY tools to run shell commands.

Note: Similar issues were searched before filing. This report was created with AI assistance.

ramarivera avatar Dec 29 '25 21:12 ramarivera