1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
|
---
title: Permissions
description: Control which actions require approval to run.
---
By default, OpenCode allows most operations without approval, except `doom_loop` and `external_directory` which default to `ask`. You can configure this using the `permission` option.
```json title="opencode.json"
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"edit": "allow",
"bash": "ask",
"skill": "ask",
"webfetch": "deny",
"doom_loop": "ask",
"external_directory": "ask"
}
}
```
This lets you configure granular controls for the `edit`, `bash`, `skill`, `webfetch`, `doom_loop`, and `external_directory` tools.
- `"ask"` — Prompt for approval before running the tool
- `"allow"` — Allow all operations without approval
- `"deny"` — Disable the tool
---
## Tools
Currently, the permissions for the `edit`, `bash`, `skill`, `webfetch`, `doom_loop`, and `external_directory` tools can be configured through the `permission` option.
---
### edit
Use the `permission.edit` key to control whether file editing operations require user approval.
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"edit": "ask"
}
}
```
---
### bash
You can use the `permission.bash` key to control whether bash commands as a
whole need user approval.
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"bash": "ask"
}
}
```
Or, you can target specific commands and set it to `allow`, `ask`, or `deny`.
```json title="opencode.json"
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"bash": {
"git push": "ask",
"git status": "allow",
"git diff": "allow",
"npm run build": "allow",
"ls": "allow",
"pwd": "allow"
}
}
}
```
---
#### Wildcards
You can also use wildcards to manage permissions for specific bash commands.
:::tip
You can use wildcards to manage permissions for specific bash commands.
:::
For example, **disable all** Terraform commands.
```json title="opencode.json" {5}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"bash": {
"terraform *": "deny"
}
}
}
```
You can also use the `*` wildcard to manage permissions for all commands. For
example, **deny all commands** except a couple of specific ones.
```json title="opencode.json" {5}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"bash": {
"*": "deny",
"pwd": "allow",
"git status": "ask"
}
}
}
```
Here a specific rule can override the `*` wildcard.
---
##### Glob patterns
The wildcard uses simple regex globbing patterns.
- `*` matches zero or more of any character
- `?` matches exactly one character
- All other characters match literally
---
#### Scope of the `"ask"` option
When the agent asks for permission to run a particular bash command, it will
request feedback with the three options "accept", "accept always" and "deny".
The "accept always" answer applies for the rest of the current session.
In addition, command permissions are applied to the first two elements of a command. So, an "accept always" response for a command like `git log` would whitelist `git log *` but not `git commit ...`.
When an agent asks for permission to run a command in a pipeline, we use tree sitter to parse each command in the pipeline. The "accept always" permission thus applies separately to each command in the pipeline.
---
### skill
Use the `permission.skill` key to control whether the model can load skills via the built-in `skill` tool.
You can apply a single rule to all skills:
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"skill": "ask"
}
}
```
Or configure per-skill rules (supports the same wildcard patterns as `permission.bash`):
```json title="opencode.json"
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"skill": {
"*": "deny",
"git-*": "allow",
"frontend/*": "ask"
}
}
}
```
---
### webfetch
Use the `permission.webfetch` key to control whether the LLM can fetch web pages.
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"webfetch": "ask"
}
}
```
---
### doom_loop
Use the `permission.doom_loop` key to control whether approval is required when a doom loop is detected. A doom loop occurs when the same tool is called 3 times in a row with identical arguments.
This helps prevent infinite loops where the LLM repeatedly attempts the same action without making progress.
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"doom_loop": "ask"
}
}
```
---
### external_directory
Use the `permission.external_directory` key to control whether file operations require approval when accessing files outside the working directory.
This provides an additional safety layer to prevent unintended modifications to files outside your project.
```json title="opencode.json" {4}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"external_directory": "ask"
}
}
```
---
## Agents
You can also configure permissions per agent. Where the agent specific config
overrides the global config. [Learn more](/docs/agents#permissions) about agent permissions.
```json title="opencode.json" {3-7,10-14}
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"bash": {
"git push": "ask"
}
},
"agent": {
"build": {
"permission": {
"bash": {
"git push": "allow"
}
}
}
}
}
```
For example, here the `build` agent overrides the global `bash` permission to
allow `git push` commands.
You can also configure permissions for agents in Markdown.
```markdown title="~/.config/opencode/agent/review.md"
---
description: Code review without edits
mode: subagent
permission:
edit: deny
bash: ask
webfetch: deny
---
Only analyze code and suggest changes.
```
|
