From 5442c26e7f1a5826a02b7cf67e0c4a37efe611f4 Mon Sep 17 00:00:00 2001
From: Black_Fox
Date: Wed, 24 Dec 2025 00:08:09 +0100
Subject: [PATCH] refactor(agent): set Explore subagent bash permissions to read-only
---
packages/opencode/src/agent/agent.ts | 87 +++++++++++++++-------------
1 file changed, 48 insertions(+), 39 deletions(-)
diff --git a/packages/opencode/src/agent/agent.ts b/packages/opencode/src/agent/agent.ts
index ad665e5d6ee..d3e9a7b3a49 100644
--- a/packages/opencode/src/agent/agent.ts
+++ b/packages/opencode/src/agent/agent.ts
@@ -68,52 +68,61 @@ export namespace Agent {
 }
 const agentPermission = mergeAgentPermissions(defaultPermission, cfg.permission ?? {})
 
+ const readOnlyBashPermission = {
+ "cut*": "allow",
+ "diff*": "allow",
+ "du*": "allow",
+ "file *": "allow",
+ "find * -delete*": "ask",
+ "find * -exec*": "ask",
+ "find * -fprint*": "ask",
+ "find * -fls*": "ask",
+ "find * -fprintf*": "ask",
+ "find * -ok*": "ask",
+ "find *": "allow",
+ "git diff*": "allow",
+ "git log*": "allow",
+ "git show*": "allow",
+ "git status*": "allow",
+ "git branch": "allow",
+ "git branch -v": "allow",
+ "grep*": "allow",
+ "head*": "allow",
+ "less*": "allow",
+ "ls*": "allow",
+ "more*": "allow",
+ "pwd*": "allow",
+ "rg*": "allow",
+ "sort --output=*": "ask",
+ "sort -o *": "ask",
+ "sort*": "allow",
+ "stat*": "allow",
+ "tail*": "allow",
+ "tree -o *": "ask",
+ "tree*": "allow",
+ "uniq*": "allow",
+ "wc*": "allow",
+ "whereis*": "allow",
+ "which*": "allow",
+ "*": "ask",
+ }
+
 const planPermission = mergeAgentPermissions(
 {
 edit: "deny",
- bash: {
- "cut*": "allow",
- "diff*": "allow",
- "du*": "allow",
- "file *": "allow",
- "find * -delete*": "ask",
- "find * -exec*": "ask",
- "find * -fprint*": "ask",
- "find * -fls*": "ask",
- "find * -fprintf*": "ask",
- "find * -ok*": "ask",
- "find *": "allow",
- "git diff*": "allow",
- "git log*": "allow",
- "git show*": "allow",
- "git status*": "allow",
- "git branch": "allow",
- "git branch -v": "allow",
- "grep*": "allow",
- "head*": "allow",
- "less*": "allow",
- "ls*": "allow",
- "more*": "allow",
- "pwd*": "allow",
- "rg*": "allow",
- "sort --output=*": "ask",
- "sort -o *": "ask",
- "sort*": "allow",
- "stat*": "allow",
- "tail*": "allow",
- "tree -o *": "ask",
- "tree*": "allow",
- "uniq*": "allow",
- "wc*": "allow",
- "whereis*": "allow",
- "which*": "allow",
- "*": "ask",
- },
+ bash: readOnlyBashPermission,
 webfetch: "allow",
 },
 cfg.permission ?? {},
 )
 
+ const explorePermission = mergeAgentPermissions(
+ {
+ bash: readOnlyBashPermission,
+ },
+ cfg.permission ?? {},
+ )
+
 const result: Record = {
 build: {
 name: "build",
@@ -159,7 +168,7 @@ export namespace Agent {
 description: `Fast agent specialized for exploring codebases. Use this when you need to quickly find files by patterns (eg. "src/components/**/*.tsx"), search code for keywords (eg. "API endpoints"), or answer questions about the codebase (eg. "how do API endpoints work?"). When calling this agent, specify the desired thoroughness level: "quick" for basic searches, "medium" for moderate exploration, or "very thorough" for comprehensive analysis across multiple locations and naming conventions.`,
 prompt: PROMPT_EXPLORE,
 options: {},
- permission: agentPermission,
+ permission: explorePermission,
 mode: "subagent",
 native: true,
 },
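Review bot: `explorePermission` in the first hunk hands the Explore subagent the read-only bash map but, unlike the neighbouring `planPermission`, omits `edit: "deny"`, so the "read-only" intent of the commit title covers bash only while the edit tool stays at whatever the merge falls back to. Unless the surrounding defaults (not visible in this hunk) already deny edit for this agent, add `edit: "deny",` next to `bash: readOnlyBashPermission,`; note also that this definition, like `planPermission`, no longer starts from `defaultPermission` the way `agentPermission` does, which deserves a one-line comment if intentional. `readOnlyBashPermission` is an untyped object literal, so a typo in an `"allow"`/`"ask"` value or a malformed key is only caught when `mergeAgentPermissions` is called; annotating it with the bash permission type that function accepts (or using `satisfies` with it) moves that check to the declaration. The map should also carry a header comment such as `// prefix patterns, matched in argument order: the "ask" entries only cover the spellings listed here` so that maintainers adding entries know the coverage depends on how the matcher treats `*` and argument order. The enclosing `export namespace Agent` and the function that builds `result` both start before and end after these hunks.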