anomalyco · Nindaleth · Dec 23, 2025
diff --git a/packages/opencode/src/agent/agent.ts b/packages/opencode/src/agent/agent.ts
@@ -68,52 +68,61 @@ export namespace Agent {
     }
     const agentPermission = mergeAgentPermissions(defaultPermission, cfg.permission ?? {})
 
+    const readOnlyBashPermission = {
+      "cut*": "allow",
+      "diff*": "allow",
+      "du*": "allow",
+      "file *": "allow",
+      "find * -delete*": "ask",
+      "find * -exec*": "ask",
+      "find * -fprint*": "ask",
+      "find * -fls*": "ask",
+      "find * -fprintf*": "ask",
+      "find * -ok*": "ask",
+      "find *": "allow",
+      "git diff*": "allow",
+      "git log*": "allow",
+      "git show*": "allow",
+      "git status*": "allow",
+      "git branch": "allow",
+      "git branch -v": "allow",
+      "grep*": "allow",
+      "head*": "allow",
+      "less*": "allow",
+      "ls*": "allow",
+      "more*": "allow",
+      "pwd*": "allow",
+      "rg*": "allow",
+      "sort --output=*": "ask",
+      "sort -o *": "ask",
+      "sort*": "allow",
+      "stat*": "allow",
+      "tail*": "allow",
+      "tree -o *": "ask",
+      "tree*": "allow",
+      "uniq*": "allow",
+      "wc*": "allow",
+      "whereis*": "allow",
+      "which*": "allow",
+      "*": "ask",
+    }
+
     const planPermission = mergeAgentPermissions(
       {
         edit: "deny",
-        bash: {
-          "cut*": "allow",
-          "diff*": "allow",
-          "du*": "allow",
-          "file *": "allow",
-          "find * -delete*": "ask",
-          "find * -exec*": "ask",
-          "find * -fprint*": "ask",
-          "find * -fls*": "ask",
-          "find * -fprintf*": "ask",
-          "find * -ok*": "ask",
-          "find *": "allow",
-          "git diff*": "allow",
-          "git log*": "allow",
-          "git show*": "allow",
-          "git status*": "allow",
-          "git branch": "allow",
-          "git branch -v": "allow",
-          "grep*": "allow",
-          "head*": "allow",
-          "less*": "allow",
-          "ls*": "allow",
-          "more*": "allow",
-          "pwd*": "allow",
-          "rg*": "allow",
-          "sort --output=*": "ask",
-          "sort -o *": "ask",
-          "sort*": "allow",
-          "stat*": "allow",
-          "tail*": "allow",
-          "tree -o *": "ask",
-          "tree*": "allow",
-          "uniq*": "allow",
-          "wc*": "allow",
-          "whereis*": "allow",
-          "which*": "allow",
-          "*": "ask",
-        },
+        bash: readOnlyBashPermission,
         webfetch: "allow",
       },
       cfg.permission ?? {},
     )
 
+    const explorePermission = mergeAgentPermissions(
+      {
+        bash: readOnlyBashPermission,
+      },
+      cfg.permission ?? {},
+    )
+
     const result: Record<string, Info> = {
       build: {
         name: "build",
@@ -159,7 +168,7 @@ export namespace Agent {
         description: `Fast agent specialized for exploring codebases. Use this when you need to quickly find files by patterns (eg. "src/components/**/*.tsx"), search code for keywords (eg. "API endpoints"), or answer questions about the codebase (eg. "how do API endpoints work?"). When calling this agent, specify the desired thoroughness level: "quick" for basic searches, "medium" for moderate exploration, or "very thorough" for comprehensive analysis across multiple locations and naming conventions.`,
         prompt: PROMPT_EXPLORE,
         options: {},
-        permission: agentPermission,
+        permission: explorePermission,
         mode: "subagent",
         native: true,
       },