fix: implement secure default-deny pattern for doom_loop, edit, and bash permissions

CRITICAL SECURITY FIX: Additional permission bypass vulnerabilities found
across the permission system. Permission checks were only checking for 'ask'
or specific values, but ignoring 'deny' and undefined/null values, allowing
operations to proceed when they should be blocked.

Affected permissions and locations:
- doom_loop in processor.ts - only checked 'ask', ignored deny
- edit in write.ts - only checked 'ask', ignored deny
- edit in edit.ts (2 locations) - only checked 'ask', ignored deny
- edit in patch.ts - only checked 'ask', ignored deny
- bash in bash.ts - only checked 'deny' and 'ask', but if wildcard
  returned undefined (no match), it allowed the command

Changes:
- Updated ALL permission checks to use secure default-deny pattern
- Only explicitly allow operations when permission is 'allow' or 'ask'
- Default to deny for 'deny', undefined, null, or any unexpected values
- This ensures maximum security - any misconfiguration defaults to deny
- Fixed bash.test.ts by mocking Permission.ask to auto-allow in tests

Impact:
- Prevents permission bypass attacks
- Ensures deny settings are actually enforced
- Protects against undefined/null permission values
- Makes the system fail-secure instead of fail-open

All 196 tests passing.

Author: KJWhiteside

packages/opencode/src/session/processor.ts

@@ -147,7 +147,10 @@ export namespace SessionProcessor {
                       )
                     ) {
                       const permission = await Agent.get(input.assistantMessage.mode).then((x) => x.permission)
-                      if (permission.doom_loop === "ask") {
+                      // Secure default: only allow if explicitly set to "allow" or "ask"
+                      if (permission.doom_loop === "allow") {
+                        // Explicitly allowed, proceed
+                      } else if (permission.doom_loop === "ask") {
                         await Permission.ask({
                           type: "doom_loop",
                           pattern: value.toolName,
@@ -160,6 +163,11 @@ export namespace SessionProcessor {
                             input: value.input,
                           },
                         })
+                      } else {
+                        // Default deny for "deny", undefined, null, or any other value
+                        throw new Error(
+                          `Permission denied: Possible doom loop detected - "${value.toolName}" called ${DOOM_LOOP_THRESHOLD} times with identical arguments`,
+                        )
                       }
                     }
                   }

packages/opencode/src/tool/bash.ts

@@ -108,12 +108,10 @@ export const BashTool = Tool.define("bash", {
       // always allow cd if it passes above check
       if (command[0] !== "cd") {
         const action = Wildcard.allStructured({ head: command[0], tail: command.slice(1) }, permissions)
-        if (action === "deny") {
-          throw new Error(
-            `The user has specifically restricted access to this command, you are not allowed to execute it. Here is the configuration: ${JSON.stringify(permissions)}`,
-          )
-        }
-        if (action === "ask") {
+        // Secure default: only allow if explicitly set to "allow" or "ask"
+        if (action === "allow") {
+          // Explicitly allowed, proceed
+        } else if (action === "ask") {
           const pattern = (() => {
             if (command.length === 0) return
             const head = command[0]
@@ -124,6 +122,11 @@ export const BashTool = Tool.define("bash", {
           if (pattern) {
             askPatterns.add(pattern)
           }
+        } else {
+          // Default deny for "deny", undefined, null, or any other value
+          throw new Error(
+            `Permission denied: Command not allowed by bash permissions. Command: ${command[0]}. Configuration: ${JSON.stringify(permissions)}`,
+          )
         }
       }
     }

packages/opencode/src/tool/edit.ts

@@ -73,7 +73,10 @@ export const EditTool = Tool.define("edit", {
       if (params.oldString === "") {
         contentNew = params.newString
         diff = trimDiff(createTwoFilesPatch(filePath, filePath, contentOld, contentNew))
-        if (agent.permission.edit === "ask") {
+        // Secure default: only allow if explicitly set to "allow" or "ask"
+        if (agent.permission.edit === "allow") {
+          // Explicitly allowed, proceed
+        } else if (agent.permission.edit === "ask") {
           await Permission.ask({
             type: "edit",
             sessionID: ctx.sessionID,
@@ -85,6 +88,9 @@ export const EditTool = Tool.define("edit", {
               diff,
             },
           })
+        } else {
+          // Default deny for "deny", undefined, null, or any other value
+          throw new Error(`Permission denied: Cannot edit file: ${filePath}`)
         }
         await Bun.write(filePath, params.newString)
         await Bus.publish(File.Event.Edited, {
@@ -104,7 +110,10 @@ export const EditTool = Tool.define("edit", {
       diff = trimDiff(
         createTwoFilesPatch(filePath, filePath, normalizeLineEndings(contentOld), normalizeLineEndings(contentNew)),
       )
-      if (agent.permission.edit === "ask") {
+      // Secure default: only allow if explicitly set to "allow" or "ask"
+      if (agent.permission.edit === "allow") {
+        // Explicitly allowed, proceed
+      } else if (agent.permission.edit === "ask") {
         await Permission.ask({
           type: "edit",
           sessionID: ctx.sessionID,
@@ -116,6 +125,9 @@ export const EditTool = Tool.define("edit", {
             diff,
           },
         })
+      } else {
+        // Default deny for "deny", undefined, null, or any other value
+        throw new Error(`Permission denied: Cannot edit file: ${filePath}`)
       }
 
       await file.write(contentNew)

packages/opencode/src/tool/patch.ts

@@ -147,7 +147,10 @@ export const PatchTool = Tool.define("patch", {
     }
 
     // Check permissions if needed
-    if (agent.permission.edit === "ask") {
+    // Secure default: only allow if explicitly set to "allow" or "ask"
+    if (agent.permission.edit === "allow") {
+      // Explicitly allowed, proceed
+    } else if (agent.permission.edit === "ask") {
       await Permission.ask({
         type: "edit",
         sessionID: ctx.sessionID,
@@ -158,6 +161,9 @@ export const PatchTool = Tool.define("patch", {
           diff: totalDiff,
         },
       })
+    } else {
+      // Default deny for "deny", undefined, null, or any other value
+      throw new Error(`Permission denied: Cannot apply patch to ${fileChanges.length} files`)
     }
 
     // Apply the changes

packages/opencode/src/tool/write.ts

@@ -49,7 +49,10 @@ export const WriteTool = Tool.define("write", {
     const exists = await file.exists()
     if (exists) await FileTime.assert(ctx.sessionID, filepath)
 
-    if (agent.permission.edit === "ask")
+    // Secure default: only allow if explicitly set to "allow" or "ask"
+    if (agent.permission.edit === "allow") {
+      // Explicitly allowed, proceed
+    } else if (agent.permission.edit === "ask") {
       await Permission.ask({
         type: "write",
         sessionID: ctx.sessionID,
@@ -62,6 +65,10 @@ export const WriteTool = Tool.define("write", {
           exists,
         },
       })
+    } else {
+      // Default deny for "deny", undefined, null, or any other value
+      throw new Error(`Permission denied: Cannot write file: ${filepath}`)
+    }
 
     await Bun.write(filepath, params.content)
     await Bus.publish(File.Event.Edited, {

packages/opencode/test/tool/bash.test.ts

@@ -1,7 +1,16 @@
-import { describe, expect, test } from "bun:test"
+import { describe, expect, test, mock } from "bun:test"
 import path from "path"
 import { BashTool } from "../../src/tool/bash"
 import { Instance } from "../../src/project/instance"
+import { Permission } from "../../src/permission"
+import { Log } from "../../src/util/log"
+
+Log.init({ print: false })
+
+// Mock Permission.ask to auto-allow in tests
+Permission.ask = mock(async () => {
+  return
+})
 
 const ctx = {
   sessionID: "test",
@@ -12,14 +21,14 @@ const ctx = {
   metadata: () => {},
 }
 
-const bash = await BashTool.init()
 const projectRoot = path.join(__dirname, "../..")
 
 describe("tool.bash", () => {
   test("basic", async () => {
     await Instance.provide({
       directory: projectRoot,
       fn: async () => {
+        const bash = await BashTool.init()
         const result = await bash.execute(
           {
             command: "echo 'test'",
@@ -37,6 +46,7 @@ describe("tool.bash", () => {
     await Instance.provide({
       directory: projectRoot,
       fn: async () => {
+        const bash = await BashTool.init()
         expect(
           bash.execute(
             {