fix: block bash commands in Prometheus mode to respect permission config

[kaizen403]

Summary

Fixes #1428 - Prometheus mode was bypassing the bash permission setting in opencode.jsonc.

Problem

When users configured "bash": "ask" in their opencode.jsonc permission config, Prometheus (Plan Builder) mode could still execute bash commands without user confirmation. This posed a security risk since Prometheus is designed as a read-only planner that should only analyze and create plans, not execute commands.

Root Cause

The prometheus-md-only hook only blocked write and edit tools but did NOT include bash in the BLOCKED_TOOLS list. Since Prometheus has bash: "allow" in its default permission configuration, bash commands executed directly without respecting the user's global permission settings.

Solution

Added bash to the BLOCKED_TOOLS array in the prometheus-md-only hook, making Prometheus truly read-only as intended.

Changes

1. src/hooks/prometheus-md-only/constants.ts: Added "bash" to BLOCKED_TOOLS
2. src/hooks/prometheus-md-only/index.ts: Added specific handling for bash commands with a clear error message
3. src/hooks/prometheus-md-only/index.test.ts: Added test case to verify bash blocking behavior

Security Impact

This fix ensures Prometheus respects the security model by:

• Blocking all bash command execution in Prometheus mode
• Providing clear error messages explaining Prometheus is read-only
• Directing users to use /start-work for plan execution

Testing

• All 26 prometheus-md-only tests pass including the new bash blocking test
• Full test suite: 2050 pass, 10 fail (pre-existing failures unrelated to this change)

Checklist

• Fix implemented
• Tests added
• All tests pass
• Security concern addressed
• PR targets dev branch

---

Summary by cubic

Block bash command execution in Prometheus (Plan Builder) mode to honor opencode.jsonc permissions and keep Prometheus read-only. Fixes #1428.

• Bug Fixes
  • Added "bash" to BLOCKED_TOOLS in the prometheus-md-only hook.
  • Throw a clear error when bash is invoked in Prometheus, directing users to use /start-work for execution.
  • Added a test to verify bash is blocked.

^{Written for commit 8515ad7. Summary will update on new commits.}

[github-actions]

All contributors have signed the CLA. Thank you! ✅
_{Posted by the CLA Assistant Lite bot.}

[kaizen403]

I have read the CLA Document and I hereby sign the CLA

[cubic-dev-ai]

No issues found across 3 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

[kaizen403]

@code-yeongyu This is a security fix for issue #1428. Could you please review when you have a moment?

[code-yeongyu]

@sisyphus-dev-ai review

[sisyphus-dev-ai]

Code Review Summary

Reviewer: @sisyphus-dev-ai
Verdict: ✅ APPROVED

---

Overview

This PR addresses a security vulnerability reported in #1428 where Prometheus mode could execute bash commands despite having "bash": "ask" configured in the user's opencode.jsonc. Since Prometheus is designed as a read-only planner, this behavior violated the security model.

---

Changes Reviewed

File	Change	Assessment
constants.ts	Added "bash" to BLOCKED_TOOLS array	✅ Correct
index.ts	Added specific bash blocking logic with error message	✅ Correct
index.test.ts	Added test case for bash blocking behavior	✅ Correct

---

Implementation Quality

1. constants.ts

export const BLOCKED_TOOLS = ["Write", "Edit", "write", "edit", "bash"]

• Correctly adds "bash" to the blocked tools list
• Lowercase only is fine since bash tool is always lowercase

2. index.ts - Bash Blocking Logic (lines 109-121)

if (toolName === "bash") {
  log(`[${HOOK_NAME}] Blocked: Prometheus cannot execute bash commands`, {
    sessionID: input.sessionID,
    tool: toolName,
    agent: agentName,
  })
  throw new Error(
    `[${HOOK_NAME}] ${getAgentDisplayName("prometheus")} cannot execute bash commands. ` +
    `${getAgentDisplayName("prometheus")} is a READ-ONLY planner. Use /start-work to execute the plan. ` +
    `APOLOGIZE TO THE USER, REMIND OF YOUR PLAN WRITING PROCESSES, TELL USER WHAT YOU WILL GOING TO DO AS THE PROCESS, WRITE THE PLAN`
  )
}

• ✅ Explicit bash check before the file path check (correct ordering)
• ✅ Clear error message explaining Prometheus is read-only
• ✅ Directs users to /start-work for execution
• ✅ Includes agent display name for consistency
• ✅ Proper logging for debugging

3. Test Coverage

test("should block bash commands from Prometheus", async () => {
  const hook = createPrometheusMdOnlyHook(createMockPluginInput())
  const input = { tool: "bash", sessionID: TEST_SESSION_ID, callID: "call-1" }
  const output = { args: { command: "echo test" } }
  await expect(hook["tool.execute.before"](input, output)).rejects.toThrow("cannot execute bash commands")
})

• ✅ Tests bash blocking specifically
• ✅ Follows existing BDD comment style (// given, // when / #then)
• ✅ Test name renamed from "non-Write/Edit tools" to "non-blocked tools" (more accurate)

---

Verification

Check	Result
All 26 prometheus-md-only tests pass	✅
TypeScript type check passes	✅
Existing tests unaffected	✅
Pattern consistent with codebase	✅

---

Security Impact

This fix ensures Prometheus mode is truly read-only by:

1. Blocking all bash command execution
2. Providing clear error messages
3. Guiding users to the proper execution path (/start-work)

---

Recommendation

LGTM - Ready to merge. Clean implementation, good test coverage, addresses the security concern appropriately.