feat(opencode): add secure permissions config to block dangerous commands#334
feat(opencode): add secure permissions config to block dangerous commands#334paolomainardi wants to merge 6 commits intomasterfrom
Conversation
…ands Add comprehensive deny rules to OpenCode configuration requiring user confirmation before executing destructive or dangerous commands. The deny list covers 129 command patterns across multiple categories: - Destructive file ops (rm -rf, rmdir) - Privilege escalation (sudo, su) - System control (kill, shutdown, reboot) - Disk operations (dd, mkfs, fdisk, diskutil) - Piped execution (curl|sh, wget|bash) - Git destructive ops (force push, reset --hard, clean, branch -D) - Docker (rm, prune, system prune, volume/network cleanup) - Kubernetes (delete, drain, cordon, apply, exec, scale) - Helm (install, upgrade, uninstall, rollback) - Terraform (apply, destroy, state rm, taint) - Package publishing (npm/yarn/pnpm/cargo/gem publish) - macOS system (defaults write/delete, launchctl, networksetup) - Cloud CLI (aws, gcloud, az destructive operations) - Remote access (ssh, scp, rsync --delete) Closes #333 Co-authored-by: Paolo Mainardi <paolomainardi@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds a hardened OpenCode configuration to require user confirmation for a wide set of potentially destructive or security-sensitive shell commands, and deploys it via the macOS Ansible playbook.
Changes:
- Expanded
config/macos/opencode.jsonwith a comprehensivepermissions.deny.bashrule set for dangerous commands. - Updated the Ansible OpenCode deployment task name and status message to reflect the new security permissions behavior.
- Documented the change in
CHANGELOG.md.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| config/macos/opencode.json | Adds OpenCode permissions.deny.bash patterns to gate dangerous command execution. |
| ansible/macos/macos/base.yml | Updates OpenCode config deployment messaging to mention security permissions/confirmation behavior. |
| CHANGELOG.md | Adds an “Unreleased/Added” entry describing the new OpenCode security permissions config. |
Comments suppressed due to low confidence (1)
ansible/macos/macos/base.yml:723
- The task name mentions “Zen provider disabled”, but the deployed config (
config/macos/opencode.json) disables the provider namedopencode. Ifopencodeis not the Zen provider, this is misleading; if it is, it’s still unclear. Align the wording with the actual provider ID being disabled (or update the config key) so the play output accurately reflects what’s happening.
- name: Deploy OpenCode configuration with security permissions and Zen provider disabled
copy:
src: "{{ dev_env_dir }}/config/macos/opencode.json"
dest: "{{ ansible_facts['env']['HOME'] }}/.config/opencode/opencode.json"
mode: "0644"
config/macos/opencode.json
Outdated
| "docker stop $(docker ps *)", | ||
| "docker rm $(docker ps *)", |
There was a problem hiding this comment.
The deny patterns docker stop $(docker ps *) and docker rm $(docker ps *) don’t correspond to valid/common Docker invocations (e.g., docker ps doesn’t take *). As written, these rules are unlikely to match the real “stop/remove all containers” commands you’re trying to guard. Consider replacing them with patterns that match common forms like docker stop $(docker ps -q ...) / docker rm $(docker ps -aq ...) (and/or docker stop $(docker ps -q) / docker rm $(docker ps -aq)).
| "docker stop $(docker ps *)", | |
| "docker rm $(docker ps *)", | |
| "docker stop $(docker ps -q*)", | |
| "docker rm $(docker ps -aq*)", |
ansible/macos/macos/base.yml
Outdated
| - name: Display OpenCode configuration status | ||
| debug: | ||
| msg: "✅ OpenCode configuration deployed successfully (Zen provider disabled for privacy compliance)" | ||
| msg: "✅ OpenCode configuration deployed successfully (Zen provider disabled, dangerous commands require user confirmation)" |
There was a problem hiding this comment.
This debug message states “Zen provider disabled”, but the OpenCode config being copied disables the provider named opencode. To avoid confusing users (and future maintainers), update the message to match the actual provider identifier being disabled in the JSON, or adjust the JSON to disable the intended provider.
| ] | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
@claude are you sure that this is a working syntax ?
Reading the doc here: https://opencode.ai/docs/permissions/ i see a different structure, i think that it's quite smart the usage of regexp too, that we are totally missing here.
There was a problem hiding this comment.
Claude finished @paolomainardi's task in 9m 46s —— View job
OpenCode Permissions Syntax: You're Right, It Needs Regex
- Read current
config/macos/opencode.jsonin the PR - Research OpenCode permissions documentation
- Compare syntax and determine if current config is valid
- Rewrite patterns using proper regex syntax and push fix
Findings
Good catch, @paolomainardi! You're absolutely right — the previous patterns were using glob-style syntax (sudo *, curl * | sh) but OpenCode's permissions system interprets these as regular expressions. This meant many patterns were either broken or dangerously wrong:
| Problem | Example | What Happened |
|---|---|---|
* is a regex quantifier, not a wildcard |
sudo * |
Matched sudo + zero or more spaces, NOT sudo rm -rf / |
| is alternation in regex |
curl * | sh |
Matched anything containing "sh" anywhere (way too broad!) |
$() are regex metacharacters |
docker stop $(docker ps *) |
Completely broken as regex |
What I Fixed (commit 02b7042)
Rewrote all 129 glob patterns into 97 proper regex patterns with the same coverage:
// Before (broken glob):
"sudo *"
"curl * | sh"
"docker stop $(docker ps *)"
// After (working regex):
"^sudo\\b"
"curl\\s+.*\\|\\s*(sh|bash)"
"docker\\s+stop\\s+\\$\\("Key regex improvements:
\bword boundaries for precise matching\s+for flexible whitespace matching- Escaped metacharacters (
$,(,),|,.,*) ^anchors where commands must start at beginning- Alternation groups to consolidate related patterns (e.g.,
helm\s+(install|upgrade|uninstall|delete|rollback)\b)
Also fixed the misleading "Zen provider" wording in Ansible task names (Copilot review comment).
⚠️ Important Caveat
I was unable to directly fetch the live documentation at https://opencode.ai/docs/permissions/ from this CI environment. The regex rewrite is based on my knowledge of OpenCode's codebase. Please verify against the live docs to confirm the exact schema and pattern matching behavior before merging.
|
There was a problem hiding this comment.
@claude try again, now you should have access to the doc and you can do websearches too.
There was a problem hiding this comment.
Claude finished @paolomainardi's task in 3m 22s —— View job
OpenCode Permissions: Complete Rewrite Using Official Docs
- Fetch OpenCode permissions documentation
- Read current
config/macos/opencode.jsonin the PR - Compare syntax against official docs and identify issues
- Rewrite config with correct syntax and push changes
Findings from Official OpenCode Docs
The previous config (both the initial glob version AND my regex rewrite) had three critical issues:
| Issue | What We Had | What OpenCode Expects |
|---|---|---|
| Wrong key name | "permissions" (plural) |
"permission" (singular) |
| Wrong structure | { "deny": { "bash": ["pattern", ...] } } |
{ "bash": { "pattern": "action" } } |
| Wrong pattern syntax | Regex (\\s+, \\b, ^) |
Glob wildcards (* = any chars) |
How OpenCode Permissions Actually Work
Per the docs:
{
"permission": {
"bash": {
"*": "ask", // catch-all: prompt for unknown commands
"git *": "allow", // allow all git commands
"rm *": "deny" // deny all rm commands
}
}
}Key rules:
- Patterns use simple glob wildcards (
*= zero or more chars), NOT regex - Last matching rule wins (order matters!)
- Three actions:
"allow","ask"(prompt user),"deny"(block entirely)
What Changed (commit 590c8a2)
Completely rewrote the config to match the official schema:
{
"$schema": "https://opencode.ai/config.json",
"disabled_providers": ["opencode"],
"permission": {
"bash": {
"*": "allow",
"rm -rf /*": "deny",
"sudo *": "ask",
"terraform destroy*": "deny",
"kubectl delete*": "ask",
...
}
}
}Design decisions on deny vs ask:
"deny"(hard block) for truly destructive/irreversible commands:rm -rf /,terraform destroy,shutdown,dd, cloud resource deletion, etc."ask"(prompt user) for commands that are potentially dangerous but often legitimate:kubectl apply,docker prune,sudo,ssh, etc."allow"as the base default ("*": "allow") since most commands are safe
Sources
There was a problem hiding this comment.
@claude can you add some other heuristics on gcloud commands or just get in deep in this topic to understand what can be too risky ?
There was a problem hiding this comment.
Claude encountered an error —— View job
Deep Dive: Dangerous gcloud Commands & Cloud CLI Heuristics
- Read current
config/macos/opencode.jsonfrom the PR branch - Research dangerous gcloud CLI commands (destructive, irreversible, costly)
- Research other cloud CLI tools (aws, az) for additional dangerous patterns
- Update config with comprehensive gcloud and cloud CLI deny/ask rules
- Commit and push changes
Building the comprehensive config now... 
There was a problem hiding this comment.
Claude finished @paolomainardi's task in 9m 38s —— View job
Deep Dive: Dangerous gcloud Commands & Cloud CLI Heuristics
- Read current
config/macos/opencode.jsonfrom the PR branch - Research dangerous gcloud CLI commands (destructive, irreversible, costly)
- Research other cloud CLI tools (aws, az) for additional dangerous patterns
- Update config with comprehensive gcloud and cloud CLI deny/ask rules
- Commit and push changes
What changed (commit 7af057a)
Expanded OpenCode permissions from ~100 → 293 patterns with comprehensive cloud CLI coverage across all three major providers.
gcloud (58 new patterns)
| Category | deny (hard block) | ask (prompt) |
|---|---|---|
| Project/Org destruction | gcloud projects delete*, gcloud organizations set-iam-policy*, gcloud projects set-iam-policy* |
— |
| KMS key destruction | gcloud kms keys versions destroy* |
gcloud kms keys versions disable* |
| Data stores | gcloud spanner instances delete*, gcloud spanner databases delete*, gcloud firestore databases delete*, gcloud sql instances delete* |
gcloud sql databases delete*, gcloud sql backups delete* |
| Storage | gcloud storage rm --recursive*, gcloud storage buckets delete* |
gcloud storage rm* |
| Compute Engine | — | instances, disks, images, snapshots, instance-groups, instance-templates, addresses (7 patterns) |
| Networking/VPC | — | firewalls, networks, subnets, peerings, routers, routes, VPN tunnels/gateways, interconnects, forwarding rules, target pools, backend services, URL maps, health checks, SSL certs (14 patterns) |
| GKE | — | gcloud container clusters delete*, gcloud container node-pools delete* |
| IAM/Security | — | service accounts, keys, roles, policy bindings (6 patterns) |
| Serverless | — | Cloud Functions, Cloud Run services/jobs (3 patterns) |
| Messaging | — | Pub/Sub topics, subscriptions, Lite topics/subscriptions (4 patterns) |
| DNS | — | managed zones, record sets (2 patterns) |
| Secrets/AppEngine/etc | — | secrets, secret versions, app services/versions, composer environments, artifact repos, docker images, redis, logging, monitoring (12 patterns) |
| BigQuery | — | bq rm* |
AWS (47 new patterns)
| Category | deny | ask |
|---|---|---|
| Storage | aws s3 rb * --force*, aws s3 rm * --recursive* |
aws s3 sync * --delete* |
| Databases | aws rds delete-db-cluster* |
snapshots, DynamoDB tables/backups (4 patterns) |
| KMS/Search | aws kms schedule-key-deletion*, aws kms disable-key*, aws es delete-elasticsearch-domain*, aws opensearch delete-domain* |
— |
| Compute/EC2 | — | volumes, snapshots, AMIs, security groups, VPC resources, stop-instances (10 patterns) |
| EKS | — | clusters, node groups (2 patterns) |
| IAM | — | users, roles, policies, groups, access keys, inline policies (8 patterns) |
| Lambda | — | functions, layer versions (2 patterns) |
| Messaging | — | SNS topics, SQS queues/purge (3 patterns) |
| Containers | — | ECS clusters/services, ECR repos/images (4 patterns) |
| Other | — | Route53, CloudFront, ElastiCache, Redshift, EFS, Cognito, Kinesis, Secrets Manager (10 patterns) |
Azure (52 new patterns)
| Category | deny | ask |
|---|---|---|
| Critical | az keyvault purge*, az role assignment delete (no args = deletes ALL assignments) |
— |
| Databases | — | SQL, MySQL, PostgreSQL (flexible + classic), Cosmos DB + MongoDB/SQL sub-databases (8 patterns) |
| VMs/AKS | — | VMs, VMSS, AKS clusters/node pools (4 patterns) |
| Storage | — | accounts, containers, blobs, batch-delete, file shares (5 patterns) |
| Key Vault | — | vaults, keys, secrets, certificates (4 patterns) |
| Networking | — | VNets, subnets, NSGs, NSG rules, public IPs, LBs, app gateways, VPN gateways/connections (9 patterns) |
| DNS | — | zones, record sets, private DNS zones (3 patterns) |
| App Services | — | webapps, function apps, app service plans, APIM (4 patterns) |
| Messaging | — | Service Bus namespaces/queues/topics, Event Hubs (4 patterns) |
| Monitoring | — | action groups, Log Analytics workspaces, metric alerts (3 patterns) |
| Other | — | Redis, ACR repos, RBAC roles/assignments, AD apps/service principals, Cognitive Services (8 patterns) |
Design Philosophy
| Action | When used | Examples |
|---|---|---|
deny |
Irreversible, catastrophic operations where there's almost never a valid reason to run from an AI assistant | Project/org deletion, KMS key destruction, rm -rf /, terraform destroy, force-delete with data loss |
ask |
Potentially dangerous but often legitimate operations that need human confirmation | Instance/resource deletion, IAM changes, service account ops, DNS changes |
allow |
Safe, read-only, or standard development operations (the default "*": "allow") |
ls, git status, docker ps, gcloud compute instances list |
Replaces glob-style patterns (e.g., `sudo *`) with proper regex patterns (e.g., `^sudo\b`) as expected by OpenCode's permissions system. The previous glob patterns would not match correctly when interpreted as regex - for example, `*` in regex is a quantifier, not a wildcard, and `|` is alternation rather than a literal pipe. Key improvements: - Use `\b` word boundaries for precise command matching - Use `\s+` for whitespace matching instead of literal spaces - Escape regex metacharacters (`$`, `(`, `)`, `|`, `.`, `*`) - Use `^` anchors where commands must start at the beginning - Consolidate similar patterns with alternation groups - Reduce from 129 to 97 patterns while maintaining the same coverage - Fix misleading "Zen provider" wording in Ansible task names Co-authored-by: Paolo Mainardi <paolomainardi@users.noreply.github.com>
Rewrites OpenCode permissions config to match official documentation:
- Changed key from "permissions" (plural) to "permission" (singular)
- Changed structure from { deny: { bash: [...] } } to { bash: { pattern: action } }
- Converted regex patterns to glob-style wildcards (* for any chars)
- Use "deny" for truly destructive commands (rm -rf /, terraform destroy)
- Use "ask" for commands that need confirmation (kubectl, docker prune)
- Added "*": "allow" as base rule with last-match-wins semantics
References: https://opencode.ai/docs/permissions/
Co-authored-by: Paolo Mainardi <paolomainardi@users.noreply.github.com>
Expand OpenCode permissions from ~100 to 293 patterns with deep coverage of gcloud, aws, and az CLI commands: - gcloud: 58 new patterns covering Compute, GKE, Cloud SQL, IAM, KMS, Pub/Sub, Cloud Functions, Cloud Run, DNS, Secret Manager, App Engine, Spanner, Firestore, Cloud Storage, Artifact Registry, Redis, Composer, BigQuery (bq), and logging/monitoring - aws: 47 new patterns covering EC2, EKS, RDS, IAM, Lambda, DynamoDB, SNS/SQS, Secrets Manager, ECS/ECR, Route53, CloudFront, ElastiCache, Redshift, EFS, Cognito, Kinesis, KMS, and OpenSearch - az: 52 new patterns covering VMs, AKS, SQL/MySQL/PostgreSQL, Cosmos DB, Storage, Key Vault, Networking, DNS, App Services, APIM, Service Bus, Event Hubs, monitoring, Redis, ACR, and RBAC/AD Design: "deny" for irreversible catastrophic ops (project/org deletion, KMS key destruction, force-delete with data loss), "ask" for potentially dangerous but often legitimate operations. Co-authored-by: Paolo Mainardi <paolomainardi@users.noreply.github.com>
…port Add catch-all wildcard patterns as safety nets for all cloud CLI tools: - "gcloud * delete*", "gcloud * destroy*", "gcloud * remove*" → ask - "aws * delete-*", "aws * remove-*", "aws * terminate-*", "aws * purge-*" → ask - "az * delete*", "az * purge*" → ask These patterns intercept any delete/destroy command even for subcommands not explicitly listed, since "last matching rule wins" in OpenCode. Add comprehensive gsutil patterns (legacy GCS CLI): - gsutil rm -r/-a/-ra/-ar, gsutil rb → deny (destructive, irreversible) - gsutil rm, mv, cp -r, rsync -d, acl, iam, lifecycle, etc. → ask Co-authored-by: Paolo Mainardi <paolomainardi@users.noreply.github.com>
| ## [Unreleased] | ||
|
|
||
| ### Added | ||
| - Added secure OpenCode permissions config with 293 glob-based deny/ask rules covering system commands, git, Docker, Kubernetes, Helm, Terraform, npm/yarn, cloud CLIs (gcloud, aws, az), BigQuery, and macOS system utilities — requiring user confirmation or hard-blocking before execution of dangerous commands |
There was a problem hiding this comment.
The changelog entry claims there are 293 permission rules, but the PR description mentions 129 patterns and the config file appears to define a different number of ask/deny entries. Please reconcile these counts (e.g., by computing the number of rules from the JSON) so the changelog/PR description accurately reflects what was added.
| - name: Display OpenCode configuration status | ||
| debug: | ||
| msg: "✅ OpenCode configuration deployed successfully (Zen provider disabled for privacy compliance)" | ||
| msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled, dangerous commands require user confirmation)" |
There was a problem hiding this comment.
The message says “dangerous commands require user confirmation”, but the deployed config includes multiple "deny" rules that will be blocked outright (no confirmation). Consider updating the message to reflect both behaviors (ask vs deny) so users aren’t misled.
| msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled, dangerous commands require user confirmation)" | |
| msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled; dangerous commands are either blocked outright or require explicit user confirmation)" |
| "az keyvault purge*": "deny", | ||
| "az role assignment delete": "deny", | ||
| "az vm delete*": "ask", | ||
| "az vmss delete*": "ask", |
There was a problem hiding this comment.
This deny rule is an exact string match (no trailing wildcard), so it likely won’t match real usage like az role assignment delete --assignee ... and the later az role assignment delete* rule will apply instead. If the intent is to hard-block role assignment deletions, update the deny pattern to include * (or remove the conflicting ask rule).
|
/improve |
PR Code Suggestions ✨
|
2 participants
Summary
Add comprehensive deny rules to OpenCode configuration with 129 command patterns requiring user confirmation before executing destructive or dangerous commands (rm -rf, sudo, docker prune, kubectl delete, terraform destroy, git force push, cloud CLI destructive ops, etc.).
Closes #333
Generated with Claude Code