sparkfabrik · paolomainardi · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- Added secure OpenCode permissions config with 293 glob-based deny/ask rules covering system commands, git, Docker, Kubernetes, Helm, Terraform, npm/yarn, cloud CLIs (gcloud, aws, az), BigQuery, and macOS system utilities — requiring user confirmation or hard-blocking before execution of dangerous commands
 - Added OpenSpec (@fission-ai/openspec) npm package to default package list for spec-driven development with AI coding assistants
 - Added opencode AI coding tool to default package list (now officially supported by Copilot)
 - Added OpenCode shell alias: `c` as a simple alias to `opencode` command

diff --git a/ansible/macos/macos/base.yml b/ansible/macos/macos/base.yml
@@ -716,7 +716,7 @@
             mode: "0755"
           become: no
 
-        - name: Deploy OpenCode configuration to disable Zen free models
+        - name: Deploy OpenCode configuration with security permissions and OpenCode provider disabled
           copy:
             src: "{{ dev_env_dir }}/config/macos/opencode.json"
             dest: "{{ ansible_facts['env']['HOME'] }}/.config/opencode/opencode.json"
@@ -725,7 +725,7 @@
 
         - name: Display OpenCode configuration status
           debug:
-            msg: "✅ OpenCode configuration deployed successfully (Zen provider disabled for privacy compliance)"
+            msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled, dangerous commands require user confirmation)"
-            msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled, dangerous commands require user confirmation)"
+            msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled; dangerous commands are either blocked outright or require explicit user confirmation)"
-            msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled, dangerous commands require user confirmation)"
+            msg: "✅ OpenCode configuration deployed successfully (OpenCode provider disabled; dangerous commands are either blocked outright or require explicit user confirmation)"
 
   post_tasks:
     - name: Print installation complete message

diff --git a/config/macos/opencode.json b/config/macos/opencode.json
@@ -1,4 +1,348 @@
 {
   "$schema": "https://opencode.ai/config.json",
-  "disabled_providers": ["opencode"]
-}
+  "disabled_providers": ["opencode"],
+  "permission": {
+    "bash": {
+      "*": "allow",
+
+      "rm -rf /*": "deny",
+      "rm -rf ~*": "deny",
+      "rm -rf .*": "deny",
+      "rm -rf *": "ask",
+      "rmdir *": "ask",
+      "sudo rm*": "deny",
+      "sudo rmdir*": "deny",
+      "sudo *": "ask",
+      "su *": "ask",
+      "chmod 777 *": "deny",
+      "chmod -R 777 *": "deny",
+      "chown *": "ask",
+      "chgrp *": "ask",
+
+      "kill *": "ask",
+      "killall *": "ask",
+      "pkill *": "ask",
+      "shutdown*": "deny",
+      "reboot*": "deny",
+      "halt*": "deny",
+      "poweroff*": "deny",
+
+      "dd *": "deny",
+      "mkfs*": "deny",
+      "fdisk*": "deny",
+      "parted*": "deny",
+      "diskutil eraseDisk*": "deny",
+      "diskutil partitionDisk*": "deny",
+
+      "curl *| sh*": "deny",
+      "curl *| bash*": "deny",
+      "wget *| sh*": "deny",
+      "wget *| bash*": "deny",
+      "eval *": "ask",
+
+      "git push *--force*": "deny",
+      "git push *-f*": "deny",
+      "git reset --hard*": "deny",
+      "git clean -f*": "deny",
+      "git checkout -- .*": "deny",
+      "git branch -D*": "deny",
+
+      "docker rm -f*": "ask",
+      "docker rmi -f*": "ask",
+      "docker system prune*": "ask",
+      "docker volume rm*": "ask",
+      "docker volume prune*": "ask",
+      "docker network rm*": "ask",
+      "docker network prune*": "ask",
+      "docker container prune*": "ask",
+      "docker image prune*": "ask",
+      "docker compose down -v*": "ask",
+      "docker compose rm*": "ask",
+      "docker stop $(*": "ask",
+      "docker rm $(*": "ask",
+
+      "kubectl delete*": "ask",
+      "kubectl drain*": "ask",
+      "kubectl cordon*": "ask",
+      "kubectl taint*": "ask",
+      "kubectl apply*": "ask",
+      "kubectl create*": "ask",
+      "kubectl patch*": "ask",
+      "kubectl replace*": "ask",
+      "kubectl scale*": "ask",
+      "kubectl rollout*": "ask",
+      "kubectl exec*": "ask",
+      "kubectl edit*": "ask",
+      "kubectl set *": "ask",
+      "kubectl label*": "ask",
+      "kubectl annotate*": "ask",
+
+      "helm install*": "ask",
+      "helm upgrade*": "ask",
+      "helm uninstall*": "ask",
+      "helm delete*": "ask",
+      "helm rollback*": "ask",
+
+      "terraform apply*": "ask",
+      "terraform destroy*": "deny",
+      "terraform import*": "ask",
+      "terraform taint*": "ask",
+      "terraform untaint*": "ask",
+      "terraform state rm*": "deny",
+
+      "npm publish*": "ask",
+      "npm unpublish*": "deny",
+      "npm deprecate*": "ask",
+      "npm dist-tag*": "ask",
+      "npm access*": "ask",
+      "npm owner*": "ask",
+      "yarn publish*": "ask",
+      "pnpm publish*": "ask",
+      "cargo publish*": "ask",
+      "gem push*": "ask",
+      "pip install --user*": "ask",
+
+      "brew uninstall*": "ask",
+      "brew remove*": "ask",
+      "brew cleanup --prune=all*": "ask",
+      "mas uninstall*": "ask",
+
+      "launchctl unload*": "ask",
+      "launchctl remove*": "ask",
+      "systemctl stop*": "ask",
+      "systemctl disable*": "ask",
+      "systemctl mask*": "ask",
+
+      "defaults delete*": "ask",
+      "defaults write*": "ask",
+      "networksetup*": "ask",
+      "scutil*": "ask",
+      "csrutil*": "deny",
+      "spctl*": "ask",
+      "security delete-keychain*": "deny",
+      "security delete-certificate*": "deny",
+
+      "ssh *": "ask",
+      "scp *": "ask",
+      "rsync *--delete*": "ask",
+
+      "xattr -cr*": "ask",
+      "dscl*": "ask",
+      "osascript*": "ask",
+      "crontab -r*": "deny",
+
+      "gcloud * delete*": "ask",
+      "gcloud * destroy*": "ask",
+      "gcloud * remove*": "ask",
+      "gcloud projects delete*": "deny",
+      "gcloud organizations set-iam-policy*": "deny",
+      "gcloud projects set-iam-policy*": "deny",
+      "gcloud kms keys versions destroy*": "deny",
+      "gcloud spanner instances delete*": "deny",
+      "gcloud spanner databases delete*": "deny",
+      "gcloud firestore databases delete*": "deny",
+      "gcloud storage rm --recursive*": "deny",
+      "gcloud storage buckets delete*": "deny",
+      "gcloud compute instances delete*": "ask",
+      "gcloud compute disks delete*": "ask",
+      "gcloud compute images delete*": "ask",
+      "gcloud compute snapshots delete*": "ask",
+      "gcloud compute instance-groups *delete*": "ask",
+      "gcloud compute instance-templates delete*": "ask",
+      "gcloud compute firewall-rules delete*": "ask",
+      "gcloud compute networks delete*": "ask",
+      "gcloud compute networks subnets delete*": "ask",
+      "gcloud compute networks peerings delete*": "ask",
+      "gcloud compute routers delete*": "ask",
+      "gcloud compute routes delete*": "ask",
+      "gcloud compute vpn-tunnels delete*": "ask",
+      "gcloud compute vpn-gateways delete*": "ask",
+      "gcloud compute interconnects delete*": "ask",
+      "gcloud compute addresses delete*": "ask",
+      "gcloud compute forwarding-rules delete*": "ask",
+      "gcloud compute target-pools delete*": "ask",
+      "gcloud compute backend-services delete*": "ask",
+      "gcloud compute url-maps delete*": "ask",
+      "gcloud compute health-checks delete*": "ask",
+      "gcloud compute ssl-certificates delete*": "ask",
+      "gcloud container clusters delete*": "ask",
+      "gcloud container node-pools delete*": "ask",
+      "gcloud sql instances delete*": "deny",
+      "gcloud sql databases delete*": "ask",
+      "gcloud sql backups delete*": "ask",
+      "gcloud storage rm*": "ask",
+      "gcloud iam service-accounts delete*": "ask",
+      "gcloud iam service-accounts keys delete*": "ask",
+      "gcloud iam roles delete*": "ask",
+      "gcloud projects remove-iam-policy-binding*": "ask",
+      "gcloud projects add-iam-policy-binding*": "ask",
+      "gcloud organizations remove-iam-policy-binding*": "ask",
+      "gcloud organizations add-iam-policy-binding*": "ask",
+      "gcloud kms keys versions disable*": "ask",
+      "gcloud functions delete*": "ask",
+      "gcloud run services delete*": "ask",
+      "gcloud run jobs delete*": "ask",
+      "gcloud pubsub topics delete*": "ask",
+      "gcloud pubsub subscriptions delete*": "ask",
+      "gcloud pubsub lite-topics delete*": "ask",
+      "gcloud pubsub lite-subscriptions delete*": "ask",
+      "gcloud dns managed-zones delete*": "ask",
+      "gcloud dns record-sets delete*": "ask",
+      "gcloud secrets delete*": "ask",
+      "gcloud secrets versions destroy*": "ask",
+      "gcloud app services delete*": "ask",
+      "gcloud app versions delete*": "ask",
+      "gcloud composer environments delete*": "ask",
+      "gcloud artifacts repositories delete*": "ask",
+      "gcloud artifacts docker images delete*": "ask",
+      "gcloud redis instances delete*": "ask",
+      "gcloud logging logs delete*": "ask",
+      "gcloud logging metrics delete*": "ask",
+      "gcloud monitoring channels delete*": "ask",
+      "gcloud monitoring policies delete*": "ask",
+      "bq rm*": "ask",
+
+      "gsutil rm -r*": "deny",
+      "gsutil rm -a*": "deny",
+      "gsutil rm -ra*": "deny",
+      "gsutil rm -ar*": "deny",
+      "gsutil rb*": "deny",
+      "gsutil rm*": "ask",
+      "gsutil mv*": "ask",
+      "gsutil cp -r*": "ask",
+      "gsutil rsync -d*": "ask",
+      "gsutil setmeta*": "ask",
+      "gsutil acl*": "ask",
+      "gsutil iam*": "ask",
+      "gsutil lifecycle*": "ask",
+      "gsutil versioning*": "ask",
+      "gsutil cors*": "ask",
+      "gsutil logging*": "ask",
+      "gsutil defacl*": "ask",
+
+      "aws * delete-*": "ask",
+      "aws * remove-*": "ask",
+      "aws * terminate-*": "ask",
+      "aws * deregister-*": "ask",
+      "aws * purge-*": "ask",
+      "aws s3 rb * --force*": "deny",
+      "aws s3 rm * --recursive*": "deny",
+      "aws ec2 terminate-instances*": "deny",
+      "aws rds delete-db-instance*": "deny",
+      "aws rds delete-db-cluster*": "deny",
+      "aws cloudformation delete-stack*": "deny",
+      "aws kms schedule-key-deletion*": "deny",
+      "aws kms disable-key*": "deny",
+      "aws es delete-elasticsearch-domain*": "deny",
+      "aws opensearch delete-domain*": "deny",
+      "aws s3 rm*": "ask",
+      "aws s3 rb*": "ask",
+      "aws s3 sync * --delete*": "ask",
+      "aws ec2 delete-volume*": "ask",
+      "aws ec2 delete-snapshot*": "ask",
+      "aws ec2 deregister-image*": "ask",
+      "aws ec2 delete-security-group*": "ask",
+      "aws ec2 delete-key-pair*": "ask",
+      "aws ec2 delete-vpc*": "ask",
+      "aws ec2 delete-subnet*": "ask",
+      "aws ec2 delete-internet-gateway*": "ask",
+      "aws ec2 delete-nat-gateway*": "ask",
+      "aws ec2 delete-route-table*": "ask",
+      "aws ec2 stop-instances*": "ask",
+      "aws eks delete-cluster*": "ask",
+      "aws eks delete-nodegroup*": "ask",
+      "aws rds delete-db-snapshot*": "ask",
+      "aws rds delete-db-cluster-snapshot*": "ask",
+      "aws iam delete-user*": "ask",
+      "aws iam delete-role*": "ask",
+      "aws iam delete-policy*": "ask",
+      "aws iam delete-group*": "ask",
+      "aws iam put-user-policy*": "ask",
+      "aws iam put-role-policy*": "ask",
+      "aws iam delete-role-policy*": "ask",
+      "aws iam delete-access-key*": "ask",
+      "aws lambda delete-function*": "ask",
+      "aws lambda delete-layer-version*": "ask",
+      "aws dynamodb delete-table*": "ask",
+      "aws dynamodb delete-backup*": "ask",
+      "aws sns delete-topic*": "ask",
+      "aws sqs delete-queue*": "ask",
+      "aws sqs purge-queue*": "ask",
+      "aws secretsmanager delete-secret*": "ask",
+      "aws ecs delete-cluster*": "ask",
+      "aws ecs delete-service*": "ask",
+      "aws ecr delete-repository*": "ask",
+      "aws ecr batch-delete-image*": "ask",
+      "aws route53 delete-hosted-zone*": "ask",
+      "aws cloudfront delete-distribution*": "ask",
+      "aws elasticache delete-cache-cluster*": "ask",
+      "aws elasticache delete-replication-group*": "ask",
+      "aws redshift delete-cluster*": "ask",
+      "aws efs delete-file-system*": "ask",
+      "aws cognito-idp delete-user-pool*": "ask",
+      "aws kinesis delete-stream*": "ask",
+      "aws firehose delete-delivery-stream*": "ask",
+
+      "az * delete*": "ask",
+      "az * purge*": "ask",
+      "az group delete*": "deny",
+      "az keyvault purge*": "deny",
+      "az role assignment delete": "deny",
+      "az vm delete*": "ask",
+      "az vmss delete*": "ask",
+      "az aks delete*": "ask",
+      "az aks nodepool delete*": "ask",
+      "az sql server delete*": "ask",
+      "az sql db delete*": "ask",
+      "az mysql server delete*": "ask",
+      "az mysql flexible-server delete*": "ask",
+      "az postgres server delete*": "ask",
+      "az postgres flexible-server delete*": "ask",
+      "az cosmosdb delete*": "ask",
+      "az cosmosdb mongodb database delete*": "ask",
+      "az cosmosdb sql database delete*": "ask",
+      "az storage account delete*": "ask",
+      "az storage container delete*": "ask",
+      "az storage blob delete*": "ask",
+      "az storage blob delete-batch*": "ask",
+      "az storage share delete*": "ask",
+      "az keyvault delete*": "ask",
+      "az keyvault key delete*": "ask",
+      "az keyvault secret delete*": "ask",
+      "az keyvault certificate delete*": "ask",
+      "az network vnet delete*": "ask",
+      "az network vnet subnet delete*": "ask",
+      "az network nsg delete*": "ask",
+      "az network nsg rule delete*": "ask",
+      "az network public-ip delete*": "ask",
+      "az network lb delete*": "ask",
+      "az network application-gateway delete*": "ask",
+      "az network vnet-gateway delete*": "ask",
+      "az network vpn-connection delete*": "ask",
+      "az dns zone delete*": "ask",
+      "az dns record-set * delete*": "ask",
+      "az network private-dns zone delete*": "ask",
+      "az webapp delete*": "ask",
+      "az functionapp delete*": "ask",
+      "az appservice plan delete*": "ask",
+      "az apim delete*": "ask",
+      "az apim deletedservice purge*": "ask",
+      "az servicebus namespace delete*": "ask",
+      "az servicebus queue delete*": "ask",
+      "az servicebus topic delete*": "ask",
+      "az eventhubs namespace delete*": "ask",
+      "az eventhubs eventhub delete*": "ask",
+      "az monitor action-group delete*": "ask",
+      "az monitor log-analytics workspace delete*": "ask",
+      "az monitor metrics alert delete*": "ask",
+      "az redis delete*": "ask",
+      "az acr delete*": "ask",
+      "az acr repository delete*": "ask",
+      "az role assignment delete*": "ask",
+      "az role definition delete*": "ask",
+      "az ad app delete*": "ask",
+      "az ad sp delete*": "ask",
+      "az cognitiveservices account delete*": "ask"
+    }
+  }
+}