Permissions in OpenCode Config Agent control what agents are allowed to do during a session: which shell commands they can run, which files they can read, and which other agents they can delegate work to. The global permission block in opencode.json establishes baseline rules for all agents, while individual agents can declare their own overrides on top.
Global permission structure
The top-level permission block in opencode.json has two keys: bash and read. Each maps glob patterns to one of three values:
| Value | Behavior |
|---|---|
| "allow" | The action is permitted without prompting |
| "ask" | OpenCode will pause and ask for confirmation before proceeding |
| "deny" | The action is blocked entirely |
The catch-all pattern is "*".
Bash permissions
The bash block governs which shell commands agents can execute.
How it works
- "*": "allow" — all bash commands are permitted by default. Agents can run tests, build tools, install packages, and read the filesystem freely.
- Specific "ask" patterns — destructive or irreversible git operations require explicit confirmation before running. This gives you a checkpoint before the agent commits, pushes, force-pushes, rebases, or hard-resets.
Pattern matching
Patterns use glob-style matching where * matches any sequence of characters, including spaces. This means "git push *" matches git push origin main, git push --tags, and any other git push invocation with arguments.
Common customizations
Read permissions
The read block controls which files agents are allowed to read from disk.
How it works
- "*": "allow" — agents can read any file by default.
- Deny patterns — sensitive files that typically contain credentials or secrets are blocked. This prevents agents from accidentally including secret values in their context or leaking them through tool output.
Blocked file patterns
| Pattern | What it blocks |
|---|---|
| **/.env | .env files at any depth in the directory tree |
| **/.env.* | .env.local, .env.production, .env.test, etc. at any depth |
| **/credentials.json | Any credentials.json file at any depth |
| **/secrets/** | Any file inside a secrets/ directory at any depth |
| *.env | .env-style files in the current directory |
| *.env.* | .env.local-style files in the current directory |
Adding custom deny patterns
To block additional sensitive paths, add entries to the read block:
Per-agent permissions
Individual agents can declare a permission block inside their agent definition. These rules layer on top of the global permission block and apply only to that agent.
sdd-orchestrator task permission
The sdd-orchestrator agent has a task permission override:
The task key governs which agents the orchestrator is allowed to delegate synchronous tasks to. With this configuration:
- The orchestrator cannot delegate to arbitrary agent names.
- The orchestrator can only delegate to agents whose names match sdd-* (e.g. sdd-apply, sdd-verify, sdd-explore).
The task permission type controls synchronous delegation (where the orchestrator waits for the result). Async delegation via delegate is governed separately. The orchestrator uses task for phases where it needs the result before proceeding to the next phase.
Adding per-agent overrides
You can add a permission block to any agent. For example, to prevent tony stark from running any bash commands:
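To make the pattern-matching and layering rules above concrete, here is an added Python resolver (example code, not part of OpenCode or this project) that evaluates a bash command against a global permission block and an optional per-agent block. It assumes that a per-agent rule matching the command wins over the global block, that among matching patterns the one with the most literal characters wins (so "git push *" beats "*"), and that a command matching nothing is denied; the page does not spell out these precedence details.

```python
import re
from typing import Dict, Optional, Tuple

# pattern -> "allow" | "ask" | "deny"
Permission = Dict[str, str]

# Constructed sample global bash block, modelled on the page's description:
# everything allowed by default, destructive git operations must be confirmed.
GLOBAL_BASH: Permission = {
    "*": "allow",
    "git commit *": "ask",
    "git push *": "ask",
    "git rebase *": "ask",
    "git reset --hard *": "ask",
}

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Glob-style: '*' matches any sequence of characters, spaces included.
    The match is anchored to the whole command (assumption)."""
    literal = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal) + "$")

def specificity(pattern: str) -> int:
    """Count of literal (non-'*') characters; more literal text wins (assumption)."""
    return len(pattern.replace("*", ""))

def best_match(command: str, rules: Permission) -> Optional[str]:
    """Verdict of the most specific matching pattern in one block, or None."""
    winner: Optional[Tuple[int, str]] = None
    for pattern, verdict in rules.items():
        if pattern_to_regex(pattern).match(command):
            if winner is None or specificity(pattern) > winner[0]:
                winner = (specificity(pattern), verdict)
    return None if winner is None else winner[1]

def resolve(command: str, global_bash: Permission,
            agent_bash: Optional[Permission] = None) -> str:
    """Per-agent rules are consulted first and override the global block for
    any command they match; otherwise the global block decides.
    A command that matches no rule at all is treated as 'deny' (assumption)."""
    if agent_bash:
        verdict = best_match(command, agent_bash)
        if verdict is not None:
            return verdict
    return best_match(command, global_bash) or "deny"

# Per-agent override that blocks bash entirely for one agent.
AGENT_NO_BASH: Permission = {"*": "deny"}

if __name__ == "__main__":
    for cmd in ("npm test", "git push origin main", "git push --tags"):
        print(f"{cmd!r}: global={resolve(cmd, GLOBAL_BASH)} "
              f"no-bash-agent={resolve(cmd, GLOBAL_BASH, AGENT_NO_BASH)}")
```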