Permission rework #6319
Merged
Permission rework #6319
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thdxr
force-pushed
the
permission-rework
branch
7 times, most recently
from
2964abd to
591cbd4
Compare
Contributor
Author
|
@copilot review this bitch |
Contributor
Contributor
Author
|
/review |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| return null | ||
| } | ||
|
|
||
| function DialogPermission() { |
Contributor
There was a problem hiding this comment.
Suggestion: This DialogPermission component is defined but never used or exported. Consider either completing and using it, or removing it to keep the codebase clean.
|
|
||
| export function Permission() { | ||
| const dialog = useDialog() | ||
| onMount(() => {}) |
Contributor
There was a problem hiding this comment.
Suggestion: The Permission component has an empty onMount callback that does nothing. This could be removed unless there are plans to add functionality later.
| import { useTheme } from "../context/theme" | ||
|
|
||
| export function Permission() { | ||
| const dialog = useDialog() |
Contributor
There was a problem hiding this comment.
Suggestion: The dialog variable is declared but never used in this component. Consider removing it or using it.
| @@ -0,0 +1,53 @@ | |||
| import { onMount } from "solid-js" | |||
| import { useDialog } from "../ui/dialog" | |||
| import { TextAttributes } from "@opentui/core" | |||
Contributor
There was a problem hiding this comment.
Suggestion: The TextAttributes import is unused in this file (only used in the unused DialogPermission component). Consider removing it along with the cleanup of unused code.
| gap={1} | ||
| paddingLeft={2} | ||
| paddingRight={2} | ||
| onKeyDown={(e) => { |
Contributor
There was a problem hiding this comment.
Suggestion: There is a console.log statement here that appears to be debug code. Consider removing it before merging.
thdxr
force-pushed
the
permission-rework
branch
3 times, most recently
from
96b1106 to
6c21fd1
Compare
Replaces legacy Permission.respond with PermissionNext.reply for better async handling and updates server endpoints to use the new permission system. Improves error handling in session processor to work with both old and new permission rejection types.
Removes permission setting from opencode config and adds test root configuration to prevent running tests from project root.
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 7, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 7, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 8, 2026
…omalyco#6319) for tool availability and tool execution
ryanwyler
added a commit
to gignit/opencode
that referenced
this pull request
Jan 8, 2026
## Problem The 'Hide tool details' toggle in the command palette (Ctrl+P) has no effect on the UI - completed tools are always displayed regardless of the setting. ## Root Cause The Permission rework commit 351ddee (merged 2026-01-01, PR anomalyco#6319) accidentally removed the showDetails check from the ToolPart function when refactoring the tool rendering system. ### Before Permission rework (working): ```typescript function ToolPart(props: { last: boolean; part: ToolPart; message: AssistantMessage }) { const { theme } = useTheme() const { showDetails } = use() // <-- Gets showDetails from context const sync = useSync() const [margin, setMargin] = createSignal(0) const component = createMemo(() => { // Hide tool if showDetails is false and tool completed successfully // But always show if there's an error or permission is required const shouldHide = !showDetails() && props.part.state.status === "completed" && !sync.data.permission[props.message.sessionID]?.some((x) => x.callID === props.part.callID) if (shouldHide) { return undefined // <-- Returns nothing, hiding the tool } // ... }) } ``` ### After Permission rework (broken): ```typescript function ToolPart(props: { last: boolean; part: ToolPart; message: AssistantMessage }) { const sync = useSync() // <-- No use() call! // <-- No showDetails check! const toolprops = { /* ... */ } return ( <Switch> // <-- Always renders all tools unconditionally </Switch> ) } ``` ## Fix Restore the showDetails check by: 1. Adding `const ctx = use()` to access the context 2. Adding a `shouldHide` memo with the original logic 3. Wrapping the return in `<Show when={!shouldHide()}>` The fix preserves the original behavior: - Hide completed tools when showDetails is false - Always show tools that are pending/running (so users see progress) - Always show tools that require permission (so users can respond)
This was referenced Jan 8, 2026
ryanwyler
added a commit
to gignit/opencode
that referenced
this pull request
Jan 8, 2026
## Problem The 'Hide tool details' toggle in the command palette (Ctrl+P) has no effect on the UI - completed tools are always displayed regardless of the setting. ## Root Cause The Permission rework commit 351ddee (merged 2026-01-01, PR anomalyco#6319) accidentally removed the showDetails check from the ToolPart function. ## Fix Restore the showDetails check with simplified logic: - Show all tools when showDetails is true - Show running/pending tools (so users see progress) - Hide completed tools when showDetails is false Removed the permission-based visibility check as the new PermissionPrompt dialog handles permissions separately at the bottom of the screen.
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 8, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 8, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 9, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 9, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 9, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 9, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 10, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 10, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 11, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 11, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 11, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 12, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 12, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 12, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 12, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 12, 2026
…omalyco#6319) for tool availability and tool execution
malhashemi
added a commit
to malhashemi/opencode
that referenced
this pull request
Jan 13, 2026
The permission rework in anomalyco#6319 removed the ability to override the default task tool restriction via agent frontmatter. Previously, agents could set `tools: { task: true }` to enable nested sub-agents. This fix restores that functionality using the new permission system: - Check if the agent's permission ruleset explicitly allows task tool - If so, don't add the deny rule to session permissions - If so, don't pass task: false to the tools parameter Agents can now enable nested sub-agents by setting: ```yaml permission: task: allow ``` The default behavior remains unchanged - task tool is disabled for sub-agents unless explicitly allowed.
malhashemi
added a commit
to malhashemi/opencode
that referenced
this pull request
Jan 13, 2026
The permission rework in anomalyco#6319 removed the ability to override the default task tool restriction via agent frontmatter. This fix checks if the agent has any task permission rule defined. If so, we don't add our default deny - letting the agent's permission take effect. If not specified, the default deny behavior is preserved.
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 13, 2026
…omalyco#6319) for tool availability and tool execution
Eric-Guo
added a commit
to Eric-Guo/opencode
that referenced
this pull request
Jan 13, 2026
…omalyco#6319) for tool availability and tool execution
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This is a major change that overhauls the permissions system in OpenCode.
Tools Merged into Permission
The
toolsconfiguration has been deprecated and merged into thepermissionfield. Previously, you could enable/disable tools like this:{ "tools": { "bash": true, "edit": false } }Now, this should be configured using
permission:{ "permission": { "bash": "allow", "edit": "deny" } }The old
toolsconfig is still supported for backwards compatibility and will be automatically migrated to the permission system.Granular Permissions with Object Syntax
Permissions now support granular control using an object syntax with pattern matching. When you specify a permission as an object, you can set different rules for different patterns:
{ "permission": { "bash": { "npm *": "allow", "git *": "allow", "rm *": "deny", "*": "ask" }, "edit": { "*.md": "allow", "*.ts": "ask", "*": "deny" } } }Each key in the object is a glob pattern that matches against the tool's input, and the value is the action to take:
"allow"- automatically approve"deny"- automatically reject"ask"- prompt the user for approvalYou can also set a blanket permission using a simple string:
{ "permission": { "bash": "allow", "edit": "ask" } }Or set all permissions at once:
{ "permission": "allow" }Breaking Changes for SDK Users
The permission events have changed significantly. The new
PermissionNextmodule (permission/next.ts) has a different event structure compared to the oldPermissionmodule (permission/index.ts):Old Event Structure (
Permission.Event):Updated:{ id, type, pattern, sessionID, messageID, callID, message, metadata, time }Replied:{ sessionID, permissionID, response }New Event Structure (
PermissionNext.Event):Asked:{ id, sessionID, permission, patterns, metadata, always, tool: { messageID, callID } }Replied:{ sessionID, requestID, reply }Key differences:
permission.updatedtopermission.askedtyperenamed topermissionpatternis nowpatterns(array of strings)messagefield removedresponserenamed toreplypermissionIDrenamed torequestIDalwaysfield contains patterns that would be approved for future requests if user selects "always"The reply values are the same:
"once","always", or"reject"Server Changes
POST /permission/:requestID/replyfor responding to permission requestsPOST /session/:sessionID/permissions/:permissionIDis now deprecatedGET /permissionnow returnsPermissionNext.Request[]instead ofPermission.Info[]server.corsconfig optionOther Changes
toolsfield is deprecated - usepermissioninsteadmaxStepsis deprecated - usestepsinsteadoptions