Description
Per-pattern permission rules defined under "grep" in opencode.json are not enforced.
Files set to "deny" in the grep rules still return their content when matched. The same pattern-based rules work correctly under "read" and "glob".
Expected behavior: grep should block matches inside files matching denied patterns, showing a permission denied message — the same way read and glob do.
Additional context: "read" and "glob" per-pattern rules work as expected with identical pattern syntax. The file include filter on grep appears to bypass the permission check entirely.
Plugins
None
OpenCode version
1.17.13
Steps to reproduce
- Create a project with .opencode/opencode.json:
{
"permission": {
"grep": {
"": "allow",
"/config.php": "deny"
}
}
}
- Create config.php with any content
- Run: grep with "pattern": "any-string", "include": "config.php"
- The config.php content is returned — no permission block
Screenshot and/or share link
No response
Operating System
Ubuntu 26.10
Terminal
Tabby
Description
Per-pattern permission rules defined under "grep" in opencode.json are not enforced.
Files set to "deny" in the grep rules still return their content when matched. The same pattern-based rules work correctly under "read" and "glob".
Expected behavior: grep should block matches inside files matching denied patterns, showing a permission denied message — the same way read and glob do.
Additional context: "read" and "glob" per-pattern rules work as expected with identical pattern syntax. The file include filter on grep appears to bypass the permission check entirely.
Plugins
None
OpenCode version
1.17.13
Steps to reproduce
{
"permission": {
"grep": {
"": "allow",
"/config.php": "deny"
}
}
}
Screenshot and/or share link
No response
Operating System
Ubuntu 26.10
Terminal
Tabby