Skip to content

grep tool ignores per-pattern deny permission rules #35503

Description

@CryptoSiD

Description

Per-pattern permission rules defined under "grep" in opencode.json are not enforced.
Files set to "deny" in the grep rules still return their content when matched. The same pattern-based rules work correctly under "read" and "glob".

Expected behavior: grep should block matches inside files matching denied patterns, showing a permission denied message — the same way read and glob do.

Additional context: "read" and "glob" per-pattern rules work as expected with identical pattern syntax. The file include filter on grep appears to bypass the permission check entirely.

Plugins

None

OpenCode version

1.17.13

Steps to reproduce

  1. Create a project with .opencode/opencode.json:
    {
    "permission": {
    "grep": {
    "": "allow",
    "
    /config.php": "deny"
    }
    }
    }
  2. Create config.php with any content
  3. Run: grep with "pattern": "any-string", "include": "config.php"
  4. The config.php content is returned — no permission block

Screenshot and/or share link

No response

Operating System

Ubuntu 26.10

Terminal

Tabby

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions