diff --git a/packages/opencode/src/tool/registry.ts b/packages/opencode/src/tool/registry.ts
index c49dbb00..1ff89f72 100644
--- a/packages/opencode/src/tool/registry.ts
+++ b/packages/opencode/src/tool/registry.ts
@@ -75,6 +75,9 @@ export namespace ToolRegistry {
 result["patch"] = false
 result["write"] = false
 }
+ if (cfg?.permission?.bash === "deny") {
+ result["bash"] = false
+ }
 if (modelID.toLowerCase().includes("claude")) {
 result["patch"] = false
diff --git a/packages/web/src/content/docs/docs/permissions.mdx b/packages/web/src/content/docs/docs/permissions.mdx
index 651546f7..a3de452d 100644
--- a/packages/web/src/content/docs/docs/permissions.mdx
+++ b/packages/web/src/content/docs/docs/permissions.mdx
@@ -21,6 +21,7 @@ Use the `permission.edit` key to control whether file editing operations require
 - `"ask"` - Prompt for approval before editing files
 - `"allow"` - Allow all file editing operations without approval
+- `"deny"` - Make all file editing tools disabled and unavailable
 ```json title="opencode.json" {4}
 {
@@ -41,7 +42,8 @@ Controls whether bash commands require user approval.
 You can specify which commands you want to have run without approval.
 :::
-This can be configured globally or with specific patterns. Setting this to `"ask"` is the strictest mode, requiring approval for all bash commands.
+This can be configured globally or with specific patterns. Setting this to `"ask"`, requiring approval for all bash commands.
+Setting this to `"deny"` is the strictest option, blocking LLM from running that command or command pattern.
 For example.
@@ -56,6 +58,19 @@ For example.
 }
 ```
+- **Disable all Terraform commands**
+
+ ```json title="opencode.json"
+ {
+ "$schema": "https://opencode.ai/config.json",
+ "permission": {
+ "bash": {
+ "terraform *": "deny"
+ }
+ }
+ }
+ ```
+
 - **Approve specific commands**
 ```json title="opencode.json"
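Review bot: The added guard `cfg?.permission?.bash === "deny"` matches only the scalar form of the setting, so a pattern object such as the `"bash": { "terraform *": "deny" }` example documented in this same commit leaves `result["bash"]` untouched and the bash tool stays registered for the model. Denied patterns then depend entirely on per-command matching done elsewhere, which this hunk does not show; it is worth confirming that path fails closed and adding a test that a pattern-level deny is actually refused. I would also state the split above the check, e.g. `// Scalar "deny" removes the bash tool entirely; pattern objects are not handled here and must be enforced when a command is run.` The enclosing function starts and ends outside the hunk, so the condition guarding the `patch`/`write` lines above cannot be checked from here.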