From e1f80c006761fd0d0f5eda36ce727970a3d4b272 Mon Sep 17 00:00:00 2001
From: Mariano Uvalle <u.g.a.mariano@gmail.com>
Date: Wed, 13 Aug 2025 06:01:17 -0700
Subject: [PATCH] Merge default agent permissions with global config (#1879)

---
 packages/opencode/src/agent/agent.ts | 59 +++++++++++++++++-----------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/packages/opencode/src/agent/agent.ts b/packages/opencode/src/agent/agent.ts
index aa9eeec8..7f0831c0 100644
--- a/packages/opencode/src/agent/agent.ts
+++ b/packages/opencode/src/agent/agent.ts
@@ -44,6 +44,8 @@ export namespace Agent {
       },
       webfetch: "allow",
     }
+    const agentPermission = mergeAgentPermissions(defaultPermission, cfg.permission ?? {})
+
     const result: Record<string, Info> = {
       general: {
         name: "general",
@@ -54,20 +56,20 @@ export namespace Agent {
           todowrite: false,
         },
         options: {},
-        permission: defaultPermission,
+        permission: agentPermission,
         mode: "subagent",
       },
       build: {
         name: "build",
         tools: {},
         options: {},
-        permission: defaultPermission,
+        permission: agentPermission,
         mode: "primary",
       },
       plan: {
         name: "plan",
         options: {},
-        permission: defaultPermission,
+        permission: agentPermission,
         tools: {
           write: false,
           edit: false,
@@ -86,7 +88,7 @@ export namespace Agent {
         item = result[key] = {
           name: key,
           mode: "all",
-          permission: defaultPermission,
+          permission: agentPermission,
           options: {},
           tools: {},
         }
@@ -108,25 +110,7 @@ export namespace Agent {
       if (mode) item.mode = mode
 
       if (permission ?? cfg.permission) {
-        const merged = mergeDeep(cfg.permission ?? {}, permission ?? {})
-        if (merged.edit) item.permission.edit = merged.edit
-        if (merged.webfetch) item.permission.webfetch = merged.webfetch
-        if (merged.bash) {
-          if (typeof merged.bash === "string") {
-            item.permission.bash = {
-              "*": merged.bash,
-            }
-          }
-          // if granular permissions are provided, default to "ask"
-          if (typeof merged.bash === "object") {
-            item.permission.bash = mergeDeep(
-              {
-                "*": "ask",
-              },
-              merged.bash,
-            )
-          }
-        }
+        item.permission = mergeAgentPermissions(cfg.permission ?? {}, permission ?? {})
       }
     }
     return result
@@ -170,3 +154,32 @@ export namespace Agent {
     return result.object
   }
 }
+
+function mergeAgentPermissions(basePermission: any, overridePermission: any): Agent.Info["permission"] {
+  const merged = mergeDeep(basePermission ?? {}, overridePermission ?? {}) as any
+  let mergedBash
+  if (merged.bash) {
+    if (typeof merged.bash === "string") {
+      mergedBash = {
+        "*": merged.bash,
+      }
+    }
+    // if granular permissions are provided, default to "ask"
+    if (typeof merged.bash === "object") {
+      mergedBash = mergeDeep(
+        {
+          "*": "ask",
+        },
+        merged.bash,
+      )
+    }
+  }
+
+  const result: Agent.Info["permission"] = {
+    edit: merged.edit ?? "allow",
+    webfetch: merged.webfetch ?? "allow",
+    bash: mergedBash ?? { "*": "allow" },
+  }
+
+  return result
+}