core: remove hardcoded .env read block and use new permissions model instead

2026-04-04 08:03:14 +00:00 · 2026-01-04 01:49:31 -06:00
parent c3fd3c8656
commit 3611260405
3 changed files with 42 additions and 34 deletions
--- a/packages/opencode/src/agent/agent.ts
+++ b/packages/opencode/src/agent/agent.ts
@@ -47,6 +47,13 @@ export namespace Agent {
      "*": "allow",
      doom_loop: "ask",
      external_directory: "ask",
+      // mirrors github.com/github/gitignore Node.gitignore pattern for .env files
+      read: {
+        "*": "allow",
+        "*.env": "deny",
+        "*.env.*": "deny",
+        "*.env.example": "allow",
+      },
    })
    const user = PermissionNext.fromConfig(cfg.permission ?? {})