@@ -80,12 +80,49 @@ Permission patterns use simple wildcard matching:
### Home Directory Expansion
-You can use `~` or `$HOME` at the start of a pattern to reference your home directory. This is particularly useful for `external_directory` rules.
+You can use `~` or `$HOME` at the start of a pattern to reference your home directory. This is particularly useful for [`external_directory`](#external-directories) rules.
- `~/projects/*` -> `/Users/username/projects/*`
- `$HOME/projects/*` -> `/Users/username/projects/*`
- `~` -> `/Users/username`
+### External Directories
+
+Use `external_directory` to allow tool calls that touch paths outside the working directory where OpenCode was started. This applies to any tool that takes a path as input (for example `read`, `edit`, `list`, `glob`, `grep`, and many `bash` commands).
+
+Home expansion (like `~/...`) only affects how a pattern is written. It does not make an external path part of the current workspace, so paths outside the working directory must still be allowed via `external_directory`.
+
+For example, this allows access to everything under `~/projects/personal/`:
+
+```json title="opencode.json"
+{
+ "$schema": "https://opencode.ai/config.json",
+ "permission": {
+ "external_directory": {
+ "~/projects/personal/**": "allow"
+ }
+ }
+}
+```
+
+Any directory allowed here inherits the same defaults as the current workspace. Since [`read` defaults to `allow`](#defaults), reads are also allowed for entries under `external_directory` unless overridden. Add explicit rules when a tool should be restricted in these paths, such as blocking edits while keeping reads:
+
+```json title="opencode.json"
+{
+ "$schema": "https://opencode.ai/config.json",
+ "permission": {
+ "external_directory": {
+ "~/projects/personal/**": "allow"
+ },
+ "edit": {
+ "~/projects/personal/**": "deny"
+ }
+ }
+}
+```
+
+Keep the list focused on trusted paths, and layer extra allow or deny rules as needed for other tools (for example `bash`).
+
---
## Available Permissions
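Review bot: the second `opencode.json` example in this hunk (the `"edit": { "~/projects/personal/**": "deny" }` rule) restricts only the `edit` tool, yet the section's opening paragraph says `external_directory` also governs `bash` commands that take a path, so a shell command issued by the agent could still write into that directory while the prose promises "blocking edits while keeping reads". Either extend the example with a matching `bash` rule for the same pattern, or state right next to it that the deny covers the `edit` tool alone and that the closing sentence about layering rules for other tools is where the `bash` case is handled. Minor: the new examples use `**` while the hunk header ("Permission patterns use simple wildcard matching") and the `~` expansion bullets above use a single `*`; say once whether `**` and `*` behave differently so readers do not have to guess which form to copy.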