fix: permission checks for external_directory and doom_loop (#4433)

Co-authored-by: Aiden Cline <[email protected]>
Co-authored-by: AerionDyseti <[email protected]>

packages/opencode/src/permission/index.ts

@@ -186,8 +186,13 @@ export namespace Permission {
       public readonly permissionID: string,
       public readonly toolCallID?: string,
       public readonly metadata?: Record<string, any>,
+      public readonly reason?: string,
     ) {
-      super(`The user rejected permission to use this specific tool call. You may try again with different parameters.`)
+      super(
+        reason !== undefined
+          ? reason
+          : `The user rejected permission to use this specific tool call. You may try again with different parameters.`,
+      )
     }
   }
 }

packages/opencode/src/session/processor.ts

@@ -136,6 +136,7 @@ export namespace SessionProcessor {
 
                     const parts = await MessageV2.parts(input.assistantMessage.id)
                     const lastThree = parts.slice(-DOOM_LOOP_THRESHOLD)
+
                     if (
                       lastThree.length === DOOM_LOOP_THRESHOLD &&
                       lastThree.every(
@@ -160,6 +161,17 @@ export namespace SessionProcessor {
                             input: value.input,
                           },
                         })
+                      } else if (permission.doom_loop === "deny") {
+                        throw new Permission.RejectedError(
+                          input.assistantMessage.sessionID,
+                          "doom_loop",
+                          value.toolCallId,
+                          {
+                            tool: value.toolName,
+                            input: value.input,
+                          },
+                          `You seem to be stuck in a doom loop, please stop repeating the same action`,
+                        )
                       }
                     }
                   }

packages/opencode/src/tool/edit.ts

@@ -57,6 +57,17 @@ export const EditTool = Tool.define("edit", {
             parentDir,
           },
         })
+      } else if (agent.permission.external_directory === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          {
+            filepath: filePath,
+            parentDir,
+          },
+          `File ${filePath} is not in the current working directory`,
+        )
       }
     }
 

packages/opencode/src/tool/patch.ts

@@ -68,6 +68,17 @@ export const PatchTool = Tool.define("patch", {
               parentDir,
             },
           })
+        } else if (agent.permission.external_directory === "deny") {
+          throw new Permission.RejectedError(
+            ctx.sessionID,
+            "external_directory",
+            ctx.callID,
+            {
+              filepath: filePath,
+              parentDir,
+            },
+            `File ${filePath} is not in the current working directory`,
+          )
         }
       }
 

packages/opencode/src/tool/read.ts

@@ -46,6 +46,17 @@ export const ReadTool = Tool.define("read", {
             parentDir,
           },
         })
+      } else if (agent.permission.external_directory === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          {
+            filepath: filepath,
+            parentDir,
+          },
+          `File ${filepath} is not in the current working directory`,
+        )
       }
     }
 

packages/opencode/src/tool/write.ts

@@ -36,6 +36,17 @@ export const WriteTool = Tool.define("write", {
             parentDir,
           },
         })
+      } else if (agent.permission.external_directory === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          {
+            filepath: filepath,
+            parentDir,
+          },
+          `File ${filepath} is not in the current working directory`,
+        )
       }
     }