feat: add granular external_directory permission configuration

packages/opencode/src/agent/agent.ts

@@ -33,7 +33,7 @@ export namespace Agent {
         skill: z.record(z.string(), Config.Permission),
         webfetch: Config.Permission.optional(),
         doom_loop: Config.Permission.optional(),
-        external_directory: Config.Permission.optional(),
+        external_directory: Config.ExternalDirectoryPermission.optional(),
       }),
       model: z
         .object({

packages/opencode/src/config/config.ts

@@ -388,6 +388,28 @@ export namespace Config {
   export const Permission = z.enum(["ask", "allow", "deny"])
   export type Permission = z.infer<typeof Permission>
 
+  export const DirectoryRulesObject = z
+    .object({
+      directories: z.record(z.string(), Permission).optional(),
+      default: Permission.optional(),
+    })
+    .strict()
+  export type DirectoryRulesObject = z.infer<typeof DirectoryRulesObject>
+
+  export const OperationPermission = z.union([Permission, DirectoryRulesObject])
+  export type OperationPermission = z.infer<typeof OperationPermission>
+
+  export const ExternalDirectoryPermission = z.union([
+    Permission,
+    z
+      .object({
+        read: OperationPermission.optional(),
+        write: OperationPermission.optional(),
+      })
+      .strict(),
+  ])
+  export type ExternalDirectoryPermission = z.infer<typeof ExternalDirectoryPermission>
+
   export const Command = z.object({
     template: z.string(),
     description: z.string().optional(),
@@ -425,7 +447,7 @@ export namespace Config {
           skill: z.union([Permission, z.record(z.string(), Permission)]).optional(),
           webfetch: Permission.optional(),
           doom_loop: Permission.optional(),
-          external_directory: Permission.optional(),
+          external_directory: ExternalDirectoryPermission.optional(),
         })
         .optional(),
     })
@@ -790,7 +812,7 @@ export namespace Config {
           skill: z.union([Permission, z.record(z.string(), Permission)]).optional(),
           webfetch: Permission.optional(),
           doom_loop: Permission.optional(),
-          external_directory: Permission.optional(),
+          external_directory: ExternalDirectoryPermission.optional(),
         })
         .optional(),
       tools: z.record(z.string(), z.boolean()).optional(),

packages/opencode/src/tool/bash.ts

@@ -15,6 +15,7 @@ import { fileURLToPath } from "url"
 import { Flag } from "@/flag/flag.ts"
 import path from "path"
 import { Shell } from "@/shell/shell"
+import { ExternalPermission } from "@/util/external-permission"
 
 const MAX_OUTPUT_LENGTH = Flag.OPENCODE_EXPERIMENTAL_BASH_MAX_OUTPUT_LENGTH || 30_000
 const DEFAULT_TIMEOUT = Flag.OPENCODE_EXPERIMENTAL_BASH_DEFAULT_TIMEOUT_MS || 2 * 60 * 1000
@@ -86,7 +87,8 @@ export const BashTool = Tool.define("bash", async () => {
       const checkExternalDirectory = async (dir: string) => {
         if (Filesystem.contains(Instance.directory, dir)) return
         const title = `This command references paths outside of ${Instance.directory}`
-        if (agent.permission.external_directory === "ask") {
+        const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, dir, "write")
+        if (externalPerm === "ask") {
           await Permission.ask({
             type: "external_directory",
             pattern: [dir, path.join(dir, "*")],
@@ -98,7 +100,7 @@ export const BashTool = Tool.define("bash", async () => {
               command: params.command,
             },
           })
-        } else if (agent.permission.external_directory === "deny") {
+        } else if (externalPerm === "deny") {
           throw new Permission.RejectedError(
             ctx.sessionID,
             "external_directory",

packages/opencode/src/tool/edit.ts

@@ -17,6 +17,7 @@ import { Filesystem } from "../util/filesystem"
 import { Instance } from "../project/instance"
 import { Agent } from "../agent/agent"
 import { Snapshot } from "@/snapshot"
+import { ExternalPermission } from "@/util/external-permission"
 
 const MAX_DIAGNOSTICS_PER_FILE = 20
 
@@ -46,7 +47,8 @@ export const EditTool = Tool.define("edit", {
     const filePath = path.isAbsolute(params.filePath) ? params.filePath : path.join(Instance.directory, params.filePath)
     if (!Filesystem.contains(Instance.directory, filePath)) {
       const parentDir = path.dirname(filePath)
-      if (agent.permission.external_directory === "ask") {
+      const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, filePath, "write")
+      if (externalPerm === "ask") {
         await Permission.ask({
           type: "external_directory",
           pattern: [parentDir, path.join(parentDir, "*")],
@@ -59,7 +61,7 @@ export const EditTool = Tool.define("edit", {
             parentDir,
           },
         })
-      } else if (agent.permission.external_directory === "deny") {
+      } else if (externalPerm === "deny") {
         throw new Permission.RejectedError(
           ctx.sessionID,
           "external_directory",
@@ -68,7 +70,7 @@ export const EditTool = Tool.define("edit", {
             filepath: filePath,
             parentDir,
           },
-          `File ${filePath} is not in the current working directory`,
+          `Access to ${filePath} is denied by external_directory permission`,
         )
       }
     }

packages/opencode/src/tool/glob.ts

@@ -4,6 +4,10 @@ import { Tool } from "./tool"
 import DESCRIPTION from "./glob.txt"
 import { Ripgrep } from "../file/ripgrep"
 import { Instance } from "../project/instance"
+import { Filesystem } from "../util/filesystem"
+import { Permission } from "../permission"
+import { Agent } from "../agent/agent"
+import { ExternalPermission } from "../util/external-permission"
 
 export const GlobTool = Tool.define("glob", {
   description: DESCRIPTION,
@@ -16,9 +20,36 @@ export const GlobTool = Tool.define("glob", {
         `The directory to search in. If not specified, the current working directory will be used. IMPORTANT: Omit this field to use the default directory. DO NOT enter "undefined" or "null" - simply omit it for the default behavior. Must be a valid directory path if provided.`,
       ),
   }),
-  async execute(params) {
-    let search = params.path ?? Instance.directory
-    search = path.isAbsolute(search) ? search : path.resolve(Instance.directory, search)
+  async execute(params, ctx) {
+    const search = params.path
+      ? path.isAbsolute(params.path)
+        ? params.path
+        : path.resolve(Instance.directory, params.path)
+      : Instance.directory
+    const agent = await Agent.get(ctx.agent)
+
+    if (!Filesystem.contains(Instance.directory, search)) {
+      const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, search, "read")
+      if (externalPerm === "ask") {
+        await Permission.ask({
+          type: "external_directory",
+          pattern: [search, path.join(search, "*")],
+          sessionID: ctx.sessionID,
+          messageID: ctx.messageID,
+          callID: ctx.callID,
+          title: `Search directory outside working directory: ${search}`,
+          metadata: { searchPath: search },
+        })
+      } else if (externalPerm === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          { searchPath: search },
+          `Access to ${search} is denied by external_directory permission`,
+        )
+      }
+    }
 
     const limit = 100
     const files = []

packages/opencode/src/tool/grep.ts

@@ -1,9 +1,14 @@
 import z from "zod"
+import path from "path"
 import { Tool } from "./tool"
 import { Ripgrep } from "../file/ripgrep"
 
 import DESCRIPTION from "./grep.txt"
 import { Instance } from "../project/instance"
+import { Filesystem } from "../util/filesystem"
+import { Permission } from "../permission"
+import { Agent } from "../agent/agent"
+import { ExternalPermission } from "../util/external-permission"
 
 const MAX_LINE_LENGTH = 2000
 
@@ -14,12 +19,40 @@ export const GrepTool = Tool.define("grep", {
     path: z.string().optional().describe("The directory to search in. Defaults to the current working directory."),
     include: z.string().optional().describe('File pattern to include in the search (e.g. "*.js", "*.{ts,tsx}")'),
   }),
-  async execute(params) {
+  async execute(params, ctx) {
     if (!params.pattern) {
       throw new Error("pattern is required")
     }
 
-    const searchPath = params.path || Instance.directory
+    const searchPath = params.path
+      ? path.isAbsolute(params.path)
+        ? params.path
+        : path.resolve(Instance.directory, params.path)
+      : Instance.directory
+    const agent = await Agent.get(ctx.agent)
+
+    if (!Filesystem.contains(Instance.directory, searchPath)) {
+      const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, searchPath, "read")
+      if (externalPerm === "ask") {
+        await Permission.ask({
+          type: "external_directory",
+          pattern: [searchPath, path.join(searchPath, "*")],
+          sessionID: ctx.sessionID,
+          messageID: ctx.messageID,
+          callID: ctx.callID,
+          title: `Search directory outside working directory: ${searchPath}`,
+          metadata: { searchPath },
+        })
+      } else if (externalPerm === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          { searchPath },
+          `Access to ${searchPath} is denied by external_directory permission`,
+        )
+      }
+    }
 
     const rgPath = await Ripgrep.filepath()
     const args = ["-nH", "--field-match-separator=|", "--regexp", params.pattern]

packages/opencode/src/tool/ls.ts

@@ -4,6 +4,10 @@ import * as path from "path"
 import DESCRIPTION from "./ls.txt"
 import { Instance } from "../project/instance"
 import { Ripgrep } from "../file/ripgrep"
+import { Filesystem } from "../util/filesystem"
+import { Permission } from "../permission"
+import { Agent } from "../agent/agent"
+import { ExternalPermission } from "../util/external-permission"
 
 export const IGNORE_PATTERNS = [
   "node_modules/",
@@ -40,8 +44,32 @@ export const ListTool = Tool.define("list", {
     path: z.string().describe("The absolute path to the directory to list (must be absolute, not relative)").optional(),
     ignore: z.array(z.string()).describe("List of glob patterns to ignore").optional(),
   }),
-  async execute(params) {
+  async execute(params, ctx) {
     const searchPath = path.resolve(Instance.directory, params.path || ".")
+    const agent = await Agent.get(ctx.agent)
+
+    if (!Filesystem.contains(Instance.directory, searchPath)) {
+      const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, searchPath, "read")
+      if (externalPerm === "ask") {
+        await Permission.ask({
+          type: "external_directory",
+          pattern: [searchPath, path.join(searchPath, "*")],
+          sessionID: ctx.sessionID,
+          messageID: ctx.messageID,
+          callID: ctx.callID,
+          title: `List directory outside working directory: ${searchPath}`,
+          metadata: { searchPath },
+        })
+      } else if (externalPerm === "deny") {
+        throw new Permission.RejectedError(
+          ctx.sessionID,
+          "external_directory",
+          ctx.callID,
+          { searchPath },
+          `Access to ${searchPath} is denied by external_directory permission`,
+        )
+      }
+    }
 
     const ignoreGlobs = IGNORE_PATTERNS.map((p) => `!${p}*`).concat(params.ignore?.map((p) => `!${p}`) || [])
     const files = []

packages/opencode/src/tool/patch.ts

@@ -11,6 +11,7 @@ import { Agent } from "../agent/agent"
 import { Patch } from "../patch"
 import { Filesystem } from "../util/filesystem"
 import { createTwoFilesPatch } from "diff"
+import { ExternalPermission } from "@/util/external-permission"
 
 const PatchParams = z.object({
   patchText: z.string().describe("The full patch text that describes all changes to be made"),
@@ -55,7 +56,8 @@ export const PatchTool = Tool.define("patch", {
 
       if (!Filesystem.contains(Instance.directory, filePath)) {
         const parentDir = path.dirname(filePath)
-        if (agent.permission.external_directory === "ask") {
+        const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, filePath, "write")
+        if (externalPerm === "ask") {
           await Permission.ask({
             type: "external_directory",
             pattern: [parentDir, path.join(parentDir, "*")],
@@ -68,7 +70,7 @@ export const PatchTool = Tool.define("patch", {
               parentDir,
             },
           })
-        } else if (agent.permission.external_directory === "deny") {
+        } else if (externalPerm === "deny") {
           throw new Permission.RejectedError(
             ctx.sessionID,
             "external_directory",
@@ -77,7 +79,7 @@ export const PatchTool = Tool.define("patch", {
               filepath: filePath,
               parentDir,
             },
-            `File ${filePath} is not in the current working directory`,
+            `Access to ${filePath} is denied by external_directory permission`,
           )
         }
       }
@@ -122,12 +124,45 @@ export const PatchTool = Tool.define("patch", {
 
           const diff = createTwoFilesPatch(filePath, filePath, oldContent, newContent)
 
+          const movePath = hunk.move_path ? path.resolve(Instance.directory, hunk.move_path) : undefined
+
+          // Check permission for move destination
+          if (movePath && !Filesystem.contains(Instance.directory, movePath)) {
+            const moveParentDir = path.dirname(movePath)
+            const moveExternalPerm = ExternalPermission.resolve(agent.permission.external_directory, movePath, "write")
+            if (moveExternalPerm === "ask") {
+              await Permission.ask({
+                type: "external_directory",
+                pattern: [moveParentDir, path.join(moveParentDir, "*")],
+                sessionID: ctx.sessionID,
+                messageID: ctx.messageID,
+                callID: ctx.callID,
+                title: `Move file to outside working directory: ${movePath}`,
+                metadata: {
+                  filepath: movePath,
+                  parentDir: moveParentDir,
+                },
+              })
+            } else if (moveExternalPerm === "deny") {
+              throw new Permission.RejectedError(
+                ctx.sessionID,
+                "external_directory",
+                ctx.callID,
+                {
+                  filepath: movePath,
+                  parentDir: moveParentDir,
+                },
+                `Access to ${movePath} is denied by external_directory permission`,
+              )
+            }
+          }
+
           fileChanges.push({
             filePath,
             oldContent,
             newContent,
-            type: hunk.move_path ? "move" : "update",
-            movePath: hunk.move_path ? path.resolve(Instance.directory, hunk.move_path) : undefined,
+            type: movePath ? "move" : "update",
+            movePath,
           })
 
           totalDiff += diff + "\n"

packages/opencode/src/tool/read.ts

@@ -11,6 +11,7 @@ import { Identifier } from "../id/id"
 import { Permission } from "../permission"
 import { Agent } from "@/agent/agent"
 import { iife } from "@/util/iife"
+import { ExternalPermission } from "@/util/external-permission"
 
 const DEFAULT_READ_LIMIT = 2000
 const MAX_LINE_LENGTH = 2000
@@ -32,7 +33,8 @@ export const ReadTool = Tool.define("read", {
 
     if (!ctx.extra?.["bypassCwdCheck"] && !Filesystem.contains(Instance.directory, filepath)) {
       const parentDir = path.dirname(filepath)
-      if (agent.permission.external_directory === "ask") {
+      const externalPerm = ExternalPermission.resolve(agent.permission.external_directory, filepath, "read")
+      if (externalPerm === "ask") {
         await Permission.ask({
           type: "external_directory",
           pattern: [parentDir, path.join(parentDir, "*")],
@@ -45,7 +47,7 @@ export const ReadTool = Tool.define("read", {
             parentDir,
           },
         })
-      } else if (agent.permission.external_directory === "deny") {
+      } else if (externalPerm === "deny") {
         throw new Permission.RejectedError(
           ctx.sessionID,
           "external_directory",
@@ -54,7 +56,7 @@ export const ReadTool = Tool.define("read", {
             filepath: filepath,
             parentDir,
           },
-          `File ${filepath} is not in the current working directory`,
+          `Access to ${filepath} is denied by external_directory permission`,
         )
       }
     }