sst · elithrar · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 25, 2025
diff --git a/packages/opencode/src/agent/agent.ts b/packages/opencode/src/agent/agent.ts
@@ -34,6 +34,7 @@ export namespace Agent {
         webfetch: Config.Permission.optional(),
         doom_loop: Config.Permission.optional(),
         external_directory: Config.Permission.optional(),
+        allow_tmpdir: z.boolean().optional(),
       }),
       model: z
         .object({
@@ -65,6 +66,7 @@ export namespace Agent {
       webfetch: "allow",
       doom_loop: "ask",
       external_directory: "ask",
+      allow_tmpdir: false,
     }
     const agentPermission = mergeAgentPermissions(defaultPermission, cfg.permission ?? {})
 
@@ -392,6 +394,7 @@ function mergeAgentPermissions(basePermission: any, overridePermission: any): Ag
     skill: mergedSkill ?? { "*": "allow" },
     doom_loop: merged.doom_loop,
     external_directory: merged.external_directory,
+    allow_tmpdir: merged.allow_tmpdir,
   }
 
   return result

diff --git a/packages/opencode/src/config/config.ts b/packages/opencode/src/config/config.ts
@@ -418,6 +418,7 @@ export namespace Config {
           webfetch: Permission.optional(),
           doom_loop: Permission.optional(),
           external_directory: Permission.optional(),
+          allow_tmpdir: z.boolean().optional(),
         })
         .optional(),
     })
@@ -770,6 +771,7 @@ export namespace Config {
           webfetch: Permission.optional(),
           doom_loop: Permission.optional(),
           external_directory: Permission.optional(),
+          allow_tmpdir: z.boolean().optional(),
         })
         .optional(),
       tools: z.record(z.string(), z.boolean()).optional(),

diff --git a/packages/opencode/src/tool/bash.ts b/packages/opencode/src/tool/bash.ts
@@ -85,6 +85,8 @@ export const BashTool = Tool.define("bash", async () => {
 
       const checkExternalDirectory = async (dir: string) => {
         if (Filesystem.contains(Instance.directory, dir)) return
+        const inTmpdir = agent.permission.allow_tmpdir && Filesystem.isInTmpdir(dir)
+        if (inTmpdir) return
         const title = `This command references paths outside of ${Instance.directory}`
         if (agent.permission.external_directory === "ask") {
           await Permission.ask({

diff --git a/packages/opencode/src/tool/edit.ts b/packages/opencode/src/tool/edit.ts
@@ -46,30 +46,33 @@ export const EditTool = Tool.define("edit", {
     const filePath = path.isAbsolute(params.filePath) ? params.filePath : path.join(Instance.directory, params.filePath)
     if (!Filesystem.contains(Instance.directory, filePath)) {
       const parentDir = path.dirname(filePath)
-      if (agent.permission.external_directory === "ask") {
-        await Permission.ask({
-          type: "external_directory",
-          pattern: [parentDir, path.join(parentDir, "*")],
-          sessionID: ctx.sessionID,
-          messageID: ctx.messageID,
-          callID: ctx.callID,
-          title: `Edit file outside working directory: ${filePath}`,
-          metadata: {
-            filepath: filePath,
-            parentDir,
-          },
-        })
-      } else if (agent.permission.external_directory === "deny") {
-        throw new Permission.RejectedError(
-          ctx.sessionID,
-          "external_directory",
-          ctx.callID,
-          {
-            filepath: filePath,
-            parentDir,
-          },
-          `File ${filePath} is not in the current working directory`,
-        )
+      const inTmpdir = agent.permission.allow_tmpdir && Filesystem.isInTmpdir(filePath)
+      if (!inTmpdir) {
+        if (agent.permission.external_directory === "ask") {
+          await Permission.ask({
+            type: "external_directory",
+            pattern: [parentDir, path.join(parentDir, "*")],
+            sessionID: ctx.sessionID,
+            messageID: ctx.messageID,
+            callID: ctx.callID,
+            title: `Edit file outside working directory: ${filePath}`,
+            metadata: {
+              filepath: filePath,
+              parentDir,
+            },
+          })
+        } else if (agent.permission.external_directory === "deny") {
+          throw new Permission.RejectedError(
+            ctx.sessionID,
+            "external_directory",
+            ctx.callID,
+            {
+              filepath: filePath,
+              parentDir,
+            },
+            `File ${filePath} is not in the current working directory`,
+          )
+        }
       }
     }
 

diff --git a/packages/opencode/src/tool/patch.ts b/packages/opencode/src/tool/patch.ts
@@ -55,30 +55,33 @@ export const PatchTool = Tool.define("patch", {
 
       if (!Filesystem.contains(Instance.directory, filePath)) {
         const parentDir = path.dirname(filePath)
-        if (agent.permission.external_directory === "ask") {
-          await Permission.ask({
-            type: "external_directory",
-            pattern: [parentDir, path.join(parentDir, "*")],
-            sessionID: ctx.sessionID,
-            messageID: ctx.messageID,
-            callID: ctx.callID,
-            title: `Patch file outside working directory: ${filePath}`,
-            metadata: {
-              filepath: filePath,
-              parentDir,
-            },
-          })
-        } else if (agent.permission.external_directory === "deny") {
-          throw new Permission.RejectedError(
-            ctx.sessionID,
-            "external_directory",
-            ctx.callID,
-            {
-              filepath: filePath,
-              parentDir,
-            },
-            `File ${filePath} is not in the current working directory`,
-          )
+        const inTmpdir = agent.permission.allow_tmpdir && Filesystem.isInTmpdir(filePath)
+        if (!inTmpdir) {
+          if (agent.permission.external_directory === "ask") {
+            await Permission.ask({
+              type: "external_directory",
+              pattern: [parentDir, path.join(parentDir, "*")],
+              sessionID: ctx.sessionID,
+              messageID: ctx.messageID,
+              callID: ctx.callID,
+              title: `Patch file outside working directory: ${filePath}`,
+              metadata: {
+                filepath: filePath,
+                parentDir,
+              },
+            })
+          } else if (agent.permission.external_directory === "deny") {
+            throw new Permission.RejectedError(
+              ctx.sessionID,
+              "external_directory",
+              ctx.callID,
+              {
+                filepath: filePath,
+                parentDir,
+              },
+              `File ${filePath} is not in the current working directory`,
+            )
+          }
         }
       }
 

diff --git a/packages/opencode/src/tool/read.ts b/packages/opencode/src/tool/read.ts
@@ -32,30 +32,33 @@ export const ReadTool = Tool.define("read", {
 
     if (!ctx.extra?.["bypassCwdCheck"] && !Filesystem.contains(Instance.directory, filepath)) {
       const parentDir = path.dirname(filepath)
-      if (agent.permission.external_directory === "ask") {
-        await Permission.ask({
-          type: "external_directory",
-          pattern: [parentDir, path.join(parentDir, "*")],
-          sessionID: ctx.sessionID,
-          messageID: ctx.messageID,
-          callID: ctx.callID,
-          title: `Access file outside working directory: ${filepath}`,
-          metadata: {
-            filepath,
-            parentDir,
-          },
-        })
-      } else if (agent.permission.external_directory === "deny") {
-        throw new Permission.RejectedError(
-          ctx.sessionID,
-          "external_directory",
-          ctx.callID,
-          {
-            filepath: filepath,
-            parentDir,
-          },
-          `File ${filepath} is not in the current working directory`,
-        )
+      const inTmpdir = agent.permission.allow_tmpdir && Filesystem.isInTmpdir(filepath)
+      if (!inTmpdir) {
+        if (agent.permission.external_directory === "ask") {
+          await Permission.ask({
+            type: "external_directory",
+            pattern: [parentDir, path.join(parentDir, "*")],
+            sessionID: ctx.sessionID,
+            messageID: ctx.messageID,
+            callID: ctx.callID,
+            title: `Access file outside working directory: ${filepath}`,
+            metadata: {
+              filepath,
+              parentDir,
+            },
+          })
+        } else if (agent.permission.external_directory === "deny") {
+          throw new Permission.RejectedError(
+            ctx.sessionID,
+            "external_directory",
+            ctx.callID,
+            {
+              filepath: filepath,
+              parentDir,
+            },
+            `File ${filepath} is not in the current working directory`,
+          )
+        }
       }
     }
 

diff --git a/packages/opencode/src/tool/write.ts b/packages/opencode/src/tool/write.ts
@@ -26,30 +26,33 @@ export const WriteTool = Tool.define("write", {
     const filepath = path.isAbsolute(params.filePath) ? params.filePath : path.join(Instance.directory, params.filePath)
     if (!Filesystem.contains(Instance.directory, filepath)) {
       const parentDir = path.dirname(filepath)
-      if (agent.permission.external_directory === "ask") {
-        await Permission.ask({
-          type: "external_directory",
-          pattern: [parentDir, path.join(parentDir, "*")],
-          sessionID: ctx.sessionID,
-          messageID: ctx.messageID,
-          callID: ctx.callID,
-          title: `Write file outside working directory: ${filepath}`,
-          metadata: {
-            filepath,
-            parentDir,
-          },
-        })
-      } else if (agent.permission.external_directory === "deny") {
-        throw new Permission.RejectedError(
-          ctx.sessionID,
-          "external_directory",
-          ctx.callID,
-          {
-            filepath: filepath,
-            parentDir,
-          },
-          `File ${filepath} is not in the current working directory`,
-        )
+      const inTmpdir = agent.permission.allow_tmpdir && Filesystem.isInTmpdir(filepath)
+      if (!inTmpdir) {
+        if (agent.permission.external_directory === "ask") {
+          await Permission.ask({
+            type: "external_directory",
+            pattern: [parentDir, path.join(parentDir, "*")],
+            sessionID: ctx.sessionID,
+            messageID: ctx.messageID,
+            callID: ctx.callID,
+            title: `Write file outside working directory: ${filepath}`,
+            metadata: {
+              filepath,
+              parentDir,
+            },
+          })
+        } else if (agent.permission.external_directory === "deny") {
+          throw new Permission.RejectedError(
+            ctx.sessionID,
+            "external_directory",
+            ctx.callID,
+            {
+              filepath: filepath,
+              parentDir,
+            },
+            `File ${filepath} is not in the current working directory`,
+          )
+        }
       }
     }
 

diff --git a/packages/opencode/src/util/filesystem.ts b/packages/opencode/src/util/filesystem.ts
@@ -1,6 +1,7 @@
 import { realpathSync } from "fs"
 import { exists } from "fs/promises"
 import { dirname, join, relative } from "path"
+import os from "os"
 
 export namespace Filesystem {
   /**
@@ -80,4 +81,63 @@ export namespace Filesystem {
     }
     return result
   }
+
+  /**
+   * Get the system's temporary directory with symlink resolution.
+   * Handles platform differences:
+   * - Linux: Usually /tmp
+   * - macOS: /var/folders/.../T/ (symlinked from /tmp -> /private/tmp)
+   * - Windows: C:\Users\<user>\AppData\Local\Temp
+   */
+  export function tmpdir(): string {
+    const tmp = os.tmpdir()
+    try {
+      return realpathSync(tmp)
+    } catch {
+      return tmp
+    }
+  }
+
+  /**
+   * Check if child path is within parent, with symlink resolution.
+   * Prevents symlink traversal attacks.
+   */
+  export function containsResolved(parent: string, child: string): boolean {
+    try {
+      const resolvedParent = realpathSync(parent)
+      const resolvedChild = realpathSync(child)
+      return !relative(resolvedParent, resolvedChild).startsWith("..")
+    } catch {
+      // Path doesn't exist yet (e.g., file being created)
+      // Walk up the child path to find the first existing ancestor and resolve from there
+      try {
+        const resolvedParent = realpathSync(parent)
+        let current = child
+        let suffix = ""
+        while (current !== dirname(current)) {
+          try {
+            const resolvedCurrent = realpathSync(current)
+            const resolvedChild = suffix ? join(resolvedCurrent, suffix) : resolvedCurrent
+            return !relative(resolvedParent, resolvedChild).startsWith("..")
+          } catch {
+            // This level doesn't exist, move up
+            const base = current.split(/[/\\]/).pop()!
+            suffix = suffix ? join(base, suffix) : base
+            current = dirname(current)
+          }
+        }
+        // No ancestor exists, fall back to unresolved comparison
+        return !relative(parent, child).startsWith("..")
+      } catch {
+        return !relative(parent, child).startsWith("..")
+      }
+    }
+  }
+
+  /**
+   * Check if path is within the system tmpdir
+   */
+  export function isInTmpdir(filepath: string): boolean {
+    return containsResolved(tmpdir(), filepath)
+  }
 }