Bug Report
Summary
guardrail.ts プラグインが .env.example ファイルの読み取りをブロックします。opencode.json では "*.env.example": "allow" と明示的に許可しているにもかかわらず。
Root Cause
Two locations in packages/guardrails/profile/plugins/guardrail.ts are affected:
1. sec regex (L5):
const sec = [
/(^|\/)\.env($|\.)/i, // matches .env.example because .env. satisfies \.env\.
]
2. bash command check (L642):
if (has(file, sec) || file.includes(".opencode/guardrails/")) {
throw new Error(text("shell access to protected files"))
}file here is the full command string, so cat backend/.env.example is matched by the sec pattern.
This produces two distinct error messages:
- Read tool:
Guardrail policy blocked this action: secret material is outside the allowed read surface
- Bash tool:
Guardrail policy blocked this action: shell access to protected files
Conflict with opencode.json
packages/guardrails/profile/opencode.json already expresses the correct intent:
"read": {
"*.env": "deny",
"*.env.*": "deny",
"*.env.example": "allow"
}The plugin fires in tool.execute.before before permission evaluation, so the config allowlist is never reached.
Impact
Agents investigating Docker/service configurations cannot read .env.example template files. This slows down legitimate debugging workflows unnecessarily.
Proposed Fix
Option A — Narrow the sec regex with a negative lookahead:
/(^|\/)\.env($|\.)(?!example)/i
Option B — Add an early return in deny() and the bash check:
function deny(file: string, kind: "read" | "edit") {
const item = rel(input.worktree, file)
if (item.endsWith(".env.example")) return // template files are safe
if (kind === "read" && has(item, sec)) return "secret material is outside the allowed read surface"
...
}The same exception must be applied to the bash command check at L642.
Steps to Reproduce
- Enable the guardrails profile in opencode
- Ask an agent to read
backend/.env.example or run cat backend/.env.example
- Observe:
Guardrail policy blocked this action
Environment
- File:
packages/guardrails/profile/plugins/guardrail.ts
- Config:
packages/guardrails/profile/opencode.json
Bug Report
Summary
guardrail.tsプラグインが.env.exampleファイルの読み取りをブロックします。opencode.jsonでは"*.env.example": "allow"と明示的に許可しているにもかかわらず。Root Cause
Two locations in
packages/guardrails/profile/plugins/guardrail.tsare affected:1.
secregex (L5):2. bash command check (L642):
filehere is the full command string, socat backend/.env.exampleis matched by thesecpattern.This produces two distinct error messages:
Guardrail policy blocked this action: secret material is outside the allowed read surfaceGuardrail policy blocked this action: shell access to protected filesConflict with opencode.json
packages/guardrails/profile/opencode.jsonalready expresses the correct intent:The plugin fires in
tool.execute.beforebefore permission evaluation, so the config allowlist is never reached.Impact
Agents investigating Docker/service configurations cannot read
.env.exampletemplate files. This slows down legitimate debugging workflows unnecessarily.Proposed Fix
Option A — Narrow the
secregex with a negative lookahead:/(^|\/)\.env($|\.)(?!example)/iOption B — Add an early return in
deny()and the bash check:The same exception must be applied to the bash command check at L642.
Steps to Reproduce
backend/.env.exampleor runcat backend/.env.exampleGuardrail policy blocked this actionEnvironment
packages/guardrails/profile/plugins/guardrail.tspackages/guardrails/profile/opencode.json