
fix(opencode): preserve safe parent permissions in task child sessions #23290

Open
remorses wants to merge 1 commit into anomalyco:dev from remorses:fix-subagent-session-permissions

@remorses
Contributor

Issue for this PR

Closes #20549

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

When `task` creates a child session, it now carries over only the parent session's `external_directory` rules and deny rules.

That fixes repeated prompts for trusted external paths while avoiding broad allow-rule inheritance that could make restrictive subagents like `explore` writable.

How did you verify your code works?

  • `bunx prettier --write packages/opencode/src/tool/task.ts packages/opencode/test/tool/task.test.ts`
  • `bun test --timeout 30000 test/tool/task.test.ts`
  • `bun typecheck`

Screenshots / recordings

Not applicable.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR

Carry forward only transitive-safe session rules when `task` creates a child session.
This keeps parent `external_directory` approvals and deny rules so subagents stop re-prompting for trusted paths, while avoiding broad allow-rule inheritance that could accidentally grant write access to restrictive agents like `explore`.

Verification:
- bunx prettier --write packages/opencode/src/tool/task.ts packages/opencode/test/tool/task.test.ts
- bun test --timeout 30000 test/tool/task.test.ts
- bun typecheck

Session: ses_25fac94daffeLwJ8p3cQRCI5pF
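
The inheritance rule described in this PR, as an added sketch that is not code from the PR or from opencode: the `Rule` shape, the last-match-wins `evaluate`, the simplified glob, the merge order and the sample rules are all assumptions made for illustration. It contrasts copying every parent session rule into an `explore`-style child with copying only `external_directory` rules and deny rules.

```typescript
// Added illustration; rule shape and evaluation order are assumptions, not opencode's code.
type Action = "allow" | "deny" | "ask"
interface Rule { permission: string; pattern: string; action: Action }

// Simplified glob for this sketch: "*" matches any run of characters.
function matches(glob: string, value: string): boolean {
  const escaped = glob.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
  return new RegExp("^" + escaped.join(".*") + "$").test(value)
}

// Assumed semantics: the last matching rule wins, no match falls back to "ask".
function evaluate(rules: Rule[], permission: string, target: string): Action {
  for (const r of [...rules].reverse()) {
    if (matches(r.permission, permission) && matches(r.pattern, target)) return r.action
  }
  return "ask"
}

// What the PR describes: carry over external_directory rules and deny rules only.
function inheritSafe(parent: Rule[]): Rule[] {
  return parent.filter((r) => r.permission === "external_directory" || r.action === "deny")
}

// Assumed merge order: the agent's own rules first, inherited session rules after.
function childRules(agent: Rule[], inherited: Rule[]): Rule[] {
  return [...agent, ...inherited]
}

// Constructed sample data: a parent session that approved edits and one external path.
const parentSession: Rule[] = [
  { permission: "edit", pattern: "*", action: "allow" },
  { permission: "external_directory", pattern: "/srv/shared/*", action: "allow" },
  { permission: "bash", pattern: "rm *", action: "deny" },
]
// Constructed read-only agent in the style of `explore`.
const exploreAgent: Rule[] = [{ permission: "edit", pattern: "*", action: "deny" }]

// Copying every parent rule lets the parent's edit allow override the agent's deny.
const naive = childRules(exploreAgent, parentSession)
// Filtering first keeps the agent read-only while trusted paths stop prompting.
const safe = childRules(exploreAgent, inheritSafe(parentSession))

console.log("naive edit:", evaluate(naive, "edit", "src/a.ts"))
console.log("safe edit:", evaluate(safe, "edit", "src/a.ts"))
console.log("safe external:", evaluate(safe, "external_directory", "/srv/shared/notes.md"))
```

Deny rules are safe to carry over because they can only narrow what the child may do; an inherited allow rule is the one kind that can widen it.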
@github-actions
Contributor

The following comment was made by an LLM, it may be inaccurate:

Based on my search results, I found related PRs that address similar permission and restriction preservation issues in task child sessions:

Related PRs:

  1. fix(task): preserve subagent todo permissions #18202

    • Directly related to preserving permissions when creating subagent sessions
  2. fix(opencode): preserve readonly subagent restrictions across compaction #18764

    • Addresses preserving restrictions across session operations, similar concern to this PR
  3. fix: subagent permissions bypass and Lost restrictions after compaction #21661

    • Handles permission and restriction preservation issues
  4. fix: avoid external_directory prompt for global AGENTS.md #18721

    • Related to the external_directory prompts that this PR aims to reduce
  5. feat: Use proper globbing for "edit", "read" and "external_directory" permissions #22676

    • Recent work on external_directory permission handling

These PRs are related to the same codebase area (task tool, permissions, subagent sessions) but don't appear to be direct duplicates of PR #23290. Your PR is specifically addressing the narrow issue of preserving only safe parent permissions (external_directory and deny rules) when task creates child sessions.

Development

Successfully merging this pull request may close these issues.

Improve transitive permissions for agents subagents and tasks
