opencode-permission
# OpenCode Permission Manager

Manage `permission` rules in `~/.config/opencode/opencode.jsonc`. Add, remove, list, or format auto-approval rules for shell commands and tool invocations.

## Workflow
- Identify the rule string(s) and action from the user's request (e.g., `"kubectl get *"` → `allow`)
- Determine the subcommand: `add`/`remove`/`list`/`list-all`/`format`
- Run the bundled script:

  ```bash
  # add a single rule
  uv run --script <skill-path>/scripts/manage_permission.py add "kubectl get *" --action allow
  # add several rules at once
  uv run --script <skill-path>/scripts/manage_permission.py add "kubectl get *" "kubectl describe *" "kubectl logs *"
  ```

- Confirm the change was written
- Remind the user: OpenCode must be restarted after the configuration change before it takes effect
## Behaviors

- Automatic backup: `add`/`remove`/`format` create a timestamped backup before writing, named `opencode.jsonc.YYYYMMDDTHHMMSS.bak`; each change keeps its own backup.
- Automatic formatting: after `add`/`remove` completes, the bash section is normalized so that each rule occupies its own line.
- Batch add: `add` accepts multiple positional arguments, so several rules can be added in a single run.
## Command Reference

### Add rules

```bash
# single rule (default action=allow)
uv run --script manage_permission.py add "kubectl get *"

# batch add
uv run --script manage_permission.py add "kubectl get *" "kubectl describe *" "kubectl logs *"

# specify the action
uv run --script manage_permission.py add "git commit *" --action ask
uv run --script manage_permission.py add "rm -rf *" --action deny

# custom config path
uv run --script manage_permission.py add "kubectl get *" --config /path/to/opencode.jsonc
```

### Remove a rule

```bash
uv run --script manage_permission.py remove "kubectl get *"
```

### List rules

```bash
# List permission.bash only
uv run --script manage_permission.py list

# List all permission categories (bash, read, edit, etc.)
uv run --script manage_permission.py list-all
```

### Format rules

```bash
# format bash rules (one per line, with automatic backup)
uv run --script manage_permission.py format
```

## Rule Format Reference
### Permission actions

| Value | Meaning |
|---|---|
| `allow` | Auto-execute, no confirmation needed |
| `ask` | Prompt for confirmation each time |
| `deny` | Block the command entirely |
### Wildcard syntax

| Symbol | Meaning | Example |
|---|---|---|
| `*` | Matches zero or more characters | `"git status *"` |
| `?` | Matches exactly one character | |

Important: `"git status"` only matches `git status` with no arguments. To match `git status` with arguments, use `"git status *"`.

### Available permission keys
| Key | Matches | Description |
|---|---|---|
| `bash` | Shell command pattern | Command execution (e.g., `"kubectl get *"`) |
| `read` | File path | File reading operations |
| `edit` | File path | File modifications (edit/write/patch) |
| `glob` | Glob pattern | File wildcard search |
| `grep` | Regex pattern | Content search |
| `list` | Directory path | Directory listing |
| `task` | Subagent type | Subagent spawning |
| `lsp` | LSP query | Language server queries |
| `skill` | Skill name | Skill loading |
| `external_directory` | File path | Access outside working directory |
| `todowrite` | — | Todo writing (simple, no pattern matching) |
| `question` | — | Asking user questions (simple) |
| `webfetch` | URL | Web fetching (simple) |
| `websearch`, `codesearch` | Search query | Web/code search (simple) |
| `doom_loop` | — | Repeated tool call detection (simple) |

Simple keys (no pattern matching) accept only `"allow"`, `"ask"`, or `"deny"` as a string value.

## Rule matching logic
- Last matching rule wins — more specific rules override `"*"` defaults
- Common pattern: set `"*": "ask"` as the fallback, then add specific `allow` rules
- Supports `~` and `$HOME` path expansion for file-related keys
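To make the matching rules above concrete, here is an added Python example (not the skill's `manage_permission.py` and not OpenCode's own matcher) that resolves sample commands against a constructed `permission.bash` rule map and flags `allow` rules that contain no literal text at all; the translation of `*`/`?` into a regex is this example's assumption about the semantics.

```python
import re

# Constructed sample of a permission.bash rule map, in the order it would
# appear in opencode.jsonc (insertion order matters: the last match wins).
BASH_RULES = {
    "*": "ask",
    "git status": "allow",          # no trailing "*": bare command only
    "kubectl get *": "allow",
    "kubectl get secrets*": "ask",  # later, narrower rule overrides the allow
    "rm -rf *": "deny",
}

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a rule pattern into an anchored regex: '*' matches any run
    of characters (including none), '?' exactly one, all else literally.
    This translation is the example's own assumption about the semantics."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def resolve(command: str, rules: dict, default: str = "ask") -> str:
    """Return the action for `command`: the last rule whose pattern fully
    matches wins; a command matched by no rule falls back to `default`."""
    action = default
    for pattern, rule_action in rules.items():
        if pattern_to_regex(pattern).fullmatch(command):
            action = rule_action
    return action

def unanchored_allows(rules: dict) -> list:
    """Flag allow rules with no literal text (e.g. "*"), which would
    auto-approve every shell command and deserve a second look in review."""
    return [p for p, a in rules.items() if a == "allow" and p.strip("*? ") == ""]

if __name__ == "__main__":
    for cmd in ["git status", "git status --short", "kubectl get pods",
                "kubectl get secrets -A", "rm -rf /tmp/build", "curl https://example.invalid"]:
        print(f"{cmd!r:38} -> {resolve(cmd, BASH_RULES)}")
    print("unanchored allow rules:", unanchored_allows(BASH_RULES))
```

Running it shows that `"git status"` does not cover `git status --short`, and that the narrower `secrets` rule takes precedence over the earlier `kubectl get *` allow because it comes last.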
## Configuration file format

- Location: `~/.config/opencode/opencode.jsonc` (global) or `<project>/.opencode/opencode.jsonc` (project-level)
- Format: JSONC (JSON with Comments) — supports `//` and `/* */` comments
- Structure:

  ```jsonc
  {
    "permission": {
      "edit": "ask",
      "bash": {
        "*": "ask",
        "kubectl get *": "allow",
        "git status *": "allow"
      }
    }
  }
  ```

- Agent-level override: rules can also be set per-agent in the `agent` section, where they take precedence over global rules
## Examples

### Allow all kubectl read operations

```bash
uv run --script manage_permission.py add \
  "kubectl get *" \
  "kubectl describe *" \
  "kubectl logs *" \
  "kubectl top *" \
  "kubectl explain *" \
  "kubectl diff *" \
  "kubectl auth can-i *"
```

### Allow git commit but require confirmation for push

```bash
uv run --script manage_permission.py add "git commit *" --action allow
uv run --script manage_permission.py add "git push *" --action ask
```

### Block dangerous commands

```bash
uv run --script manage_permission.py add "rm -rf *" --action deny
```

### Format existing config

```bash
uv run --script manage_permission.py format
```

### View current rules

```bash
uv run --script manage_permission.py list
```

## Notes
- Uses `json-five` (ModelLoader/ModelDumper) to preserve all existing comments during read-modify-write cycles.
- New rules are appended to the end of `permission.bash`; after writing, the bash section is automatically formatted to one rule per line.
- `add`/`remove`/`format` create a timestamped backup before writing (e.g., `opencode.jsonc.20260428T153045.bak`).