monadical/opencode
14
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

chore(docs): Better explanation on how to allow tools in external directories (#10862)

Browse Source
This commit is contained in:
OpeOginni
2026-01-27 17:00:10 +01:00
committed by GitHub
parent dbc8d7edca
commit 0aa93379bd
1 changed files with 38 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
packages/web/src/content/docs/permissions.mdx
View File

@@ -80,12 +80,49 @@ Permission patterns use simple wildcard matching:
### Home Directory Expansion ### Home Directory Expansion
You can use `~` or `$HOME` at the start of a pattern to reference your home directory. This is particularly useful for `external_directory` rules. You can use `~` or `$HOME` at the start of a pattern to reference your home directory. This is particularly useful for [`external_directory`](#external-directories) rules.
- `~/projects/*` -> `/Users/username/projects/*` - `~/projects/*` -> `/Users/username/projects/*`
- `$HOME/projects/*` -> `/Users/username/projects/*` - `$HOME/projects/*` -> `/Users/username/projects/*`
- `~` -> `/Users/username` - `~` -> `/Users/username`
### External Directories
Use `external_directory` to allow tool calls that touch paths outside the working directory where OpenCode was started. This applies to any tool that takes a path as input (for example `read`, `edit`, `list`, `glob`, `grep`, and many `bash` commands).
Home expansion (like `~/...`) only affects how a pattern is written. It does not make an external path part of the current workspace, so paths outside the working directory must still be allowed via `external_directory`.
For example, this allows access to everything under `~/projects/personal/`:
```json title="opencode.json"
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"external_directory": {
"~/projects/personal/**": "allow"
}
}
}
```
Any directory allowed here inherits the same defaults as the current workspace. Since [`read` defaults to `allow`](#defaults), reads are also allowed for entries under `external_directory` unless overridden. Add explicit rules when a tool should be restricted in these paths, such as blocking edits while keeping reads:
```json title="opencode.json"
{
"$schema": "https://opencode.ai/config.json",
"permission": {
"external_directory": {
"~/projects/personal/**": "allow"
},
"edit": {
"~/projects/personal/**": "deny"
}
}
}
```
Keep the list focused on trusted paths, and layer extra allow or deny rules as needed for other tools (for example `bash`).
--- ---
## Available Permissions ## Available Permissions