core: remove hardcoded .env read block and use new permissions model instead

packages/opencode/test/tool/read.test.ts

@@ -3,7 +3,8 @@ import path from "path"
 import { ReadTool } from "../../src/tool/read"
 import { Instance } from "../../src/project/instance"
 import { tmpdir } from "../fixture/fixture"
-import type { PermissionNext } from "../../src/permission/next"
+import { PermissionNext } from "../../src/permission/next"
+import { Agent } from "../../src/agent/agent"
 
 const ctx = {
   sessionID: "test",
@@ -122,29 +123,45 @@ describe("tool.read external_directory permission", () => {
 })
 
 describe("tool.read env file blocking", () => {
-  test.each([
+  const cases: [string, boolean][] = [
     [".env", true],
     [".env.local", true],
     [".env.production", true],
-    [".env.sample", false],
+    [".env.development.local", true],
     [".env.example", false],
     [".envrc", false],
     ["environment.ts", false],
-  ])("%s blocked=%s", async (filename, blocked) => {
-    await using tmp = await tmpdir({
-      init: (dir) => Bun.write(path.join(dir, filename), "content"),
-    })
-    await Instance.provide({
-      directory: tmp.path,
-      fn: async () => {
-        const read = await ReadTool.init()
-        const promise = read.execute({ filePath: path.join(tmp.path, filename) }, ctx)
-        if (blocked) {
-          await expect(promise).rejects.toThrow("blocked")
-        } else {
-          expect((await promise).output).toContain("content")
-        }
-      },
+  ]
+
+  describe.each(["build", "plan"])("agent=%s", (agentName) => {
+    test.each(cases)("%s blocked=%s", async (filename, blocked) => {
+      await using tmp = await tmpdir({
+        init: (dir) => Bun.write(path.join(dir, filename), "content"),
+      })
+      await Instance.provide({
+        directory: tmp.path,
+        fn: async () => {
+          const agent = await Agent.get(agentName)
+          const ctxWithPermissions = {
+            ...ctx,
+            ask: async (req: Omit<PermissionNext.Request, "id" | "sessionID" | "tool">) => {
+              for (const pattern of req.patterns) {
+                const rule = PermissionNext.evaluate(req.permission, pattern, agent.permission)
+                if (rule.action === "deny") {
+                  throw new PermissionNext.DeniedError(agent.permission)
+                }
+              }
+            },
+          }
+          const read = await ReadTool.init()
+          const promise = read.execute({ filePath: path.join(tmp.path, filename) }, ctxWithPermissions)
+          if (blocked) {
+            await expect(promise).rejects.toThrow(PermissionNext.DeniedError)
+          } else {
+            expect((await promise).output).toContain("content")
+          }
+        },
+      })
     })
   })
 })