core: add permission checks to lsp and todo tools

2025-12-31 19:15:30 -05:00 · 2025-12-31 19:15:30 -05:00 · e0438bc318
parent 4a07bb561f
commit e0438bc318
3 changed files with 27 additions and 5 deletions
--- a/packages/opencode/src/config/config.ts
+++ b/packages/opencode/src/config/config.ts
@ -407,6 +407,7 @@ export namespace Config {
      webfetch: PermissionAction.optional(),
      websearch: PermissionAction.optional(),
      codesearch: PermissionAction.optional(),
+      lsp: PermissionRule.optional(),
      doom_loop: PermissionAction.optional(),
    })
    .catchall(PermissionRule)
--- a/packages/opencode/src/tool/lsp.ts
+++ b/packages/opencode/src/tool/lsp.ts
@ -26,7 +26,14 @@ export const LspTool = Tool.define("lsp", {
    line: z.number().int().min(1).describe("The line number (1-based, as shown in editors)"),
    character: z.number().int().min(1).describe("The character offset (1-based, as shown in editors)"),
  }),
-  execute: async (args) => {
+  execute: async (args, ctx) => {
+    await ctx.ask({
+      permission: "lsp",
+      patterns: ["*"],
+      always: ["*"],
+      metadata: {},
+    })
+
    const file = path.isAbsolute(args.filePath) ? args.filePath : path.join(Instance.directory, args.filePath)
    const uri = pathToFileURL(file).href
    const position = {
--- a/packages/opencode/src/tool/todo.ts
+++ b/packages/opencode/src/tool/todo.ts
@ -8,9 +8,16 @@ export const TodoWriteTool = Tool.define("todowrite", {
  parameters: z.object({
    todos: z.array(z.object(Todo.Info.shape)).describe("The updated todo list"),
  }),
-  async execute(params, opts) {
+  async execute(params, ctx) {
+    await ctx.ask({
+      permission: "todowrite",
+      patterns: ["*"],
+      always: ["*"],
+      metadata: {},
+    })
+
    await Todo.update({
-      sessionID: opts.sessionID,
+      sessionID: ctx.sessionID,
      todos: params.todos,
    })
    return {
@ -26,8 +33,15 @@ export const TodoWriteTool = Tool.define("todowrite", {
 export const TodoReadTool = Tool.define("todoread", {
  description: "Use this tool to read your todo list",
  parameters: z.object({}),
-  async execute(_params, opts) {
-    const todos = await Todo.get(opts.sessionID)
+  async execute(_params, ctx) {
+    await ctx.ask({
+      permission: "todoread",
+      patterns: ["*"],
+      always: ["*"],
+      metadata: {},
+    })
+
+    const todos = await Todo.get(ctx.sessionID)
    return {
      title: `${todos.filter((x) => x.status !== "completed").length} todos`,
      metadata: {