Description
Summary
The active default agent is configured with a narrow permission.task allow-list, but the live injected task tool schema advertises many more subagent types than that allow-list.
This is confusing and may be a permission boundary issue. If task permissions are enforced only at execution time, the tool schema still exposes unavailable subagents to the model and makes the active permissions hard to reason about.
Environment
- Config path: ~/.config/opencode/opencode.json
- Active default agent from config: default
Relevant Config
opencode.json sets the default agent:
"default_agent": "default"
The default agent is configured with this permission.task allow-list:
"task": {
"code-analyzer": "allow",
"code-locator": "allow",
"code-pattern-finder": "allow",
"code-researcher": "allow",
"context-locator": "allow",
"context-analyzer": "allow",
"web-researcher": "allow"
}
This appears in the default agent block in ~/.config/opencode/opencode.json.
Expected Behavior
When the active agent is default, the injected task tool should expose only the subagents allowed by that agent's permission.task config:
code-analyzer
code-locator
code-pattern-finder
code-researcher
context-locator
context-analyzer
web-researcher
Alternatively, if the schema must advertise all registered subagents, opencode should clearly document that permission.task is enforced only at invocation time and not reflected in the tool schema.
Actual Behavior
The live injected task tool definition advertises many more subagent_type options than the active default agent allows.
Those subagents are not present in the default agent's permission.task allow-list.
Why This Matters
The current behavior creates two possible problems:
- The model may believe it can use subagents that the active agent config does not allow.
- A user cannot tell from the injected tool schema whether permission.task is actually being enforced.
- High-impact subagents are advertised even when the active agent config does not allow them.
Steps To Reproduce
- Configure default_agent as default.
- Configure agent.default.permission.task with only these allowed subagents:
code-analyzer
code-locator
code-pattern-finder
code-researcher
context-locator
context-analyzer
web-researcher
- Start opencode with that config.
- Inspect the injected task tool definition available to the active agent.
- Observe that subagent_type includes many subagents outside the allow-list.
Open Question
Is permission.task intended to filter the task tool schema, or only to block invocation after the model attempts to call a disallowed subagent?
Suggested Fix
Preferred fix:
Filter task.subagent_type enum/options according to the active agent's permission.task rules before injecting the tool schema.
Acceptable alternative:
Document that task schemas expose all registered subagents and that permission.task is enforced only at execution time.
If the alternative is chosen, the runtime denial should produce a clear error that names the active agent and the denied subagent.
Plugins
none
OpenCode version
1.17.9
Operating System
Nix Linux
Terminal
WezTerm via SSH
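The preferred fix and the runtime-denial error from the report, sketched together as an added example (not opencode's code and not part of the original report). The schema shape, the function names and the two `example-*` subagent names are assumptions; only exact-name `"allow"` entries are modelled, and anything else is treated as denied.

```typescript
// Added illustration: filter the advertised enum AND enforce at invocation.
// Schema shape and all function names here are hypothetical.
type TaskPermission = Record<string, string>;

interface TaskToolSchema {
  name: string;
  parameters: { subagent_type: { type: string; enum: string[] } };
}

// permission.task allow-list of the default agent, as quoted in the report.
const defaultAgentTask: TaskPermission = {
  "code-analyzer": "allow",
  "code-locator": "allow",
  "code-pattern-finder": "allow",
  "code-researcher": "allow",
  "context-locator": "allow",
  "context-analyzer": "allow",
  "web-researcher": "allow",
};

// Constructed registry: the seven allowed names plus two placeholder extras.
const registered: string[] = Object.keys(defaultAgentTask).concat([
  "example-deployer",
  "example-shell-runner",
]);

// Deny by default: only an own property whose value is exactly "allow" passes.
function isAllowed(perm: TaskPermission, subagent: string): boolean {
  return Object.prototype.hasOwnProperty.call(perm, subagent) && perm[subagent] === "allow";
}

// Schema injection: advertise only what the active agent may actually call.
function buildTaskSchema(perm: TaskPermission, all: string[]): TaskToolSchema {
  const allowed = all.filter((s) => isAllowed(perm, s));
  return { name: "task", parameters: { subagent_type: { type: "string", enum: allowed } } };
}

// Invocation check: still required, because a model can emit a value that is
// not in the enum. Returns "" when allowed, else an error naming both parties.
function denialMessage(agent: string, perm: TaskPermission, subagent: string): string {
  if (isAllowed(perm, subagent)) return "";
  return `agent "${agent}" is not permitted to run subagent "${subagent}" (permission.task)`;
}
```

Both functions share `isAllowed`, so the advertised enum and the enforced set cannot drift apart.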