external_directory: "deny" not enforced when running OpenCode from Git Bash on Windows

[rosrosros]

Description

I am running OpenCode on Windows using Git Bash.

I configured the global config file:

C:\Users[user].config\opencode\opencode.json

with:

{
  "permission": {
    "external_directory": "deny"
  }
}

The intention is to prevent the model from reading files outside the current project directory.

When OpenCode is started inside a project folder, the restriction works correctly. Attempts to read files outside the project are blocked.

However, when OpenCode is started from another directory (for example D:), the model can still read files from other drives, such as:

C:\oc-perm-test\outside\secret.txt

even though external_directory is set to "deny".

Debug logs show that the following configuration files are loaded:

C:\Users\[user]\.config\opencode\config.json
C:\Users\[user]\.config\opencode\opencode.json
C:\Users\[user]\.config\opencode\opencode.jsonc

This suggests either:

the global config is not enforced correctly when OpenCode is started outside a project directory, or

Windows / Git Bash path handling affects the sandbox rule.

Plugins

None

OpenCode version

1.2.17

Steps to reproduce

1 Configure global config:

C:\Users\[user]\.config\opencode\opencode.json
{
  "permission": {
    "external_directory": "deny"
  }
}

2 Start OpenCode from Git Bash inside a project folder:

C:\oc-perm-test\project

3 Ask OpenCode to read:

../outside/secret.txt

Result: correctly blocked.

4 Start OpenCode instead from:

D:\

5 Ask OpenCode to read:

C:\oc-perm-test\outside\secret.txt

Result: file is read successfully even though external directories should be denied.

Screenshot and/or share link

No response

Operating System

windows 11

Terminal

Git Bash though Windows Terminal

[621625]

I second this. Oh and a warning, opencode deleted my /home/bm/Downloads folder with rm -rf without asking. Advice: restrict rm. This folder issue is also an important security flaw. It should perhaps be considered severe.

[621625]

I'm on Linux.

[Helios12345]

i also have this problem! Very critital security issue!! it appears also on 1.2.20 on my system with that config (played around a lot with them already, also with the help from opencode itself, but could not fix the behaviour).

when i start opencode from d:\git i can access (read/write) on c:\windows - even when i set external_directory to "deny". when i set it to "ask" i never get asked!

windows 10 iot enterprise ltsc 21h2 + windows 11 25h2

"permission": { "read": { "D:\\git\\**": "allow", "*.env": "deny", "*.env.*": "deny" }, "edit": "allow", "bash": "allow", "external_directory": "deny", "webfetch": "allow", "websearch": "allow" }
what opencode suggested:

`Based on my research, this is a confirmed and widespread bug in OpenCode on Windows. Here's what I found:
CONFIRMED ISSUES:

1. GitHub Issue external_directory: "deny" not enforced when running OpenCode from Git Bash on Windows #16126 - Exact same problem

• User reports: external_directory: "deny" works when inside a project, but completely bypassed when started from another drive (e.g., starting from D:\ allows reading C:\ files)
• Status: OPEN (assigned to @Hona)

2. GitHub Issue External directory permission does not work on Windows #11042 - Root Cause Identified

"In a Windows environment with mixed paths (Windows, MSYS/GitBash) the Wildcard/Permission system breaks in several cases (relative paths, absolute paths / cross-drive) due to path mismatching"

• Status: Closed (claimed fixed by PR fix(windows): path handling fixes for Windows #6763, but see below...)

3. GitHub Issue Permissions are no longer working after 6 to 8 weeks as is #15754 - Permissions stopped working

• Users report external_directory: "ask" worked for weeks then suddenly stopped enforcing
• Status: OPEN

4. Reddit post (11 hours ago!) - "Opencode security/permission broken (1.2.27)?"

"Started from d:\git and asked for E: drive - and it could! why is this setting ignored?"
THE FAILED FIX:
PR #6763 "fix(windows): path handling fixes for Windows" attempted to fix this with path normalization. However:

• The contributor closed it in Feb 2026 stating: "they apparently prefer their own thing, closing this one - getting no replies since december. despite all the things clearly broken"
• On Mar 6, 2026, @Hona commented: "Yes it's nots far off"
  CURRENT STATUS:
  The permission system on Windows has fundamental path handling bugs that cause external_directory checks to fail when:
• Mixed path formats are used (backslashes vs forward slashes)
• Cross-drive access is attempted
• MSYS/Git Bash paths are involved
  Workaround: None available. This is a core platform bug that requires an official fix from the OpenCode team.
  Recommendation: Report this at https://github.com/anomalyco/opencode/issues referencing issue external_directory: "deny" not enforced when running OpenCode from Git Bash on Windows #16126`

[Helios12345]

Try to set up something like that - restrict Opencode to only have access to the working dir and another directory. Everything else should be blocked. It simply does not work! Sometimes it works, but then after a restart of Opencode it does not work anymore!

The whole permission section is really buggy.

[Helios12345]

ALL of these issues i have with permissions are tested NOT WORKING on Windows with Terminal, not with GIT Bash. no matter what i configure - I can't achieve to have Opencode only access to working dir + 1 other directory. All other access to any folder should not be allowed. Opencode itself confirmed several times, that my permission config is correct, but that there are bugs in permissions of Opencode. Please fix it, I don't want to use Opencode with massive security issues like that.

[kennethac]

I'm also having this issue in Windows Terminal running OpenCode from PowerShell 7, no git bash involved.

[pschiel]

* On Mar 6, 2026, [@Hona](https://github.com/Hona) commented: "Yes it's nots far off"

the dude keeps telling "next week" since several months. it's a lie, it's not going to happen. their "fixes" so far even introduced more bugs.

[PhilWheat]

Still no progress?