[SECURITY] allow ignoring files to prevent secrets being leaked from .env to LLM

[aspiers]

Forgive me if I've missed it, but I couldn't see any mechanism in the code for ignoring files like .env which very often contain API secrets and other credentials and sensitive data.

The closest I could see was this hard-coded list:

https://github.com/sst/opencode/blob/67480e5a1c71a0b65467a724a7b7afa828f93168/packages/opencode/src/tool/ls.ts#L7-L19

If I'm right, that means that currently it's possible for security-critical data to be leaked to the LLM, which would be a pretty significant security concern. Other agentic coding environments have gone through the same pain, e.g. there are many threads such as this one in the Cursor forums. So it would be great if opencode got this right from early on.

I think it's fairly simple to solve: just support an .opencodeignore file at the top of the repo (and perhaps honour .gitignore by default too).

(On a related but tangential note, ideally everyone would standardise on .ai-ignore, .ai-rules etc. rather than every agent having its own set of config files, but that's a battle for another day ...)

[aspiers]

See google-gemini/gemini-cli#2092 for a report of a similar issue there (although Gemini CLI does at least already respect .gitignore by default). Some approaches to the solution are also suggested in that issue.

[aspiers]

Also anthropics/claude-code#79

[thdxr]

our ls tool should be reworked to use rg which respects gitgnore - i'll do this

[aspiers]

Thanks @thdxr this sounds like a great step in the right direction!

[superDuperCyberTechno]

It reads my entire user directory without a hitch. Is this not a little worrisome? One thing is secrets like encryption, - and API keys, another thing entirely is personal medical documents and whatnot. Would it be possible to implement some sort of whitelist functionality where you explicitly state what folders/files are accessible?

[SeanRoberts]

It reads my entire user directory without a hitch. Is this not a little worrisome? One thing is secrets like encryption, - and API keys, another thing entirely is personal medical documents and whatnot. Would it be possible to implement some sort of whitelist functionality where you explicitly state what folders/files are accessible?

I created a separate issue for that here

In the meantime I'll just use it within a container.

[rekram1-node]

A few improvements have been shipped in this area list of improvements:

• Proper permissions system: you can make the llm have to ask you for permission before taking actions
• agent is locked to cwd by default (can't use read or edit tools on files outside)
• you can make plugins if you need even more control here is an example from docs:

export const EnvProtection = async ({ client, $ }) => {
  return {
    "tool.execute.before": async (input, output) => {
      if (input.tool === "read" && output.args.filePath.includes(".env")) {
        throw new Error("Do not read .env files")
      }
    }
  }
}

[aspiers]

My $0.02:

1. If preventing opencode from reading sensitive files requires the user to go through any process more than an extremely simple configuration task (e.g. adding a file to .ai-ignore), then I don't think the feature can reasonably be considered as implemented. For example, while supporting more sophisticated control via plugins is awesome, if the user is required to write code, then it's an inherently insecure design by default.

2. I would strongly recommend making ignoring .env part of the default configuration. It's a very well-known industry-wide convention these days that this file typically contains secrets, so feeding those secrets to LLMs by default is really not at all good practice.

[rekram1-node]

definitely fair point about .env I tend to agree w/ you there

[superDuperCyberTechno]

agent is locked to cwd by default (can't use read or edit tools on files outside)

It can however, still use shell commands outside the CWD. Would it be feasible to just neuter opencode completely outside the CWD with options to open up its permissions if need be?

[aspiers]

agent is locked to cwd by default (can't use read or edit tools on files outside)

It can however, still use shell commands outside the CWD. Would it be feasible to just neuter opencode completely outside the CWD with options to open up its permissions if need be?

While this is an important topic, and certainly requires attention, I think it belongs in a separate issue, because in the vast majority of cases .env will be inside the CWD.

[rekram1-node]

@aspiers I will say the llm can't grep for this files but I think we may also want to add extra preventions by default in the read tool too. Thanks for pushing back on this a bit!