PM Agent: opencode external_directory permission fails for subdirectory paths #36

New Issue

shoko · 2026-03-31T00:44:48+02:00

shoko commented

2026-03-31 00:44:48 +02:00

Context

PM Agent delegation fails with permission errors when trying to access any directory outside the session root, even with broad permission patterns.

Bug Description

When delegating tasks to the PM Agent (via kugetsu-helper delegate-to-pm), the agent attempts to clone/access /home/shoko/repositories/kugetsu and gets rejected with:

! permission requested: external_directory (/home/shoko/repositories/kugetsu/*); auto-rejecting
Error: The user rejected permission to use this specific tool call.

What We Tried

Set session directory to /home/shoko/repositories/kugetsu — still rejected
Set session directory to /home/shoko — still rejected
Tried permission patterns:
- - (all)
- /tmp/*
- /tmp/**
- /tmp/kugetsu/*
- /home/shoko/repositories/*
- /home/shoko/repositories/kugetsu
- /home/shoko/repositories/kugetsu/**
- /home/shoko
  All were rejected
Told PM agent NOT to clone (repo already exists at /home/shoko/repositories/kugetsu) — still blocked because agent tries to do git operations

Root Cause

The opencode external_directory permission system appears to have a bug where it cannot match subdirectory paths. The session directory is set correctly but opencode treats all subdirectory access as external and the permission glob patterns do not match.

Session Details

Session ID: ses_2c0dc6aeeffeewhtar1hgN4yFL
Project directory: /home/shoko/repositories/kugetsu
Session directory: /home/shoko/repositories/kugetsu (then tried /home/shoko)
Permission: [{"permission":"question","pattern":"","action":"deny"}, {"permission":"plan_enter","pattern":"","action":"deny"}, {"permission":"plan_exit","pattern":"*","action":"deny"}, {"permission":"external_directory","pattern":"/home/shoko","action":"allow"}]

Impact

PM Agent delegation is broken. All work must be done directly instead of via PM Agent.

Reproduction

Initialize kugetsu (kugetsu init)
Delegate task: ~/.local/bin/kugetsu-helper delegate-to-pm "work on issue #35"
Observe permission error for /home/shoko/repositories/kugetsu/*

Workaround

Do tasks directly (git checkout, add file, commit, push, create PR via API) instead of via PM Agent delegation.

## Context PM Agent delegation fails with permission errors when trying to access any directory outside the session root, even with broad permission patterns. ## Bug Description When delegating tasks to the PM Agent (via kugetsu-helper delegate-to-pm), the agent attempts to clone/access /home/shoko/repositories/kugetsu and gets rejected with: ! permission requested: external_directory (/home/shoko/repositories/kugetsu/*); auto-rejecting Error: The user rejected permission to use this specific tool call. ## What We Tried 1. Set session directory to /home/shoko/repositories/kugetsu — still rejected 2. Set session directory to /home/shoko — still rejected 3. Tried permission patterns: - * (all) - /tmp/* - /tmp/** - /tmp/kugetsu/* - /home/shoko/repositories/* - /home/shoko/repositories/kugetsu - /home/shoko/repositories/kugetsu/** - /home/shoko All were rejected 4. Told PM agent NOT to clone (repo already exists at /home/shoko/repositories/kugetsu) — still blocked because agent tries to do git operations ## Root Cause The opencode external_directory permission system appears to have a bug where it cannot match subdirectory paths. The session directory is set correctly but opencode treats all subdirectory access as external and the permission glob patterns do not match. ## Session Details - Session ID: ses_2c0dc6aeeffeewhtar1hgN4yFL - Project directory: /home/shoko/repositories/kugetsu - Session directory: /home/shoko/repositories/kugetsu (then tried /home/shoko) - Permission: [{"permission":"question","pattern":"*","action":"deny"}, {"permission":"plan_enter","pattern":"*","action":"deny"}, {"permission":"plan_exit","pattern":"*","action":"deny"}, {"permission":"external_directory","pattern":"/home/shoko","action":"allow"}] ## Impact PM Agent delegation is broken. All work must be done directly instead of via PM Agent. ## Reproduction 1. Initialize kugetsu (kugetsu init) 2. Delegate task: ~/.local/bin/kugetsu-helper delegate-to-pm "work on issue #35" 3. Observe permission error for /home/shoko/repositories/kugetsu/* ## Workaround Do tasks directly (git checkout, add file, commit, push, create PR via API) instead of via PM Agent delegation.

shoko commented

2026-03-31 07:58:55 +02:00

Options Analysis

Option B — opencode allowlist flag

Add a session creation flag (e.g., external_directory: "allow") that bypasses glob pattern matching for external directory access.

Pros	Cons
Clean, global fix — one flag covers all paths	Requires opencode code change (separate project)
No pattern management needed	Security concern: blanket allow defeats the purpose of the permission model
Low maintenance once implemented

Option C — kugetsu workaround

kugetsu init sets session workdir to a directory that covers all needed paths (e.g., /home/shoko), OR kugetsu pre-clones repos into the session workdir before delegating.

Pros	Cons
Works today — no opencode changes needed	Still limited to the chosen directory tree
Keeps PM agent constrained and predictable	If a task needs something outside (e.g., `/opt`, `/root`), it fails
No security implications	Requires kugetsu to be smart about workdir setup and repo pre-cloning

Recommendation

Option B in opencode + Option C in kugetsu as a fallback.

Option B provides the proper fix: a scoped allow flag that can be set per-session (not a global default)
Option C handles the immediate case: set session workdir to /home/shoko so most common paths are covered, or document that PM agent tasks must stay within the workdir

Immediate Workaround (Option C in practice)

# PM agent works when the target is inside its workdir:
# /home/shoko/repositories/* — works (inside workdir /home/shoko/repositories/kugetsu)

# PM agent fails for anything outside workdir:
# /tmp/* — always fails (permission denied regardless of pattern)
# /opt/* — always fails

PoC Confirmation

Bug confirmed. Tested patterns *, /tmp/*, /tmp/**, /tmp/perm-test/* — all stored correctly in SQLite but still auto-rejected by opencode. The workdir-relative operations work fine.

## Options Analysis ### Option B — opencode allowlist flag Add a session creation flag (e.g., `external_directory: "allow"`) that bypasses glob pattern matching for external directory access. | Pros | Cons | |------|------| | Clean, global fix — one flag covers all paths | Requires opencode code change (separate project) | | No pattern management needed | Security concern: blanket allow defeats the purpose of the permission model | | Low maintenance once implemented | | ### Option C — kugetsu workaround kugetsu init sets session workdir to a directory that covers all needed paths (e.g., `/home/shoko`), OR kugetsu pre-clones repos into the session workdir before delegating. | Pros | Cons | |------|------| | Works today — no opencode changes needed | Still limited to the chosen directory tree | | Keeps PM agent constrained and predictable | If a task needs something outside (e.g., `/opt`, `/root`), it fails | | No security implications | Requires kugetsu to be smart about workdir setup and repo pre-cloning | ### Recommendation **Option B in opencode + Option C in kugetsu as a fallback.** - Option B provides the proper fix: a scoped allow flag that can be set per-session (not a global default) - Option C handles the immediate case: set session workdir to `/home/shoko` so most common paths are covered, or document that PM agent tasks must stay within the workdir ### Immediate Workaround (Option C in practice) ```bash # PM agent works when the target is inside its workdir: # /home/shoko/repositories/* — works (inside workdir /home/shoko/repositories/kugetsu) # PM agent fails for anything outside workdir: # /tmp/* — always fails (permission denied regardless of pattern) # /opt/* — always fails ``` ## PoC Confirmation Bug confirmed. Tested patterns `*`, `/tmp/*`, `/tmp/**`, `/tmp/perm-test/*` — all stored correctly in SQLite but still auto-rejected by opencode. The workdir-relative operations work fine.

shoko commented

2026-04-01 00:45:47 +02:00

New Bug: PM trying to access /tmp/kugetsu/* instead of ~/.kugetsu/

When delegating "Merge PR #55" to PM, PM session tried to access:

permission requested: external_directory (/tmp/kugetsu/*); auto-rejecting

But kugetsu stores data at ~/.kugetsu/, not /tmp/kugetsu/.

PM should use ~/.kugetsu/ for all operations. This might be:

A bug in PM skill/context pointing to wrong path
Related to the external_directory permission issue in #36

Questions:

Where did /tmp/kugetsu come from?
Is this a corrupted session context?
Or is PM skill using wrong paths?

Need investigation.

## New Bug: PM trying to access /tmp/kugetsu/* instead of ~/.kugetsu/ When delegating "Merge PR #55" to PM, PM session tried to access: ``` permission requested: external_directory (/tmp/kugetsu/*); auto-rejecting ``` But kugetsu stores data at ~/.kugetsu/, not /tmp/kugetsu/. PM should use ~/.kugetsu/ for all operations. This might be: 1. A bug in PM skill/context pointing to wrong path 2. Related to the external_directory permission issue in #36 **Questions:** - Where did /tmp/kugetsu come from? - Is this a corrupted session context? - Or is PM skill using wrong paths? Need investigation.

shoko added the critical label 2026-04-01 01:17:04 +02:00

shoko commented

2026-04-01 05:00:59 +02:00

Fix Found

The PM agent session in SQLite has permission: NULL - no permissions stored at all. Adding external_directory permission via SQLite update fixes the issue.

UPDATE session SET permission = '[{"permission":"question","pattern":"*","action":"deny"},{"permission":"plan_enter","pattern":"*","action":"deny"},{"permission":"plan_exit","pattern":"*","action":"deny"},{"permission":"external_directory","pattern":"*","action":"allow"}]' WHERE id = 'ses_2b97dd7e1ffedGH26UfHu9Ex5k';

Verified working: PM agent can now access /home/shoko/repositories/kugetsu/*

Root Cause

The PM agent session was created without proper permissions - the permission column was NULL instead of containing the permission JSON array.

Recommendation

Update kugetsu to ensure new PM agents get proper permissions when created. The base session should also be updated with external_directory permission so new forks inherit it.

## Fix Found The PM agent session in SQLite has `permission: NULL` - no permissions stored at all. Adding external_directory permission via SQLite update fixes the issue. ```sql UPDATE session SET permission = '[{"permission":"question","pattern":"*","action":"deny"},{"permission":"plan_enter","pattern":"*","action":"deny"},{"permission":"plan_exit","pattern":"*","action":"deny"},{"permission":"external_directory","pattern":"*","action":"allow"}]' WHERE id = 'ses_2b97dd7e1ffedGH26UfHu9Ex5k'; ``` Verified working: PM agent can now access /home/shoko/repositories/kugetsu/* ## Root Cause The PM agent session was created without proper permissions - the permission column was NULL instead of containing the permission JSON array. ## Recommendation Update kugetsu to ensure new PM agents get proper permissions when created. The base session should also be updated with external_directory permission so new forks inherit it.

shoko added the task-delegation label 2026-04-02 00:30:39 +02:00

shoko referenced this issue from a commit

2026-04-02 01:18:35 +02:00

fix(kugetsu): add fix_session_permissions command for cmd_doctor

shoko referenced a pull request that will close this issue

2026-04-02 01:18:45 +02:00

fix(kugetsu): add fix_session_permissions command for cmd_doctor #87

shoko referenced this issue from a commit

2026-04-02 02:07:21 +02:00

docs: add opencode session internals documentation

shoko referenced this issue from a commit

2026-04-02 02:57:16 +02:00