Patch tool should fail fast on paths outside workspace

[ilepn]

Summary

When patch/apply_patch receives a file path outside the current workspace root, it should fail fast with a clear error and non-zero status instead of silently "succeeding" or writing to the wrong location.

Repro (Windows, but should be general)

1. Start OpenCode in a workspace on C:
   opencode C:/Users/me/project
2. Apply a patch targeting an absolute path on D:
   *** Update File: D:/.toolbox/docs/uv-install.md

Observed: patch reports success but no file is created/updated under D:, or paths are mis-interpreted.
Expected: validation error indicating path outside workspace root.

Expected behavior

• Normalize each patch target path.
• If target path resolves outside workspace root, abort before making changes.
• Return a non-zero tool error status, e.g. EOUTSIDE_ROOT, with a clear message:
  "Path outside workspace root. Start OpenCode in that directory or use an allowed root."

Nice-to-have (optional)

• Configurable allowlist of additional roots (multi-root).
• Or prompt for explicit approval when patch targets a path outside root.

Related

• Per-agent filesystem boundaries proposal: [FEATURE]: Add per-agent filesystem boundaries (allow/deny paths) + optional run-as user for bash #5529
• Allow explicitly changing working directory: Allow explicitly changing working directory #2177
• Multi-directory workspace PR (closed): feat: add workspace multi-directory support #2921

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Path traversal vulnerability via symlinks and cross-drive paths #8313: Path traversal vulnerability via symlinks and cross-drive paths - directly addresses missing path validation in Filesystem.contains()
• An agent is able to read all filesystem outside a project directory in Plan mode #7504: Agent able to read all filesystem outside project directory - comprehensive security audit including patch tool path validation failures
• External directory permission does not work on Windows #11042: External directory permission does not work on Windows - cross-drive path validation issues on Windows
• bash tool: external_directory prompt skipped when realpath is missing #10872: bash tool external_directory prompt skipped when realpath is missing - path resolution dependency on Windows
• Windows apply_patch fails #10360: Windows apply_patch fails - path handling failures in apply_patch tool on Windows

Related enhancement proposals:

• [FEATURE]: Add per-agent filesystem boundaries (allow/deny paths) + optional run-as user for bash #5529: Per-agent filesystem boundaries (allow/deny paths)
• Split external_directory permission into read vs write #5395: Split external_directory permission into read vs write
• [FEATURE]: more general external_directory permissions #4991: More general external_directory permissions
• [FEATURE]: Limit tool (e.g. write, edit) permissions to specific folders #6318: Limit tool permissions to specific folders

Feel free to ignore if none of these address your specific case.

[github-actions]

To stay organized issues are automatically closed after 90 days of no activity. If the issue is still relevant please open a new one.