Critical Bug: Kimi K2.5 bypasses "ask" permission for shell commands and commits autonomously (v1.2.10)

[lorenzoridolfi]

Description

Despite having my shell commands strictly set to "ask" in build mode, the Kimi K2.5 model completely bypassed this safety guardrail and executed a git add -A followed by a git commit without my permission and without me prompting it to do so. I have been using OpenCode on my Mac for a few months and this severe breach of trust has never happened before; it only started occurring after updating to version 1.2.10. This is a massive safety issue that renders the tool entirely untrustworthy for local development, as it is actively ignoring user-defined execution boundaries. Please fix this regression immediately.

Plugins

None

OpenCode version

1.2.10

Steps to reproduce

1. Set shell command permissions strictly to "ask" in Build mode.

2. Use the Kimi K2.5 model on a local repository (macOS, OpenCode v1.2.10).

3. Do absolutely nothing and wait for the AI to take matters into its own hands, autonomously deciding to run git add -A and git commit without any prompt or authorization.

4. Honestly, I sincerely hope you cannot reproduce this on your end, because having an AI go rogue and commit code on its own volition is a literal developer's nightmare.

Screenshot and/or share link

No response

Operating System

macOS 15.7.3

Terminal

iTerm2

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Agent keeps executing git commands even though its set as "ask for permission" #9853: Agent keeps executing git commands even though it's set as "ask for permission" — very similar report of git commands bypassing the permission setting
• opencode not respecting permissions #8832: opencode not respecting permissions — similar issue where configured permission rules are ignored
• Permission system broken #4642: Permission system broken — broader report of the permission system not being respected, including git commands

If your issue is distinct (e.g., specifically tied to the Kimi K2.5 model or v1.2.10 regression), please note that in your issue.

[OpeOginni]

Hey @lorenzoridolfi could you share what exactly you have in your config permissions, you talk about setting shell commands to "ask". Is it using the "bash" tool or specific commands?

Could you also in anyway share the session where this happened

[OpeOginni]

Tried out these two and they seem to work well.

  "permission": {
    "bash": "ask",
  }

and

  "permission": {
      "bash": {
        "git *": "ask"
      }
  }

[lorenzoridolfi]

Tried out these two and they seem to work well.

"permission": {
"bash": "ask",
}
and

"permission": {
"bash": {
"git *": "ask"
}
}

Yes, it's configured exactly like that.

[BoringBoredom]

I've just had this happen with a different model. This needs to be looked at ASAP.