fix(opencode): enforce read-only bash permissions in plan mode

[kzekiue]

Issue for this PR

Closes #24102

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

Plan mode could still run mutating bash commands because it inherited the default broad tool permissions and only denied edit tools.

This PR makes the native plan agent enforce bash as read-only by default. It denies bash commands unless they match a small allowlist of inspection commands such as git status, git log, git diff, git show, git branch, git stash list, ls, cat, grep, rg, find, wc, head, and tail.

It also adds Agent.permissions(...) so plan-mode rules remain authoritative when session-level permissions are merged in. That prevents session/config permissions from re-allowing mutating commands in plan mode while preserving the existing merge behavior for other agents.

How did you verify your code works?

• bun test test/agent/agent.test.ts
• bun typecheck
• bun test test/session/llm.test.ts test/session/prompt.test.ts

The session tests were run outside the sandbox because their local HTTP test servers could not bind ephemeral ports inside it.

Screenshots / recordings

Not a UI change.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Hey! Your PR title Enforce read-only bash permissions in plan mode doesn't follow conventional commit format.

Please update it to start with one of:

• feat: or feat(scope): new feature
• fix: or fix(scope): bug fix
• docs: or docs(scope): documentation changes
• chore: or chore(scope): maintenance tasks
• refactor: or refactor(scope): code refactoring
• test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

[github-actions]

The following comment was made by an LLM, it may be inaccurate:

Based on my search results, I found a related PR that may be relevant:

Related PR:

• feat: allow planning CLI tools (gh, glab) in plan mode #23985 - "feat: allow planning CLI tools (gh, glab) in plan mode"
  • This PR appears to be working on plan mode permission handling for CLI tools, which is closely related to the bash permissions enforcement in plan mode.

The other results are related to permissions and bash command handling but appear to be either older historical changes or addressing different aspects (like sandboxing, auto-approval, and subagent restrictions).

The most relevant connection is with PR #23985, which is also addressing plan mode tool permissions, though it focuses on allowing specific CLI tools rather than restricting bash commands.