OpenCode AI config to deny read access to .env, node_modules, build artifacts, cache dirs and ask before bash execution

OpenCode AI released a security-focused configuration that denies read access to sensitive files such as .env, and to node_modules, build artifacts, and cache directories, and that requires user approval before any bash command is executed. The configuration aims to protect secrets and prevent accidental exposure of build outputs or dependencies. The rules shown cover only the `read` and `bash` permissions: as far as this config shows, a bash command approved at the prompt is not subject to the read deny list, so each approval should be checked for commands that would print or copy the denied files.

Note: the wildcard (`*`) and underscore (`_`) characters in the listing were lost when the page was extracted. They are restored below as conventional glob patterns (`*`, `**`); verify the exact patterns against the original configuration before use.

{
  "$schema": "https://opencode.ai/config.json",
  "permission": {
    "bash": {
      "*": "ask"
    },
    "read": {
      "*": "allow",
      "**/.env": "deny",
      "**/.env.*": "deny",
      "**/.env.local": "deny",
      "**/.env.development": "deny",
      "**/.env.production": "deny",
      "**/.env.test": "deny",
      "**/.env.example": "allow",
      "**/node_modules/**": "deny",
      "**/.next/**": "deny",
      "**/dist/**": "deny",
      "**/build/**": "deny",
      "**/out/**": "deny",
      "**/.turbo/**": "deny",
      "**/.cache/**": "deny",
      "**/.parcel-cache/**": "deny",
      "**/.vite/**": "deny",
      "**/public/**": "deny",
      "**/static/**": "deny",
      "**/coverage/**": "deny",
      "**/*.log": "deny",
      "**/.git/**": "deny",
      "**/.pnpm-store/**": "deny",
      "**/.yarn/**": "deny",
      "**/.DS_Store": "deny",
      "**/tmp/**": "deny",
      "**/temp/**": "deny",
      "**/.vercel/**": "deny",
      "**/.output/**": "deny",
      "**/.nuxt/**": "deny",
      "**/.svelte-kit/**": "deny",
      "**/.angular/**": "deny",
      "**/.astro/**": "deny",
      "**/.firebase/**": "deny",
      "**/.wrangler/**": "deny",
      "**/.serverless/**": "deny",
      "**/storybook-static/**": "deny",
      "**/vendor/**": "deny",
      "**/__pycache__/**": "deny",
      "**/.pytest_cache/**": "deny",
      "**/.mypy_cache/**": "deny",
      "**/.ruff_cache/**": "deny",
      "**/.venv/**": "deny",
      "**/venv/**": "deny"
    }
  }
}