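{
  "$schema": "https://opencode.ai/config.json",
  // ============================================================================
  // FULLSTACK AUTOCODE TEMPLATE
  // ============================================================================
  // For: FastAPI + Next.js projects with autonomous autocode workflow
  // Copy to project root: cp ~/.config/opencode/templates/fullstack-autocode.jsonc ./opencode.jsonc
  //
  // This template is PERMISSIVE because verification comes from:
  //   - VERIFICATION_SPEC.md (independent test criteria)
  //   - review-modern subagent (auto-fix + bounded iteration)
  //   - git history (atomic commits per step)
  //
  // NOT from permission prompts.
  //
  // For headless/CLI automation (ralph-loop.sh, opencode run), all tools that
  // might prompt must be pre-approved. See docs/opencode-server-mode.md for
  // details on server mode alternatives.
  //
  // Review notes (security posture of this file):
  //   - Every "allow" below is a standing grant usable with no human in the
  //     loop. The broad entries ("uv run *", "bun run *", "python *",
  //     "docker run *", "rm -rf *", "find *") amount to arbitrary code
  //     execution and deletion on the host; the git safety net covers only
  //     tracked files inside the repository.
  //   - Package installs ("npm install", "bun install", "uv sync") execute
  //     dependency lifecycle scripts, so a dependency change is code
  //     execution; "npm audit" is allowed and worth running in the loop.
  //   - Whether opencode matches each sub-command of a compound line
  //     (";", "&&", "|", "$(...)") separately, or only the leading token
  //     against these patterns, is not visible here; confirm before relying
  //     on narrow entries such as "echo *" as a boundary.
  //   - Keep the catch-all "*": "ask" as the first bash entry; it is what
  //     makes an unlisted command prompt instead of run.
  // ============================================================================
  "permission": {
    // Allow reading from global OpenCode assets (skills, commands, agents, scripts)
    // Also allow specs/** and vision/** to prevent sandbox false-positives
    // in parallel-feature clones where OpenCode may misidentify project root
    "external_directory": {
      "~/.config/opencode/skills/**": "allow",
      "~/.config/opencode/commands/**": "allow",
      "~/.config/opencode/agents/**": "allow",
      "~/.config/opencode/scripts/**": "allow",
      "specs/**": "allow",
      "vision/**": "allow"
    },
    "read": "allow",
    "glob": "allow",
    "grep": "allow", // Needed for codebase exploration
    "list": "allow", // Directory listing tool
    "edit": "allow", // Trust git as safety net (tracked files only)
    // Allow subagent invocation for autonomous workflows
    // CRITICAL: Without this, /autocode-next-step will hang in CLI mode
    "task": "allow",
    // Allow skill loading (for complex multi-skill workflows)
    "skill": "allow",
    // Allow web fetching for documentation lookups (optional, set to "ask" if concerned)
    // Fetched content is untrusted input to the agent (prompt-injection surface).
    "webfetch": "allow",
    "bash": {
      // Catch-all: ask for anything not explicitly allowed below
      // This ensures unknown commands still prompt rather than fail silently
      "*": "ask",
      // ========================================================================
      // TASK RUNNERS
      // ========================================================================
      "task": "allow",
      "task *": "allow",
      "make": "allow",
      "make *": "allow",
      // ========================================================================
      // PYTHON / UV
      // ========================================================================
      // "uv run *" is arbitrary execution; the narrower entries below it are
      // kept for readability, not as a restriction.
      "uv": "allow",
      "uv *": "allow",
      "uv sync": "allow",
      "uv venv": "allow",
      "uv run *": "allow",
      "uv pip *": "allow",
      "uv add *": "allow",
      "uv remove *": "allow",
      "uv lock *": "allow",
      // Direct test/lint invocation (used by /techdebt and verification)
      "uv run pytest": "allow",
      "uv run pytest *": "allow",
      "uv run ruff *": "allow",
      "uv run mypy *": "allow",
      "uv run black *": "allow",
      // Direct invocation without uv (for projects not using uv)
      "pytest": "allow",
      "pytest *": "allow",
      "ruff": "allow",
      "ruff *": "allow",
      "ruff check *": "allow",
      "mypy": "allow",
      "mypy *": "allow",
      "black *": "allow",
      "isort *": "allow",
      // ========================================================================
      // NODE / NPM / BUN
      // ========================================================================
      "npm install": "allow",
      "npm ci": "allow",
      "npm run dev": "allow",
      "npm run build": "allow",
      "npm run lint": "allow",
      "npm run test": "allow",
      "npm run test *": "allow",
      "npm run start": "allow",
      "npm run format": "allow",
      "npm run typecheck": "allow",
      "npm run typecheck *": "allow",
      // ESLint direct invocation (used by /techdebt)
      "npx eslint": "allow",
      "npx eslint *": "allow",
      "npm outdated": "allow",
      "npm ls *": "allow",
      "npm audit": "allow",
      "npm audit *": "allow",
      "bun install": "allow",
      "bun run *": "allow",
      "bun test": "allow",
      "bun test *": "allow",
      "bun add *": "allow",
      "bun remove *": "allow",
      // ========================================================================
      // GIT - Full workflow (autonomous commits/push)
      // ========================================================================
      "git add *": "allow",
      "git commit *": "allow",
      "git push": "allow",
      "git push *": "allow",
      "git checkout *": "allow",
      "git switch *": "allow",
      "git branch": "allow",
      "git branch *": "allow",
      "git stash *": "allow",
      "git pull": "allow",
      "git pull *": "allow",
      "git fetch *": "allow",
      "git merge *": "allow",
      "git rebase *": "allow",
      "git tag *": "allow",
      "git cherry-pick *": "allow",
      // Git diagnostics (used by /commit-push-pr and /autocode-next-step)
      "git status": "allow",
      "git status *": "allow",
      "git diff": "allow",
      "git diff *": "allow",
      "git log *": "allow",
      "git rev-parse *": "allow",
      "git rev-list *": "allow",
      "git remote *": "allow",
      "git show *": "allow",
      "git ls-remote *": "allow",
      // EXPLICIT ASK: Force push (destructive). These are "ask", not a hard deny.
      // The four original entries only match when the force flag is the first
      // argument after "push"; "git push origin --force" would instead fall
      // under "git push *" above. The positional variants close that gap for
      // the common spellings (this relies, as the existing entries already do,
      // on the more specific pattern taking precedence over "git push *" --
      // confirm against opencode's matching order). A "+refspec" force push
      // cannot be distinguished by pattern alone.
      "git push --force": "ask",
      "git push --force *": "ask",
      "git push -f": "ask",
      "git push -f *": "ask",
      "git push * --force": "ask",
      "git push * --force *": "ask",
      "git push * -f": "ask",
      "git push * -f *": "ask",
      // ========================================================================
      // GITHUB CLI - PR workflow (no merge)
      // ========================================================================
      "gh auth status": "allow",
      "gh pr create *": "allow",
      "gh pr view *": "allow",
      "gh pr list *": "allow",
      "gh pr checkout *": "allow",
      "gh pr diff *": "allow",
      "gh pr status": "allow",
      "gh pr ready *": "allow",
      "gh pr comment *": "allow",
      "gh issue *": "allow",
      "gh repo view *": "allow",
      "gh repo clone *": "allow",
      // EXPLICIT ASK: Merge and raw API calls (stay as ask)
      // These inherit "ask" from global "*": "ask", but listed for clarity
      // "gh pr merge *": "ask"
      // "gh api *": "ask"
      // ========================================================================
      // DOCKER (common safe commands)
      // ========================================================================
      // "docker run *" / "docker exec *" are not sandboxed by this file: a run
      // with bind mounts or --privileged has host-level reach.
      "docker build *": "allow",
      "docker run *": "allow",
      "docker ps": "allow",
      "docker ps *": "allow",
      "docker images": "allow",
      "docker images *": "allow",
      "docker logs *": "allow",
      "docker exec *": "allow",
      "docker stop *": "allow",
      "docker start *": "allow",
      "docker restart *": "allow",
      "docker rm *": "allow",
      "docker rmi *": "allow",
      "docker compose *": "allow",
      "docker-compose *": "allow",
      // ========================================================================
      // PYTHON (JSON validation, scripting)
      // ========================================================================
      "python3": "allow",
      "python3 *": "allow",
      "python": "allow",
      "python *": "allow",
      // ========================================================================
      // FILE OPERATIONS (safe, commonly needed during development)
      // ========================================================================
      // "rm *" already covers "rm -r *" and "rm -rf *"; the extra entries are
      // documentation only. Deletions outside the repo or of untracked files
      // are not recoverable from git.
      "mv *": "allow",
      "mkdir *": "allow",
      "mkdir -p *": "allow",
      "cp *": "allow",
      "cp -r *": "allow",
      "rm *": "allow",
      "rm -r *": "allow",
      "rm -rf *": "allow",
      "touch *": "allow",
      // ========================================================================
      // FILE/DIR CHECKS (used by scripts and agents)
      // ========================================================================
      "test *": "allow",
      "test -f *": "allow",
      "test -d *": "allow",
      "test -e *": "allow",
      "[ *": "allow",
      // ========================================================================
      // DIAGNOSTICS (inherited from global, but explicit for clarity)
      // ========================================================================
      "ls": "allow",
      "ls *": "allow",
      "cat *": "allow",
      "head *": "allow",
      "tail *": "allow",
      "which *": "allow",
      "pwd": "allow",
      "echo *": "allow",
      "tr *": "allow",
      "wc *": "allow",
      "true": "allow",
      "false": "allow",
      "grep *": "allow",
      "find *": "allow", // note: "find" can delete and exec; not read-only
      "tree *": "allow",
      "stat *": "allow",
      "file *": "allow",
      "basename *": "allow",
      "dirname *": "allow",
      "realpath *": "allow",
      // ========================================================================
      // RUST / CARGO (if applicable)
      // ========================================================================
      "cargo": "allow",
      "cargo *": "allow",
      "cargo build": "allow",
      "cargo build *": "allow",
      "cargo test": "allow",
      "cargo test *": "allow",
      "cargo clippy": "allow",
      "cargo clippy *": "allow",
      "cargo fmt": "allow",
      "cargo fmt *": "allow",
      "cargo check": "allow",
      "cargo check *": "allow",
      "cargo run": "allow",
      "cargo run *": "allow",
      // ========================================================================
      // UTILITIES (timestamps for specs)
      // ========================================================================
      "date": "allow",
      "date *": "allow"
    }
  },
  "instructions": ["AGENTS.md"]
}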