fix(permission): gate opencli group on its own keys, not browser

[Astro-Han]

Summary

Permission.disabled() mapped every opencli_* tool to the browser permission key, so a configured permission.browser: deny hid the opencli discovery + run tools from the model. But the opencli adapters never ask browser at execution — they ask opencli_read / opencli_write. Decouple the two so the opencli group is gated by its own keys, and browser deny governs only browser_* tools.

Why

The visibility gate (disabled(), which hides deferred tool cards / repair hints) and the execution gate (what ask() actually checks) used different permission keys for the opencli group:

• Visibility treated opencli_* as browser-keyed (permission/index.ts, old disabled()).
• Execution asks opencli_read / opencli_write for the command, plus a per-navigation browser ask only when an adapter drives the embedded browser (tool/opencli-run.ts).

The keys are scoped differently — browser rules are URL-scoped, opencli_read/opencli_write are command-name-scoped — so conflating them let a browser rule appear to govern opencli in the tool listing while execution ignored it. This was the pre-existing inconsistency surfaced by Gemini's review of #1330.

Fix: opencli tools are hidden only when both opencli_read and opencli_write are a configured *: deny (either half allowed means an adapter is still runnable, so the discovery + run tools stay). browser deny still hides browser_* as before. A global *: deny still hides everything.

Related Issue

None — found while reviewing PR #1330 (embedded-browser permission prompts). Gemini's bot flagged the opencli/browser key mismatch on that PR; this is the focused fix.

Human Review Status

Pending

Review Focus

• The disabled() rewrite in permission/index.ts: opencli now gates on OPENCLI_KEYS (opencli_read + opencli_write) via isWildcardDeny, requiring both denied to hide the group. Confirm the both-vs-either choice matches intent (either half allowed ⇒ adapter runnable ⇒ keep visible).
• That browser deny still fully hides browser_* (unchanged path), and a global *: deny still hides opencli.

Risk Notes

Behavior change limited to tool visibility under a permission.browser: deny rule: opencli discovery/run tools are no longer hidden by a browser-only deny (they were already runnable at execution under that config, so this aligns the listing with execution — not a new capability). No schema/migration/UI/platform surface touched.

Deliberate scope deferral: I did not promote opencli_read / opencli_write to first-class keys in the permission config schema. They already work through the config catchall, and adding schema keys would ripple into generated SDK artifacts (packages/sdk/openapi.json, packages/sdk/js/src/v2/gen/types.gen.ts) requiring regen + commit — out of scope for this focused fix.

Skipped conditional checklist items: visible-UI item (no UI or copy changed); platform item (no Electron/packaging/updater/signing/paths surface — server-side permission-key logic).

How To Verify

opencode typecheck (tsgo --noEmit): clean
bun test test/permission/ test/tool/registry.test.ts test/tool/browser-tools.test.ts test/tool/opencli-tools.test.ts:
  193 pass / 0 fail
new disabled() cases:
  - opencli group hidden only when BOTH opencli_read + opencli_write denied (write-only ⇒ stays)
  - browser deny no longer hides opencli tools (browser_* still hidden)
  - global *: deny still hides opencli_run
registry tool_info group-hiding test: switched to deny via opencli_read + opencli_write keys; group still hides correctly

Screenshots or Recordings

None — no visible UI or copy changed.

Checklist

How to use this checklist:

• Tick a box by replacing [ ] with [x]. Do not edit, add, or remove items.
• The bot-applied label items can only be honestly ticked AFTER the PR is opened and the labeler / priority-triage bots have run — return to the PR description and tick them then.
• Most items are required. The few that are conditional are explicitly marked (conditional); for those, leave unticked if they truly do not apply and explain why in Risk Notes. All other items must be ticked before requesting human review.

• Type label — this PR carries exactly one of bug, enhancement, task, documentation. Type labels are author-added; the labeler bot does NOT assign them. Add the label in the GitHub UI, then tick this.
• Routing labels — this PR carries at least one of app, ui, platform, harness, ci. The labeler bot assigns these on PR open based on changed paths. Confirm the bot's choice (or override if wrong), then tick this.
• Priority label — this PR carries exactly one of P0, P1, P2, P3. The priority-triage bot suggests one on PR open. Confirm or override, then tick this.
• Human Review Status above is set to Pending, Approved by @<reviewer>, or Not required: <reason> (default is Pending; "not required" is restricted to bot-authored low-risk PRs).
• I linked the related issue, or stated in Summary why there is no issue.
• I described the review focus and any meaningful risks.
• I replaced the example block in How To Verify with the real verification steps and the key result for each.
• I did not introduce unrelated refactors, dependencies, generated files, or file changes beyond the stated scope.
• (conditional) I manually checked visible UI or copy changes when needed, with screenshots or recordings. Leave unticked only if no visible UI or copy changed.
• (conditional) I considered macOS and Windows impact for platform, packaging, updater, signing, paths, shell, or permissions changes. Leave unticked only if no platform/packaging surface was touched.
• (conditional) I called out docs, release notes, dependencies, permissions, credentials, deletion behavior, generated content, or local file changes when relevant. Leave unticked only if none of those surfaces was touched.
• I reviewed the final diff for unrelated changes and suspicious dependency changes.
• I am targeting dev, and my PR title and commit messages use Conventional Commits in English.

[coderabbitai]

Warning

Review limit reached

@Astro-Han, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 17 minutes and 45 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 7e3a0a9f-7019-4127-80b5-9bd72532de97

📥 Commits

Reviewing files that changed from the base of the PR and between 1639478 and cbdd715.

📒 Files selected for processing (3)

• packages/opencode/src/permission/index.ts
• packages/opencode/test/permission/next.test.ts
• packages/opencode/test/tool/registry.test.ts

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/fix-opencli-perm-consistency

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Suggested priority: P2 (includes non-doc, non-test paths outside the low-risk bucket).

P1/P0 are reserved for maintainer confirmation. Please relabel manually if this is a release blocker, security issue, data-loss risk, or updater/runtime failure.

[gemini-code-assist]

Code Review

This pull request decouples the permission gating of the opencli tool group from browser permissions, ensuring that opencli tools are governed by their own opencli_read and opencli_write keys instead of URL-scoped browser rules. The opencli group is now only hidden when both read and write permissions are wildcard denied. Feedback on the changes points out a potential issue in isWildcardDeny where a redundant specific deny rule configured after a wildcard deny rule could cause the function to incorrectly return false, and suggests a robust backward-iteration approach to fix it.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.