Summary
The SPA cannot respond to permission requests because it authenticates with the client token (OPENWORK_TOKEN), but permission replies are gated to the host token (OPENWORK_HOST_TOKEN). Clicking "Deny" / "Allow once" / "Allow for session" returns 403 forbidden — Only owner tokens can reply to permission requests as toasts, and the underlying tool call stays in running limbo.
This is reproducible with the default external_directory permission category (which fires by default when opencode native file tools touch paths outside authorizedRoots / workspace.path).
Reproduction
- Vanilla
packaging/docker/docker-compose.dev.yml on v0.13.12 — auto-generated tokens (or .env-pinned).
- Workspace
opencode.json — no explicit permission block.
- In the SPA, prompt the agent to read a file outside
/workspace, e.g. Run bash 'cat /etc/passwd | head -3' (or any opencode native file op outside workspace).
- The "Access an external folder?" / "Run a shell command?" dialog appears.
- Click any of the three buttons.
Result
- Toast:
{"code":"forbidden","message":"Only owner tokens can reply to permission requests"} (×2)
- Tool call stays
status: "running"
- Dialog auto-dismisses ~10s later (per #1916)
- Session stuck "Responding"
Expected
Either the SPA should authenticate the permission-reply endpoint with the host token (so user clicks work), OR the gate should accept client-token replies for SPA-originated UIs. As shipped, the SPA is fundamentally unable to clear any permission request in dev-stack default config.
Workaround
None known short of: (a) patching the SPA to send host token on permission replies, (b) shipping host token to the SPA at boot, or (c) avoiding any operation that triggers a permission gate (which includes any opencode native file op outside workspace.path, fired silently by default).
Environment
OpenWork v0.13.12 (ef5ae9cc) · opencode 1.14.38 · vanilla packaging/docker/docker-compose.dev.yml · related issues: #1916 (dialog auto-dismiss), #1917 (auth.json wipe on restart)
🤖
Summary
The SPA cannot respond to permission requests because it authenticates with the client token (
OPENWORK_TOKEN), but permission replies are gated to the host token (OPENWORK_HOST_TOKEN). Clicking "Deny" / "Allow once" / "Allow for session" returns403 forbidden — Only owner tokens can reply to permission requestsas toasts, and the underlying tool call stays inrunninglimbo.This is reproducible with the default
external_directorypermission category (which fires by default when opencode native file tools touch paths outsideauthorizedRoots/workspace.path).Reproduction
packaging/docker/docker-compose.dev.ymlon v0.13.12 — auto-generated tokens (or.env-pinned).opencode.json— no explicitpermissionblock./workspace, e.g.Run bash 'cat /etc/passwd | head -3'(or any opencode native file op outside workspace).Result
{"code":"forbidden","message":"Only owner tokens can reply to permission requests"}(×2)status: "running"Expected
Either the SPA should authenticate the permission-reply endpoint with the host token (so user clicks work), OR the gate should accept client-token replies for SPA-originated UIs. As shipped, the SPA is fundamentally unable to clear any permission request in dev-stack default config.
Workaround
None known short of: (a) patching the SPA to send host token on permission replies, (b) shipping host token to the SPA at boot, or (c) avoiding any operation that triggers a permission gate (which includes any opencode native file op outside
workspace.path, fired silently by default).Environment
OpenWork v0.13.12 (
ef5ae9cc) · opencode 1.14.38 · vanillapackaging/docker/docker-compose.dev.yml· related issues: #1916 (dialog auto-dismiss), #1917 (auth.json wipe on restart)🤖