[plan mode] LLM executes dangerous git commands (rebase, reset --hard, force-push) without permission #24102

@dchekmarev

Description

Bug Report: Plan Mode Executes Dangerous Git Commands

Environment

  • OpenCode version: OpenCode 1.14.22
  • LLM provider/model: unsloth/Qwen3.6-35B-A3B-GGUF:UD-IQ4_XS llama-cpp (Local)
  • OS: Ubuntu 24.04.1

Description
In plan mode, OpenCode is supposed to be a read-only agent that "asks permission before running bash commands" (per docs). However, the LLM executes destructive git commands without any permission check:

  • git reset --hard
  • git push --force-with-lease
  • git rebase
  • git branch -D

Expected behavior
Plan mode should be enforced at the engine level rather than relying on the LLM to self-restrain. The engine should:

  1. Block write/modify commands by default in plan mode
  2. Allow read-only commands: git log, git status, git diff, git branch, cat, ls, grep
  3. Block destructive commands: git push --force*, git push -f, git reset --hard, git rebase, git cherry-pick, git branch -D, rm -rf, etc.
  4. When a blocked command is attempted, reject it with a clear message: "Plan mode is read-only. Switch to build mode to make changes."

Why LLM-level enforcement is insufficient

  • LLMs are inherently action-oriented; they "think out loud" and execute commands as part of their reasoning
  • Even with system prompts saying "don't execute commands", the model will still do it because that's what it's trained to do
  • This is an architectural responsibility of the engine, not the model

Proposed fix
Engine-level command filtering in plan mode:

  • Parse the command before execution
  • Match against allowlist/denylist
  • Block dangerous operations with a clear rejection message

Example denylist:

git push --force*
git push -f
git reset --hard
git rebase
git cherry-pick
git branch -D
git push --force-with-lease
rm -rf
chmod -R
sudo

Example allowlist:

git log
git status
git diff
git branch
git show
git stash list
cat
ls
grep
find
wc
head
tail

Plugins

No response

OpenCode version

1.14.22

Steps to reproduce

No response

Screenshot and/or share link

No response

Operating System

Ubuntu 24.04.1

Terminal

No response
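The engine-level filter sketched in the proposed fix, written out here as an added TypeScript example. It is not code from OpenCode or from the issue author. It assumes the engine receives the raw shell string the model wants to run and can refuse it before anything is spawned; the names `parseShell`, `planModeGate` and `PLAN_MODE_REJECTION` are the example's own. It goes a little beyond the issue's two lists: it splits compound commands (`a && b`, `a | b`, `a; b`) and judges each segment, strips quotes so `git reset "--hard"` is not missed, and adds a few entries the lists do not mention (shell redirection and `$(...)`, `git --output=<file>`, `find -delete`/`-exec`), because an allowlist of command names alone still leaves ways to write to the working tree.

```typescript
// Added example (not OpenCode's code): an engine-level gate for plan mode.
// It assumes the engine receives the raw shell string the model wants to run
// and can refuse it before anything is spawned.

export const PLAN_MODE_REJECTION =
  "Plan mode is read-only. Switch to build mode to make changes.";

export interface GateResult { allowed: boolean; reason: string }

interface Parsed { segments: string[][]; unsafeMeta: boolean }

// One pass over the command string: split into segments at ; | || & && and
// newlines, split each segment into argv with quote/backslash handling, and
// flag shell features that can write or execute even when the visible command
// name is read-only (redirection, backticks, $(...), unterminated quotes).
export function parseShell(cmd: string): Parsed {
  const segments: string[][] = [];
  let argv: string[] = [], cur = "", inTok = false, unsafeMeta = false;
  let quote: string | null = null;
  const endTok = () => { if (inTok) { argv.push(cur); cur = ""; inTok = false; } };
  const endSeg = () => { endTok(); if (argv.length) segments.push(argv); argv = []; };
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (quote) {
      // $(...) and backticks still expand inside double quotes; single quotes are literal.
      if (quote === '"' && (c === "`" || (c === "$" && cmd[i + 1] === "("))) unsafeMeta = true;
      if (c === quote) quote = null;
      else if (c === "\\" && quote === '"' && i + 1 < cmd.length) cur += cmd[++i];
      else cur += c;
    } else if (c === "'" || c === '"') { quote = c; inTok = true; }
    else if (c === "\\" && i + 1 < cmd.length) { cur += cmd[++i]; inTok = true; }
    else if (c === "\n" || c === ";" || c === "|" || c === "&") { endSeg(); if (cmd[i + 1] === c) i++; }
    else if (/\s/.test(c)) endTok();
    else {
      if (c === ">" || c === "<" || c === "`" || (c === "$" && cmd[i + 1] === "(")) unsafeMeta = true;
      cur += c; inTok = true;
    }
  }
  endSeg();
  if (quote !== null) unsafeMeta = true; // unterminated quote: do not guess what the shell would do
  return { segments, unsafeMeta };
}

// Skip git's global options (-C <dir>, -c <k=v>, --git-dir=...) so the
// subcommand is matched at a stable position; returns null for non-git argv.
function gitArgs(argv: string[]): string[] | null {
  if (argv[0] !== "git") return null;
  let i = 1;
  while (i < argv.length && argv[i].startsWith("-")) i += argv[i] === "-C" || argv[i] === "-c" ? 2 : 1;
  return argv.slice(i);
}
const gitSub = (argv: string[], sub: string): string[] | null => {
  const g = gitArgs(argv);
  return g !== null && g[0] === sub ? g.slice(1) : null;
};
// Letters from bundled short options (-rf -> {r, f}) so `rm -fr` is not missed.
const shortFlags = (argv: string[]): Set<string> =>
  new Set(argv.filter(x => /^-[A-Za-z]+$/.test(x)).map(x => x.slice(1)).join("").split(""));

// Denylist: checked first, so `git branch -D` is caught even though `git branch` is allowed.
const DENY: Array<[string, (a: string[]) => boolean]> = [
  ["git push --force*/-f", a => !!gitSub(a, "push")?.some(x => x === "-f" || x.startsWith("--force"))],
  ["git reset --hard", a => !!gitSub(a, "reset")?.includes("--hard")],
  ["git rebase", a => gitSub(a, "rebase") !== null],
  ["git cherry-pick", a => gitSub(a, "cherry-pick") !== null],
  ["git branch -D/-d/-m/-M", a => !!gitSub(a, "branch")?.some(x => ["-D", "-d", "-m", "-M", "--delete", "--move"].includes(x))],
  ["git --output", a => !!gitArgs(a)?.some(x => x.startsWith("--output"))], // git diff/log can write a file
  ["rm -rf", a => a[0] === "rm" && shortFlags(a).has("f") && (shortFlags(a).has("r") || shortFlags(a).has("R"))],
  ["chmod -R", a => a[0] === "chmod" && (shortFlags(a).has("R") || a.includes("--recursive"))],
  ["sudo", a => a[0] === "sudo"],
  ["find -delete/-exec", a => a[0] === "find" && a.some(x => ["-delete", "-exec", "-execdir", "-ok", "-okdir"].includes(x))],
];

// Allowlist: everything else is denied by default, so an unknown tool cannot slip through.
const ALLOW_BIN = new Set(["cat", "ls", "grep", "find", "wc", "head", "tail"]);
const ALLOW_GIT = new Set(["log", "status", "diff", "branch", "show"]);
function isReadOnly(argv: string[]): boolean {
  const g = gitArgs(argv);
  if (g !== null) return ALLOW_GIT.has(g[0]) || (g[0] === "stash" && g[1] === "list");
  return ALLOW_BIN.has(argv[0]);
}

// Gate a whole command line: every segment must pass, and the denylist wins over the allowlist.
export function planModeGate(cmd: string): GateResult {
  const { segments, unsafeMeta } = parseShell(cmd);
  if (unsafeMeta) return { allowed: false, reason: `${PLAN_MODE_REJECTION} (redirection or command substitution)` };
  if (segments.length === 0) return { allowed: false, reason: PLAN_MODE_REJECTION };
  for (const argv of segments) {
    const hit = DENY.find(([, match]) => match(argv));
    if (hit) return { allowed: false, reason: `${PLAN_MODE_REJECTION} (blocked: ${hit[0]})` };
    if (!isReadOnly(argv)) return { allowed: false, reason: `${PLAN_MODE_REJECTION} (not on the read-only allowlist: ${argv[0]})` };
  }
  return { allowed: true, reason: "read-only" };
}
```

The order matters: the denylist is consulted before the allowlist so that `git branch -D` and `find -delete` are rejected even though `git branch` and `find` are allowed, and anything on neither list (`echo`, `env`, `bash -c`, `xargs`) is refused by the default-deny branch. The gate is still a string-level approximation of what the shell will do; it complements the permission prompt the docs describe rather than replacing it.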
