MCP filesystem tools bypass plan mode `edit: deny` permission rule

[jpravetz]

Description

When plan mode is configured with "edit": "deny" in opencode.json, MCP filesystem tools (e.g., filesystem_edit_file, filesystem_write_file) are not blocked. They execute successfully despite the explicit deny rule.

The "edit" permission rule appears to only gate opencode's native edit tools, not MCP tools that perform equivalent file-modification operations. Since MCP tools are dispatched through the MCP protocol with their own permission namespace (e.g., filesystem_edit_file), the "edit" deny rule never sees them.

Steps to Reproduce

1. Configure an agent with "edit": "deny" (e.g., the default plan agent or a custom plan agent):

   "plan": {
     "mode": "primary",
     "permission": {
       "edit": "deny",
       ...
     }
   }

2. Ensure an MCP filesystem server is configured (e.g., @anthropic/claude-code's filesystem MCP or any MCP server providing filesystem_edit_file/filesystem_write_file tools).
3. Enter plan mode and ask the agent to modify a file.
4. The agent uses the MCP filesystem tool to write/edit the file successfully.

Expected Behavior

Plan mode with "edit": "deny" should block ALL file-modifying tools, including those provided by MCP servers. This is the core invariant of plan mode being read-only.

Actual Behavior

MCP filesystem tools bypass the "edit" deny rule because the permission system doesn't map MCP tool names to the edit permission key. The AI sees the MCP tools as available and uses them.

Environment

• opencode version: latest
• MCP filesystem server configured
• Plan mode active with "edit": "deny"

Related Issues

• plan agent bypass #24615 — plan agent bypass (similar symptom, different root cause — was about default permissions being lost)
• Opencode ignoring deny permissions? #25515 — edit: deny ignored at agent level
• Plan mode can execute bash commands that write files, bypassing read-only constraint #28467 — plan mode bash commands can write files (bash, not MCP tools)
• fix(opencode): inherit MCP tool allow permissions in subagent sessions #30288 — MCP tool allow permissions in subagent sessions (PR, related area)

[github-actions]

This issue might be a duplicate of or closely related to existing issues not listed above. Please check:

• Permission rules not enforced for "edit" operation performed by Task subagents #23519: Permission rules not enforced for edit operation performed by Task subagents — same root cause (permission system not covering non-native tool dispatches), different vector (Task subagents vs MCP tools)
• Bug Report: File Write Executed in Plan Mode #25263: File Write Executed in Plan Mode — similar symptom of plan mode write bypass

[jpravetz]

Should I not be using the filesystem mcp that I am using? opencode probably has it's own filesystem APIs and doesn't need this mcp?

• Thought: 2.6s
  That's exactly right. Opencode has built-in equivalents for all the standard filesystem MCP tools (filesystem_read_file, filesystem_write_file, filesystem_edit_file, filesystem_create_directory, filesystem_list_directory, filesystem_search_files, filesystem_get_file_info, etc.) — and they respect the permission system (plan mode's edit: deny, read rules, etc.).
  The MCP filesystem server is redundant and actively harmful because it creates a backdoor around permissions. I'd recommend removing it from your MCP config and relying on opencode's native filesystem tools.