
Subagent loses inherited external_directory allow when spawned via task tool #30527

@remorses

Description


When a parent session has an explicit external_directory allow rule (set via SDK session.create({ permission }) or via the session permission API), spawning a subtask through the task tool creates a child session whose permission ruleset does not contain the inherited external_directory allow. The subagent then asks the user for permission to read files in a directory the parent had already approved.

Root cause is in packages/opencode/src/session/prompt.ts around line 1228. The task tool calls prompt() for the child session with tools: { task: false, todowrite: false }. SessionPrompt.prompt converts those into per-call permission rules and writes them to session.permission via sessions.setPermission, replacing whatever was there instead of merging. The child session is created moments earlier by sessions.create with the derived rules from deriveSubagentSessionPermission (including any inherited external_directory allows), and the prompt-time write then clobbers them.

The fix is one line: merge the per-call tool rules into the existing `session.permission` instead of replacing it.

```ts
// packages/opencode/src/session/prompt.ts (around line 1228): merge the per-call
// tool rules into the child session's existing ruleset instead of replacing it,
// so rules derived at sessions.create time (e.g. inherited external_directory
// allows) survive the prompt-time write.
if (permissions.length > 0) {
  const merged = Permission.merge(session.permission ?? [], permissions)
  session.permission = merged
  yield* sessions.setPermission({ sessionID: session.id, permission: merged })
}
```

Plugins

None

OpenCode version

dev (1.15.x, current upstream/dev as of this report)

Steps to reproduce

  1. Create a parent session via SDK with `permission: [{ permission: "external_directory", pattern: "/tmp/foo/*", action: "allow" }]`.
  2. Send a prompt with a `subtask` part targeting a subagent (e.g. `explore`).
  3. The subagent attempts to read `/tmp/foo/secret.txt`.
  4. A pending `external_directory` permission request is emitted instead of the read succeeding.

After the fix the child session permission contains the inherited `external_directory` allow and the subagent reads the file directly.
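As an added illustration (not opencode's own code), the following models the ruleset write described in the root cause and in the steps above: replacing the child's ruleset with the per-call tool rules drops the inherited `external_directory` allow, so a read of `/tmp/foo/secret.txt` falls back to asking the user, while merging keeps it. The rule shape follows the SDK call in step 1; `mergePermissions`, `decide`, and the mapping of `tools: { task: false, todowrite: false }` to deny rules are assumptions, not the project's API.

```typescript
// Added illustration, not opencode's code: the two ways the task tool's
// per-call rules can be written into a child session's ruleset.
type Action = "allow" | "deny" | "ask";
interface Rule { permission: string; pattern: string; action: Action }

// Hypothetical merge (stand-in for Permission.merge in the fix): a later rule
// for the same permission+pattern wins; every other existing rule is kept.
function mergePermissions(existing: Rule[], incoming: Rule[]): Rule[] {
  const byKey: Record<string, Rule> = {};
  for (const r of existing.concat(incoming)) byKey[r.permission + "|" + r.pattern] = r;
  return Object.keys(byKey).map(k => byKey[k]);
}

// The behaviour the report describes: the prompt-time write replaces the
// ruleset that sessions.create derived for the child.
function replacePermissions(_existing: Rule[], incoming: Rule[]): Rule[] {
  return incoming;
}

// Minimal glob matcher: '*' matches any run of characters.
function globMatch(pattern: string, path: string): boolean {
  const parts = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(path);
}

// What a tool call gets: the last matching rule wins; no matching rule means
// a pending permission request ("ask") is emitted to the user.
function decide(rules: Rule[], permission: string, path: string): Action {
  let result: Action = "ask";
  for (const r of rules) {
    if (r.permission === permission && globMatch(r.pattern, path)) result = r.action;
  }
  return result;
}

// Constructed sample: the parent's explicit allow, inherited into the child by
// deriveSubagentSessionPermission, and the task tool's per-call rules
// (assumed to be deny rules for the disabled tools).
const inherited: Rule[] = [{ permission: "external_directory", pattern: "/tmp/foo/*", action: "allow" }];
const perCall: Rule[] = [
  { permission: "task", pattern: "*", action: "deny" },
  { permission: "todowrite", pattern: "*", action: "deny" },
];

// Outcome of the subagent's read under a given write strategy.
function childDecision(write: (existing: Rule[], incoming: Rule[]) => Rule[]): Action {
  const childRuleset = write(inherited, perCall);
  return decide(childRuleset, "external_directory", "/tmp/foo/secret.txt");
}
```

`childDecision(replacePermissions)` yields `"ask"` (the bug), `childDecision(mergePermissions)` yields `"allow"` (after the fix).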

Related issues

Closed issues that share this code path:

Open issues in the same area but not this exact bug:

Operating System

macOS 26

Terminal

iTerm2

Metadata


Assignees

Labels

No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
