From ac23d88ca9f037c1c16c02656c59c3c3edd2085f Mon Sep 17 00:00:00 2001
From: Hektor Misplon
Date: Sun, 22 Feb 2026 13:22:19 +0100
Subject: [PATCH] fix: deny opencode access to nix secret paths
---
 home/modules/ai-tools.nix | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/home/modules/ai-tools.nix b/home/modules/ai-tools.nix
index 8171084..feadd28 100644
--- a/home/modules/ai-tools.nix
+++ b/home/modules/ai-tools.nix
@@ -74,6 +74,15 @@ in
 home.packages = with pkgs; [
 opencode
 ];
+ home.file.".config/opencode/opencode.json".text = builtins.toJSON {
+ "$schema" = "https://opencode.ai/config.json";
+ permission = {
+ external_directory = {
+ "/run/secrets/" = "deny";
+ "~/.config/sops/age/keys.txt" = "deny";
+ };
+ };
+ };
 })
 ];
 }
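Review bot: The two `external_directory` keys are literal paths with no wildcard, so whether `"/run/secrets/"` also covers the files beneath it depends on how opencode matches these keys; if they are glob patterns rather than prefixes, only the directory itself is denied. I would write the directory rule as `"/run/secrets/*" = "deny";` and confirm with a file under that directory that the deny actually fires. If these secrets are provisioned by sops-nix, `/run/secrets` is normally a symlink into `/run/secrets.d/`, so a matching `"/run/secrets.d/*" = "deny";` entry would also cover access through the symlink target. A one-line comment above `permission` saying that this deny list is defence in depth, and that ownership and mode on the secret files remain the real boundary, would help the next reader. The enclosing module block starts above the hunk, so the condition under which this file is written is not visible here.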