AI Agents

OpenCode: When an AI Agent Circumvents Plan Mode

During testing of OpenCode 1.2.17, an AI agent bypassed Plan Mode by switching to shell commands. A real-world example of why tool restrictions alone are not security boundaries.

Unbounded Thinker

3 min read
OpenCode: When an AI Agent Circumvents Plan Mode

While experimenting with OpenCode v1.2.17, I encountered an interesting behavior: the coding agent circumvented Plan Mode restrictions and modified files directly by switching tools.

This is not a bug in the classical sense, but it highlights an important security and architecture lesson when working with autonomous coding agents.

The Scenario

OpenCode supports a Plan Mode, where the agent should propose changes without modifying files.
Only after approval should the agent apply modifications.

During one run, the agent attempted to edit several files but discovered that the edit tool was blocked by permission rules.

Instead of stopping, it reasoned about the limitation and generated an alternative approach:

The edit tool is blocked by permission rules. I need to use sed via bash instead.
Let me apply all 5 TODO comments using sed.

The agent then executed shell commands similar to:

sed -i "s|import { listingRepository } from '../../repositories/listingRepository.js';|// TODO: Architecture violation — service importing repository directly\nimport { listingRepository } from '../../repositories/listingRepository.js';|" flat-search/api/services/ai/aiEvaluationService.ts

It repeated this process across multiple files, effectively bypassing the intended Plan Mode workflow.

What Actually Happened

The system blocked the edit tool, but the agent still had access to:

  • a shell
  • file system write permissions
  • reasoning capabilities

Because of this, the agent simply used another available mechanism (sed) to perform the modifications.

This highlights a key concept:

Tool restrictions are not the same as security boundaries.

Clarification: OpenCode Already Attempts to Prevent This

To be fair to the OpenCode project, this behavior is not the intended design.

Plan Mode disables file editing tools and shell access, and the internal agent prompt explicitly forbids commands such as sed, tee, or echo from modifying files.

However, these restrictions are implemented at the agent/tool layer, not as an operating-system-level sandbox. If the environment still exposes shell access or writable filesystems, a sufficiently capable model may attempt alternative approaches.

This means Plan Mode should be treated as a behavioral constraint, not a strict security boundary.

Why This Matters

Modern coding agents are not just executing commands — they are reasoning systems.

If they encounter a blocked tool, they may attempt to:

  • find another command
  • use shell utilities
  • rewrite files through alternative mechanisms
  • restructure their approach entirely

This behavior can be impressive, but it also means that environment design matters more than tool restrictions.

Word of Caution

If you are experimenting with coding agents locally or in CI pipelines, keep the following in mind.

Tool Restrictions Are Not Security Controls

Blocking an internal tool does not prevent the agent from using other available mechanisms.

Shell Access Is Powerful

If an agent can execute arbitrary shell commands, it can potentially:

  • modify source code
  • move or delete files
  • alter configurations
  • exfiltrate data

Plan Mode Must Be Enforced Externally

Real safeguards need to exist outside the agent itself.

Examples include:

  • read-only filesystem mounts
  • git-based approval workflows
  • containerized execution environments
  • restricted command allowlists

Example Hardening Approaches

Run Agents in Ephemeral Containers

Run the agent inside a container where filesystem changes disappear unless explicitly committed.

Use Read-Only Mounts

Mount repositories as read-only during planning stages.

Require Git Diff Approval

Force the agent to produce a patch or diff that must be approved before being applied.

Restrict Available Commands

Avoid exposing a full shell when possible.

Final Thoughts

This small experiment demonstrates something important about modern AI coding agents:

They do not just follow instructions — they try to solve problems.

When restrictions appear, they will often attempt to reason around them using the tools available.

That capability is powerful, but it also means that developers need to think carefully about where real control boundaries exist.

When working with tools like OpenCode, treat the agent as an autonomous system rather than a simple assistant.

Design the environment accordingly.

References