docs: add "Order matters" section

Co-authored-by: rekram1-node <rekram1-node@users.noreply.github.com>
2026-02-01 22:48:16 +00:00 · 2026-01-06 04:44:01 +00:00
parent 8da890649f
commit f3cf6a3ec5
1 changed files with 41 additions and 3 deletions
--- a/packages/web/src/content/docs/permissions.mdx
+++ b/packages/web/src/content/docs/permissions.mdx
@@ -45,7 +45,7 @@ You can also set all permissions at once:

 ---

-## Granular Rules (Object Syntax)
+## Granular rules

 For most permissions, you can use an object to apply different actions based on the tool input.

@@ -67,9 +67,47 @@ For most permissions, you can use an object to apply different actions based on
 }
 ```

-Rules are evaluated by pattern match, with the **last matching rule winning**. A common pattern is to put the catch-all `"*"` rule first, and more specific rules after it.
+---

-### Wildcards
+## Order matters
+
+:::caution
+Rules are evaluated in declaration order and **the last matching rule wins**. Put your catch-all `"*"` rule first, and specific patterns last.
+:::
+
+This is a common mistake:
+
+```json title="opencode.json"
+{
+  "permission": {
+    "bash": {
+      "rm *": "deny",
+      "*": "allow"
+    }
+  }
+}
+```
+
+Here `rm foo` matches both `"rm *"` and `"*"`. Since `"*": "allow"` comes last, it wins — and the command runs. This is probably not what you want.
+
+Put the catch-all first:
+
+```json title="opencode.json"
+{
+  "permission": {
+    "bash": {
+      "*": "allow",
+      "rm *": "deny"
+    }
+  }
+}
+```
+
+Now `rm foo` is denied because `"rm *": "deny"` is the last matching rule.
+
+---
+
+## Wildcards

 Permission patterns use simple wildcard matching: