fix: strip inline env var prefixes from bash permission patterns

packages/opencode/src/tool/shell.ts

@@ -119,10 +119,6 @@ function parts(node: Node) {
   return out
 }
 
-function source(node: Node) {
-  return (node.parent?.type === "redirected_statement" ? node.parent.text : node.text).trim()
-}
-
 function commands(node: Node) {
   return node.descendantsOfType("command").filter((child): child is Node => Boolean(child))
 }
@@ -401,7 +397,20 @@ export const ShellTool = Tool.define(
         }
 
         if (tokens.length && (!cmd || !CWD.has(cmd))) {
-          scan.patterns.add(source(node))
+          // Build the pattern from parts() tokens, which already exclude variable_assignment
+          // nodes (e.g. GITHUB_TOKEN=x), so the pattern only contains the actual command.
+          let pattern = tokens.join(" ")
+          if (node.parent?.type === "redirected_statement") {
+            // Re-attach any redirection suffix (e.g. "2>&1", "> file") that lives on
+            // the parent but outside the command node itself.
+            // Guard with startsWith: tree-sitter guarantees child ranges are within
+            // parent ranges, but .text is a string slice so we verify before slicing.
+            if (node.parent.text.startsWith(node.text)) {
+              const redirectSuffix = node.parent.text.slice(node.text.length).trim()
+              if (redirectSuffix) pattern = pattern + " " + redirectSuffix
+            }
+          }
+          scan.patterns.add(pattern)
           scan.always.add(BashArity.prefix(tokens).join(" ") + " *")
         }
       }

packages/opencode/test/tool/shell.test.ts

@@ -1023,6 +1023,69 @@ describe("tool.shell permissions", () => {
       )
     }),
   )
+
+  each("strips inline env var prefix from permission pattern", () =>
+    Effect.gen(function* () {
+      const tmp = yield* tmpdirScoped()
+      yield* runIn(
+        tmp,
+        Effect.gen(function* () {
+          const err = new Error("stop after permission")
+          const requests: Array<Omit<Permission.Request, "id" | "sessionID" | "tool">> = []
+          yield* fail(
+            { command: 'CI=true git commit -m "test"', description: "Commit with env prefix" },
+            capture(requests, err),
+          )
+          const bashReq = requests.find((r) => r.permission === "bash")
+          expect(bashReq).toBeDefined()
+          expect(bashReq!.patterns).toContain('git commit -m "test"')
+          expect(bashReq!.patterns).not.toContain('CI=true git commit -m "test"')
+        }),
+      )
+    }),
+  )
+
+  each("strips multiple inline env var prefixes from permission pattern", () =>
+    Effect.gen(function* () {
+      const tmp = yield* tmpdirScoped()
+      yield* runIn(
+        tmp,
+        Effect.gen(function* () {
+          const err = new Error("stop after permission")
+          const requests: Array<Omit<Permission.Request, "id" | "sessionID" | "tool">> = []
+          yield* fail(
+            { command: "FOO=1 BAR=2 echo hello", description: "Echo with multiple env prefixes" },
+            capture(requests, err),
+          )
+          const bashReq = requests.find((r) => r.permission === "bash")
+          expect(bashReq).toBeDefined()
+          expect(bashReq!.patterns).toContain("echo hello")
+          expect(bashReq!.patterns).not.toContain("FOO=1")
+        }),
+      )
+    }),
+  )
+
+  each("strips env var prefix and preserves redirection in permission pattern", () =>
+    Effect.gen(function* () {
+      const tmp = yield* tmpdirScoped()
+      yield* runIn(
+        tmp,
+        Effect.gen(function* () {
+          const err = new Error("stop after permission")
+          const requests: Array<Omit<Permission.Request, "id" | "sessionID" | "tool">> = []
+          yield* fail(
+            { command: "CI=true echo hello > output.txt", description: "Redirect with env prefix" },
+            capture(requests, err),
+          )
+          const bashReq = requests.find((r) => r.permission === "bash")
+          expect(bashReq).toBeDefined()
+          expect(bashReq!.patterns).toContain("echo hello > output.txt")
+          expect(bashReq!.patterns).not.toContain("CI=true")
+        }),
+      )
+    }),
+  )
 })
 
 describe("tool.shell abort", () => {