diff --git a/packages/opencode/src/permission/hardener.ts b/packages/opencode/src/permission/hardener.ts
new file mode 100644
index 000000000000..f9f3231874c8
--- /dev/null
+++ b/packages/opencode/src/permission/hardener.ts
@@ -0,0 +1,12 @@
+/**
+ * PermissionHardener — Auto-allow rules for read-only tools
+ *
+ * Pre-filters permission decisions for known safe tools.
+ */
+
+const AUTO_ALLOW_TOOLS = new Set(["read", "glob", "grep", "todowrite"])
+
+export function permissionPreFilter(tool: string): "allow" | "default" {
+ if (AUTO_ALLOW_TOOLS.has(tool)) return "allow"
+ return "default"
+}
diff --git a/packages/opencode/test/permission/hardener.test.ts b/packages/opencode/test/permission/hardener.test.ts
new file mode 100644
index 000000000000..e22b624750e4
--- /dev/null
+++ b/packages/opencode/test/permission/hardener.test.ts
@@ -0,0 +1,26 @@
+import { describe, expect, test } from "bun:test"
+import { permissionPreFilter } from "../../src/permission/hardener"
+
+describe("permissionPreFilter", () => {
+ test("auto-allows read", () => {
+ expect(permissionPreFilter("read")).toBe("allow")
+ })
+ test("auto-allows glob", () => {
+ expect(permissionPreFilter("glob")).toBe("allow")
+ })
+ test("auto-allows grep", () => {
+ expect(permissionPreFilter("grep")).toBe("allow")
+ })
+ test("auto-allows todowrite", () => {
+ expect(permissionPreFilter("todowrite")).toBe("allow")
+ })
+ test("bash defaults to ask", () => {
+ expect(permissionPreFilter("bash")).toBe("default")
+ })
+ test("write defaults to ask", () => {
+ expect(permissionPreFilter("write")).toBe("default")
+ })
+ test("unknown tool defaults", () => {
+ expect(permissionPreFilter("unknown_tool")).toBe("default")
+ })
+})
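Review bot: permissionPreFilter decides "allow" from the tool name alone, so any argument-level rule (a path or pattern restriction on read, glob or grep) is bypassed wherever this pre-filter runs ahead of the regular permission check; the callers are outside this diff, so I cannot see whether that ordering is guarded. The header comment also says "read-only tools" while AUTO_ALLOW_TOOLS includes todowrite, which presumably mutates session todo state rather than only reading it. I would state the contract on the export, e.g. `/** Name-only pre-filter. Returns "allow" only for tools whose safety does not depend on their arguments; it never replaces argument-level (path/pattern) permission rules, which must still run. */`, and either drop todowrite from the set or reword the header so the two agree. Matching is exact and case-sensitive (`Set.has`), which is the conservative choice, but worth a one-line comment so nobody "fixes" it with a lowercase normalisation later.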
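Review bot: The test names "bash defaults to ask" and "write defaults to ask" assert a return value of "default", which per the source means "defer to the normal permission flow", not "ask"; renaming them to `test("bash is not pre-filtered", ...)` keeps the expectations honest about what the function promises. There is also no case that pins the exact-match behaviour, so a later change to case-insensitive or prefix matching would pass this suite unnoticed; a single `expect(permissionPreFilter("Read")).toBe("default")` would lock that in.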