[BUG]: Question tool bypasses read-before-edit -- no runtime enforcement #30853

@LifetimeVip

Description

The Question tool can be used as a substitute for the Read tool because:

  1. Question tool output is structurally identical -- question.ts returns answers as plain text. To the AI conversation history, a Question answer looks the same as Read output.

  2. No runtime enforcement in edit tools -- edit.ts, write.ts, and bash.ts have zero checks verifying the file was read via the Read tool before editing. The tool descriptions claim read-before-edit is required, but there is no code backing this claim.

  3. No session-level read tracking -- there is no mechanism to distinguish whether file content came from a Read call or a Question answer. The AI could ask "What is the content of src/main.ts?", receive the answer, then edit the file -- all without ever calling Read.

Reproduction steps

  1. Start an opencode session
  2. Ask the AI to modify a file it has not read yet
  3. When the AI calls question asking "What is the current content of ?", paste the file content as your answer
  4. The AI now has the content and can call edit/write with correct oldString -- the edit will succeed because there is no Read-tool check in the editing tools

Code paths

  • question.ts returns plain text answers, structurally same as Read output
  • edit.ts, write.ts -- zero read-before-edit enforcement
  • bash.ts -- no enforcement either

Related

This is one instance of a broader pattern tracked in #30376 (missing code-level read-before-edit enforcement across all tools).
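
The session-level read tracking and edit-time check that the issue reports as missing could look like the following. This is an added example, not opencode's code: the `Session` class, its method names, and the in-memory file map are hypothetical, and the file content is constructed.

```typescript
// Added example: Session and its methods are hypothetical names, not opencode's API.
class Session {
  private files: Map<string, string>;
  // path -> content observed by the Read tool during this session
  private readSnapshots = new Map<string, string>();

  constructor(files: Map<string, string>) {
    this.files = files;
  }
  // Read tool: returns the content and records that this path was read.
  read(path: string): string {
    const content = this.files.get(path);
    if (content === undefined) throw new Error(`no such file: ${path}`);
    this.readSnapshots.set(path, content);
    return content;
  }
  // Question tool: returns the user's answer; it never counts as a read.
  question(_prompt: string, answer: string): string {
    return answer;
  }
  // Edit tool: allowed only if Read saw the file's current content.
  edit(path: string, oldString: string, newString: string): void {
    const current = this.files.get(path);
    if (current === undefined) throw new Error(`no such file: ${path}`);
    const seen = this.readSnapshots.get(path);
    if (seen === undefined) throw new Error(`edit denied: ${path} not read via Read tool`);
    if (seen !== current) throw new Error(`edit denied: ${path} changed since last Read`);
    if (!current.includes(oldString)) throw new Error("oldString not found");
    const updated = current.replace(oldString, newString);
    this.files.set(path, updated);
    this.readSnapshots.set(path, updated); // the editor knows the new content
  }
}

// Constructed scenario following the reproduction steps above.
function demo(): string[] {
  const files = new Map([["src/main.ts", "const x = 1;\n"]]);
  const s = new Session(files);
  const log: string[] = [];
  // Content arrives through a Question answer, not through Read.
  const pasted = s.question("What is the content of src/main.ts?", "const x = 1;\n");
  try { s.edit("src/main.ts", pasted.trim(), "const x = 2;"); }
  catch (e) { log.push((e as Error).message); }
  s.read("src/main.ts"); // a real Read call unlocks the edit
  s.edit("src/main.ts", "const x = 1;", "const x = 2;");
  log.push(files.get("src/main.ts")!);
  return log;
}
```

The check keys on which tool produced the content rather than on the text itself, so a Question answer that matches the file byte for byte still does not satisfy it.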
