From 6b6d6e9e07d120e0f7458af41503270a0be8c424 Mon Sep 17 00:00:00 2001 From: Dax Raad Date: Wed, 14 Jan 2026 14:52:39 -0500 Subject: [PATCH] update security --- SECURITY.md | 47 ++++------------------------------------------- 1 file changed, 4 insertions(+), 43 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index cd7e4525b..3a653d01c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,10 @@ OpenCode does **not** sandbox the agent. The permission system exists as a UX fe If you need true isolation, run OpenCode inside a Docker container or VM. +### Server Mode + +Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning). It is the end user's responsibility to secure the server - any functionality it provides is not a vulnerability. + ### Out of Scope | Category | Rationale | 
@@ -21,49 +25,6 @@ If you need true isolation, run OpenCode inside a Docker container or VM. | **LLM provider data handling** | Data sent to your configured LLM provider is governed by their policies | | **MCP server behavior** | External MCP servers you configure are outside our trust boundary | -### Architecture - -``` -┌─────────────────────────────────────────────────────────────────┐ -│ User's Machine │ -│ ┌───────────────────────────────────────────────────────────┐ │ -│ │ OpenCode Process │ │ -│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────────┐ │ │ -│ │ │ Agent │ │ Permission │ │ Storage │ │ │ -│ │ │ (LLM + │ │ System │ │ (~/.local/share │ │ │ -│ │ │ Tools) │ │ │ │ /opencode) │ │ │ -│ │ └─────────────┘ └─────────────┘ └─────────────────┘ │ │ -│ │ │ │ │ -│ │ ▼ │ │ -│ │ ┌─────────────────────────────────────────────────────┐ │ │ -│ │ │ Project Directory (cwd) │ │ │ -│ │ └─────────────────────────────────────────────────────┘ │ │ -│ └───────────────────────────────────────────────────────────┘ │ -│ │ │ -│ ┌──────────────────┼──────────────────┐ │ -│ ▼ ▼ ▼ │ -│ ┌────────────┐ ┌─────────────┐ ┌─────────────┐ │ -│ │ External │ │ LLM │ │ MCP │ │ -│ │ Filesystem │ │ Providers │ │ Servers │ │ -│ └────────────┘ └─────────────┘ └─────────────┘ │ -└─────────────────────────────────────────────────────────────────┘ - -Optional (user must opt-in): -┌─────────────────────────────────────────────────────────────────┐ -│ HTTP Server Mode │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ Server (localhost:port) │ │ -│ │ - REST API endpoints │ │ -│ │ - WebSocket PTY │ │ -│ │ - SSE event stream │ │ -│ └─────────────────────────────────────────────────────────┘ │ -└─────────────────────────────────────────────────────────────────┘ -``` - -### Server Mode - -Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning). - --- # Reporting Security Issues
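Review bot: In the first hunk, the added sentence "any functionality it provides is not a vulnerability" in the new `### Server Mode` paragraph is broad enough to read as excluding defects in the authentication itself, for example a way around the HTTP Basic Auth check when `OPENCODE_SERVER_PASSWORD` is set. Consider narrowing it to what the server does for a client that is authenticated, or that the user has chosen to leave unauthenticated, and saying that flaws in the password check remain reportable. Because the paragraph now sits directly above the Out of Scope table, a matching row in that table would make the scoping easier to find than a sentence in running text.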
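Review bot: The second hunk deletes the Architecture diagram together with the old Server Mode section, and with it the lines that said what server mode exposes (REST API endpoints, WebSocket PTY, SSE event stream) and that it listens on `localhost:port`. The relocated Server Mode text tells the user to secure the server but no longer says what is being secured. Suggest keeping a short list of the exposed interfaces and the bind address in the new section. The commit subject "update security" also gives no reason for dropping the diagram, so a one-line rationale in the message would help later readers.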