# Security

## Threat Model

### Overview

OpenCode is an AI-powered coding assistant that runs locally on your machine. It provides an agent system with access to powerful tools including shell execution, file operations, and web access.

### No Sandbox

OpenCode does **not** sandbox the agent. The permission system exists as a UX feature to help users stay aware of what actions the agent is taking - it prompts for confirmation before executing commands, writing files, etc. However, it is not designed to provide security isolation.

If you need true isolation, run OpenCode inside a Docker container or VM.

### Out of Scope

| Category                        | Rationale                                                               |
| ------------------------------- | ----------------------------------------------------------------------- |
| **Server access when opted-in** | If you enable server mode, API access is expected behavior              |
| **Sandbox escapes**             | The permission system is not a sandbox (see above)                      |
| **LLM provider data handling**  | Data sent to your configured LLM provider is governed by their policies |
| **MCP server behavior**         | External MCP servers you configure are outside our trust boundary       |

### Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                         User's Machine                          │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                     OpenCode Process                      │  │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────────┐    │  │
│  │  │   Agent     │  │ Permission  │  │    Storage      │    │  │
│  │  │  (LLM +     │  │   System    │  │ (~/.local/share │    │  │
│  │  │   Tools)    │  │             │  │  /opencode)     │    │  │
│  │  └─────────────┘  └─────────────┘  └─────────────────┘    │  │
│  │         │                                                 │  │
│  │         ▼                                                 │  │
│  │  ┌─────────────────────────────────────────────────────┐  │  │
│  │  │              Project Directory (cwd)                │  │  │
│  │  └─────────────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                │                                │
│             ┌──────────────────┼──────────────────┐             │
│             ▼                  ▼                  ▼             │
│       ┌────────────┐     ┌────────────┐     ┌────────────┐      │
│       │  External  │     │    LLM     │     │    MCP     │      │
│       │ Filesystem │     │  Providers │     │  Servers   │      │
│       └────────────┘     └────────────┘     └────────────┘      │
└─────────────────────────────────────────────────────────────────┘

Optional (user must opt-in):

┌─────────────────────────────────────────────────────────────────┐
│                        HTTP Server Mode                         │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  Server (localhost:port)                                │    │
│  │  - REST API endpoints                                   │    │
│  │  - WebSocket PTY                                        │    │
│  │  - SSE event stream                                     │    │
│  └─────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
```

### Server Mode

Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning).

---

# Reporting Security Issues

We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/anomalyco/opencode/security/advisories/new) tab.

The team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

## Escalation

If you do not receive an acknowledgement of your report within 6 business days, you may send an email to security@anoma.ly
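The Server Mode and No Sandbox sections above describe two operator-side controls: `OPENCODE_SERVER_PASSWORD` turns on HTTP Basic Auth, and a container or VM is the only real isolation boundary. The wrapper below is an added example, not part of OpenCode's own code or documentation. It refuses to start server mode unless the password variable is set (the minimum length is a local policy assumption, not an OpenCode rule), probes a running server to confirm that a request without credentials is rejected with 401, and launches OpenCode inside a Docker container with only the project directory mounted. The listen port, the Docker image name, and the `opencode` binary name are placeholders; the page only states that the server binds to `localhost:port`.

```shell
#!/bin/sh
# Added example (not OpenCode's own code). Assumptions:
#   - OPENCODE_SERVER_PASSWORD is the env var the SECURITY page names;
#   - the server listens on localhost over plain HTTP; the port below
#     is a placeholder, as is the Docker image name.

MIN_PASSWORD_LEN=16                      # assumption: local policy
PORT="${OPENCODE_PORT:-4096}"            # placeholder: page gives no port

# Return 0 only when OPENCODE_SERVER_PASSWORD is set and not trivially short.
# Without it the server runs unauthenticated (with a warning), so fail closed
# instead of relying on someone noticing that warning in the logs.
require_server_password() {
    pw="${OPENCODE_SERVER_PASSWORD:-}"
    if [ -z "$pw" ]; then
        echo "refusing to start server mode: OPENCODE_SERVER_PASSWORD is unset" >&2
        return 1
    fi
    if [ "${#pw}" -lt "$MIN_PASSWORD_LEN" ]; then
        echo "refusing to start server mode: password shorter than $MIN_PASSWORD_LEN chars" >&2
        return 1
    fi
    return 0
}

# Map an HTTP status code to the verdict the probe needs:
# "auth-required" for 401, "open" for any 2xx, "other" for everything else.
classify_status() {
    case "$1" in
        401) echo "auth-required" ;;
        2??) echo "open" ;;
        *)   echo "other" ;;
    esac
}

# Probe a running server: a request carrying no credentials must be rejected.
# Usage: probe_basic_auth http://127.0.0.1:PORT/
probe_basic_auth() {
    url="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url") || return 2
    verdict=$(classify_status "$code")
    if [ "$verdict" = "auth-required" ]; then
        echo "ok: $url rejects unauthenticated requests ($code)"
        return 0
    fi
    echo "WARNING: $url answered $code without credentials" >&2
    return 1
}

# Run OpenCode inside a container, the page's recommendation when real
# isolation is needed. Only the current project directory is mounted, the
# password travels via the environment (not the command line), and the
# published port is bound to the loopback interface only.
run_isolated() {
    image="${OPENCODE_IMAGE:-opencode-image-placeholder}"   # placeholder
    require_server_password || return 1
    docker run --rm -it \
        -v "$PWD:/work" -w /work \
        -e OPENCODE_SERVER_PASSWORD \
        -p "127.0.0.1:$PORT:$PORT" \
        "$image" "$@"
}

# Act only when given a subcommand, so sourcing this file has no side effects.
case "${1:-}" in
    run)   shift; run_isolated "$@" ;;
    probe) shift; probe_basic_auth "$@" ;;
    "")    ;;
    *)     echo "usage: $0 run [opencode args] | probe URL" >&2; exit 2 ;;
esac
```

Typical use is `OPENCODE_SERVER_PASSWORD='…' ./opencode-guard.sh run` to start the container, then `./opencode-guard.sh probe http://127.0.0.1:4096/` from the host; a verdict of `open` means the server is answering without credentials and the password variable did not reach the process.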