80 lines
6.2 KiB
Markdown
80 lines
6.2 KiB
Markdown
# Security
|
|
|
|
## Threat Model
|
|
|
|
### Overview
|
|
|
|
OpenCode is an AI-powered coding assistant that runs locally on your machine. It provides an agent system with access to powerful tools including shell execution, file operations, and web access.
|
|
|
|
### No Sandbox
|
|
|
|
OpenCode does **not** sandbox the agent. The permission system exists as a UX feature to help users stay aware of what actions the agent is taking - it prompts for confirmation before executing commands, writing files, etc. However, it is not designed to provide security isolation.
|
|
|
|
If you need true isolation, run OpenCode inside a Docker container or VM.
|
|
|
|
### Out of Scope
|
|
|
|
| Category | Rationale |
|
|
| ------------------------------- | ----------------------------------------------------------------------- |
|
|
| **Server access when opted-in** | If you enable server mode, API access is expected behavior |
|
|
| **Sandbox escapes** | The permission system is not a sandbox (see above) |
|
|
| **LLM provider data handling** | Data sent to your configured LLM provider is governed by their policies |
|
|
| **MCP server behavior** | External MCP servers you configure are outside our trust boundary |
|
|
|
|
### Architecture
|
|
|
|
```
|
|
┌─────────────────────────────────────────────────────────────────┐
|
|
│ User's Machine │
|
|
│ ┌───────────────────────────────────────────────────────────┐ │
|
|
│ │ OpenCode Process │ │
|
|
│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────────┐ │ │
|
|
│ │ │ Agent │ │ Permission │ │ Storage │ │ │
|
|
│ │ │ (LLM + │ │ System │ │ (~/.local/share │ │ │
|
|
│ │ │ Tools) │ │ │ │ /opencode) │ │ │
|
|
│ │ └─────────────┘ └─────────────┘ └─────────────────┘ │ │
|
|
│ │ │ │ │
|
|
│ │ ▼ │ │
|
|
│ │ ┌─────────────────────────────────────────────────────┐ │ │
|
|
│ │ │ Project Directory (cwd) │ │ │
|
|
│ │ └─────────────────────────────────────────────────────┘ │ │
|
|
│ └───────────────────────────────────────────────────────────┘ │
|
|
│ │ │
|
|
│ ┌──────────────────┼──────────────────┐ │
|
|
│ ▼ ▼ ▼ │
|
|
│ ┌────────────┐ ┌─────────────┐ ┌─────────────┐ │
|
|
│ │ External │ │ LLM │ │ MCP │ │
|
|
│ │ Filesystem │ │ Providers │ │ Servers │ │
|
|
│ └────────────┘ └─────────────┘ └─────────────┘ │
|
|
└─────────────────────────────────────────────────────────────────┘
|
|
|
|
Optional (user must opt-in):
|
|
┌─────────────────────────────────────────────────────────────────┐
|
|
│ HTTP Server Mode │
|
|
│ ┌─────────────────────────────────────────────────────────┐ │
|
|
│ │ Server (localhost:port) │ │
|
|
│ │ - REST API endpoints │ │
|
|
│ │ - WebSocket PTY │ │
|
|
│ │ - SSE event stream │ │
|
|
│ └─────────────────────────────────────────────────────────┘ │
|
|
└─────────────────────────────────────────────────────────────────┘
|
|
```
|
|
|
|
### Server Mode
|
|
|
|
Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning).
|
|
|
|
---
|
|
|
|
# Reporting Security Issues
|
|
|
|
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
|
|
|
|
To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/anomalyco/opencode/security/advisories/new) tab.
|
|
|
|
The team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
|
|
|
|
## Escalation
|
|
|
|
If you do not receive an acknowledgement of your report within 6 business days, you may send an email to security@anoma.ly
|