diff options
| author | Dax Raad <[email protected]> | 2026-01-14 14:52:39 -0500 |
|---|---|---|
| committer | Dax Raad <[email protected]> | 2026-01-14 14:52:39 -0500 |
| commit | 6b6d6e9e07d120e0f7458af41503270a0be8c424 (patch) | |
| tree | ae351a6970c8670492f1b0cb742fcb8eb8c409e8 /SECURITY.md | |
| parent | 207a59aad48ea632e6e5d6fb580b12850069b5f7 (diff) | |
| download | opencode-6b6d6e9e07d120e0f7458af41503270a0be8c424.tar.gz opencode-6b6d6e9e07d120e0f7458af41503270a0be8c424.zip | |
update security
Diffstat (limited to 'SECURITY.md')
| -rw-r--r-- | SECURITY.md | 47 |
1 files changed, 4 insertions, 43 deletions
diff --git a/SECURITY.md b/SECURITY.md index cd7e4525b..3a653d01c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,6 +12,10 @@ OpenCode does **not** sandbox the agent. The permission system exists as a UX fe If you need true isolation, run OpenCode inside a Docker container or VM. +### Server Mode + +Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning). It is the end user's responsibility to secure the server - any functionality it provides is not a vulnerability. + ### Out of Scope | Category | Rationale | @@ -21,49 +25,6 @@ If you need true isolation, run OpenCode inside a Docker container or VM. | **LLM provider data handling** | Data sent to your configured LLM provider is governed by their policies | | **MCP server behavior** | External MCP servers you configure are outside our trust boundary | -### Architecture - -``` -┌─────────────────────────────────────────────────────────────────┐ -│ User's Machine │ -│ ┌───────────────────────────────────────────────────────────┐ │ -│ │ OpenCode Process │ │ -│ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────────┐ │ │ -│ │ │ Agent │ │ Permission │ │ Storage │ │ │ -│ │ │ (LLM + │ │ System │ │ (~/.local/share │ │ │ -│ │ │ Tools) │ │ │ │ /opencode) │ │ │ -│ │ └─────────────┘ └─────────────┘ └─────────────────┘ │ │ -│ │ │ │ │ -│ │ ▼ │ │ -│ │ ┌─────────────────────────────────────────────────────┐ │ │ -│ │ │ Project Directory (cwd) │ │ │ -│ │ └─────────────────────────────────────────────────────┘ │ │ -│ └───────────────────────────────────────────────────────────┘ │ -│ │ │ -│ ┌──────────────────┼──────────────────┐ │ -│ ▼ ▼ ▼ │ -│ ┌────────────┐ ┌─────────────┐ ┌─────────────┐ │ -│ │ External │ │ LLM │ │ MCP │ │ -│ │ Filesystem │ │ Providers │ │ Servers │ │ -│ └────────────┘ └─────────────┘ └─────────────┘ │ -└─────────────────────────────────────────────────────────────────┘ - -Optional (user must opt-in): -┌─────────────────────────────────────────────────────────────────┐ -│ HTTP Server Mode │ -│ ┌─────────────────────────────────────────────────────────┐ │ -│ │ Server (localhost:port) │ │ -│ │ - REST API endpoints │ │ -│ │ - WebSocket PTY │ │ -│ │ - SSE event stream │ │ -│ └─────────────────────────────────────────────────────────┘ │ -└─────────────────────────────────────────────────────────────────┘ -``` - -### Server Mode - -Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to require HTTP Basic Auth. Without this, the server runs unauthenticated (with a warning). - --- # Reporting Security Issues |