
[FEATURE]: Managed settings with admin-controlled priority for enterprise

Open Mishkun opened this issue 3 weeks ago • 8 comments

Feature hasn't been suggested before.

  • [x] I have verified this feature I'm about to request hasn't been suggested before.

Describe the enhancement you want to request

Problem

Organizations deploying OpenCode to teams need a way to enforce certain settings that users cannot override. Currently, there's no mechanism for administrators to set high-priority configurations that take precedence over user/project settings.

E.g. Claude Code solves this with /Library/Application Support/ClaudeCode/managed-settings.json - a system-level config file that can be deployed by admins and takes precedence over user rules.

Use cases for managed settings

  • configuring company-wide approved providers and models
  • disabling share functionality to comply with cybersec rules
  • disabling autoupdate

Proposed Solution

Add support for a managed settings file, taking precedence over user settings. Meaning that configs will be applied in this priority:

  1. Managed settings (admin-controlled, read-only for users)
    • macOS: /Library/Application Support/opencode/managed-settings.json
    • Linux: /etc/opencode/managed-settings.json
    • Windows: %ProgramData%\opencode\managed-settings.json
  2. Project settings (./opencode.json)
  3. User settings (~/.config/opencode/config.json)

That way the config will override the user-provided settings.

Mishkun avatar Dec 29 '25 13:12 Mishkun

This issue might be a duplicate of or related to existing issues. Please check:

  • #4881: [FEATURE]: Setting global permissions for custom tool - covers controlling tool permissions across the system
  • #5965: [FEATURE]: SDK-level permission overrides for tools - discusses enforcing permission constraints programmatically
  • #5076: OpenCode should have better/safer defaults to be more security minded - addresses security-first default configurations and enforcing security policies
  • #6207: [FEATURE]: Easily import settings/agents/MCP servers from other tools - related to importing and managing configuration from external sources

Your feature request is more comprehensive as it proposes a hierarchical configuration system with admin-controlled overrides, which goes beyond these individual issues. Feel free to ignore if this specifically addresses a different use case.

github-actions[bot] avatar Dec 29 '25 13:12 github-actions[bot]

yep this was on my list

btw curious at your organization what is the mechanism to distribute that file?

thdxr avatar Dec 30 '25 05:12 thdxr

> btw curious at your organization what is the mechanism to distribute that file?

I believe for Macs they use Jamf. I'll check and come back

Mishkun avatar Dec 30 '25 07:12 Mishkun

@thdxr yep, they use Jamf to put these files, but this doesn't really protect them from being changed by the end user. It is a feasible workaround, but other software is managed by reading userdefaults

Mishkun avatar Dec 30 '25 11:12 Mishkun

> yep this was on my list

mind if I submit a pr?

Mishkun avatar Dec 30 '25 11:12 Mishkun

Thanks for doing this @Mishkun! It's definitely somewhat helpful to add this to /Library/Application Support/opencode/managed-settings.json, as you're doing in a5479a80588baaf9451254fc71fa59929ea58e24, but I want to echo your point above:

> other software is managed by reading userdefaults

End users are going to be able to edit the managed-settings.json file, but can't edit MDM-enforced userdefaults settings, which should always take precedence.

@thdxr, regarding your question, we also use Jamf but every MDM out there (Jamf, Mosyle, Kandji, etc...) supports distributing preference overrides in this way. For reference, here's how VS Code handles this: https://code.visualstudio.com/docs/setup/enterprise#_centrally-manage-vs-code-settings

They allow MDM-controlled preference files to override any other settings. For example, here's how it works on Macs: https://code.visualstudio.com/docs/setup/enterprise#_configuration-profiles-on-macos

That plist file format (for Macs) or group policy (for Windows) itself isn't something super complex for admins; this is very common and is also how other software is configured through MDM settings.

I appreciate your consideration of this! It's definitely very important for us to be able to roll this out more broadly within our company.

mrw avatar Jan 01 '26 15:01 mrw
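An added sketch (not OpenCode's code, and not taken from any commit referenced in this thread) of the precedence proposed in the issue, managed over project over user, together with a file-ownership check that speaks to the concern that a plain managed-settings.json can be edited by the end user. The config keys, the sample values and the rule "root-owned and not group/world-writable" are assumptions for illustration; MDM-enforced preferences as discussed above are a separate mechanism that this does not implement.

```typescript
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
type Config = { [key: string]: Json };
// Subset of Node's fs.Stats that the trust check needs (POSIX only).
interface FileMeta { uid: number; mode: number }
interface ManagedLayer { config: Config; meta: FileMeta }

const isObject = (v: Json | undefined): v is Config =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Deep-merge `over` onto `base`: objects merge per key, arrays and scalars replace.
function merge(base: Config, over: Config): Config {
  const out: Config = { ...base };
  for (const [key, value] of Object.entries(over)) {
    if (key === "__proto__") continue; // never let JSON input touch the prototype
    const prev = out[key];
    out[key] = isObject(prev) && isObject(value) ? merge(prev, value) : value;
  }
  return out;
}

// Assumption: the managed file is authoritative only if root owns it and
// neither group nor others can write to it (mode bits 0o022 are clear).
function isTrustedManagedFile(meta: FileMeta): boolean {
  return meta.uid === 0 && (meta.mode & 0o022) === 0;
}

// Priority from the issue: managed > project > user. Fails closed on an untrusted file.
function resolveConfig(user: Config, project: Config, managed: ManagedLayer | null):
    { config: Config; locked: string[] } {
  const lower = merge(user, project);
  if (managed === null) return { config: lower, locked: [] };
  if (!isTrustedManagedFile(managed.meta)) {
    throw new Error("managed settings file is not root-owned or is group/world-writable");
  }
  return { config: merge(lower, managed.config), locked: Object.keys(managed.config) };
}

// Constructed sample layers (key names are illustrative, not a documented schema).
const sampleUser: Config = { share: "auto", autoupdate: true, theme: "dark" };
const sampleProject: Config = { share: "manual", provider: { allowed: ["local"] } };
const sampleManaged: ManagedLayer = {
  config: { share: "disabled", autoupdate: false, provider: { allowed: ["corp-gateway"] } },
  meta: { uid: 0, mode: 0o100644 },
};
const resolved = resolveConfig(sampleUser, sampleProject, sampleManaged);
console.log(resolved);
```

Replacing arrays instead of concatenating them means an admin's allow-list cannot be widened from a lower layer, and the `locked` list lets a UI report which keys a user cannot change.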

Not sure if this is being considered yet, but I don't see it mentioned anywhere above.

Following other standard practice solutions out there (I like to use Ansible as an example, since it's quite granular), the OPENCODE_CONFIG env var should take priority over flat files.

https://opencode.ai/docs/config/#custom-path

scottrbaxter avatar Jan 06 '26 17:01 scottrbaxter