
Add Protected Mode for macOS

Open will-marella opened this issue 1 week ago • 0 comments

Addresses Issue #5076

Problem

AI agents in OpenCode have full filesystem access, creating security risks for credentials and sensitive files. Recent vulnerabilities (including the Antigravity credential leak) demonstrate that prompt-level protections are insufficient to prevent AI from accessing and leaking credentials.

Solution

Protected Mode uses Unix file permissions to enforce file restrictions at the kernel level. Commands run as a restricted user (opencode-agent) that cannot read protected files. Even if prompt injection succeeds, the OS blocks unauthorized access before data is read.

Demo

[Demo image: OpenCodeProtectDemo]

Commands

  • opencode protect setup: Creates the opencode-agent user, initializes ~/.opencode/security.json, configures sudo rules
  • opencode protect lock: Applies protections to files specified in security.json
  • opencode protect status: Shows currently protected files and security configuration state

How It Works

File Protection via Unix Permissions

Users specify sensitive files in .opencode/security.json. The setup modifies file permissions (chmod 600) to make files owner-only readable, preventing the opencode-agent user from accessing them. These restrictions are enforced at the kernel level—even successful prompt injection cannot bypass OS security.

Command Whitelisting

Development commands may be permitted via a sudo wrapper with explicit allow-lists. This is particularly important for commands like git which enforce particular permissions. Users can configure which commands the agent can run without additional restrictions, balancing security with workflow convenience.
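Added example, not code from this PR or from opencode: the lock and status steps described above, modelled in TypeScript on top of plain Unix mode bits. The security.json schema ({"protected": [...]}), the function names and the temp-file demo are assumptions.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Assumed shape of security.json (the PR does not show its schema);
// entries are resolved relative to the directory holding the file.
interface SecurityConfig { protected: string[]; }
type State = "protected" | "exposed" | "missing";

function entries(configPath: string): Array<[string, string]> {
  const cfg = JSON.parse(fs.readFileSync(configPath, "utf8")) as SecurityConfig;
  return cfg.protected.map((e): [string, string] => [e, path.resolve(path.dirname(configPath), e)]);
}

// "lock": chmod 600 every listed file so only its owner can read it.
function lock(configPath: string): string[] {
  const locked: string[] = [];
  for (const [entry, abs] of entries(configPath)) {
    if (!fs.existsSync(abs)) continue; // surfaced by status() instead
    fs.chmodSync(abs, 0o600);
    locked.push(entry);
  }
  return locked;
}

// "status": a file counts as protected only if no group/other bit is set,
// i.e. no other uid (such as the opencode-agent user) can read it.
function status(configPath: string): Record<string, State> {
  const report: Record<string, State> = {};
  for (const [entry, abs] of entries(configPath)) {
    if (!fs.existsSync(abs)) { report[entry] = "missing"; continue; }
    const mode = fs.statSync(abs).mode & 0o777;
    report[entry] = (mode & 0o077) === 0 ? "protected" : "exposed";
  }
  return report;
}

// Demo on constructed temp files: .env (world-readable) and a listed file that is absent.
function demo(): { before: Record<string, State>; after: Record<string, State> } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "protect-"));
  const cfgPath = path.join(dir, "security.json");
  fs.writeFileSync(path.join(dir, ".env"), "API_KEY=constructed-placeholder\n");
  fs.chmodSync(path.join(dir, ".env"), 0o644);
  fs.writeFileSync(cfgPath, JSON.stringify({ protected: [".env", "missing.pem"] }));
  const before = status(cfgPath);
  lock(cfgPath);
  const after = status(cfgPath);
  fs.rmSync(dir, { recursive: true, force: true });
  return { before, after };
}
```

chmod 600 only keeps the agent out when commands actually run under a different uid than the file owner, which is why the PR pairs it with the opencode-agent user; the setup step and the sudo wrapper are not modelled here.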

Potential Roadmap

File protection is only one step toward making OpenCode the most secure AI coding agent. Clear next steps include:

  • Linux support
  • Network isolation
  • Full sandboxing (sandbox-exec for macOS, bubblewrap for Linux)

Implementation

  • ~1,000 lines within the src/util/security module
  • ~70 lines of integration

Duplication Note: The protected executor duplicates ~100 LOC from bash.ts (process management, timeout handling, result formatting). Kept separate in this PR to maintain focus on the security feature. Happy to propose a refactor extracting shared utilities if desired.

will-marella · Dec 20 '25 22:12