Security: tikhomirov/opencode-bootstrap

Security Policy

Supported scope

This repository ships a bootstrap kit and a configuration bundle for OpenCode.

Security-sensitive areas include:

  • shell command execution in bootstrap.sh
  • file replacement and backup logic
  • bundle integrity verification
  • accidental inclusion of secrets in bundle/
  • overly broad default permissions in bundle/opencode.json

Reporting a vulnerability

If you discover a security issue, please do not open a public issue with exploit details.

Report it privately to the maintainer first and include:

  • affected file(s)
  • reproduction steps
  • impact
  • suggested fix, if available

Security model notes

  • This project does not ship provider credentials or auth tokens.
  • Authentication remains a manual post-install step.
  • The default bundle allows broad bash execution because OpenCode is intended to be an active coding agent.
  • Review bundle/opencode.json before using this setup in sensitive environments.

There aren’t any published security advisories