| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| 0.1.x | ❌ |
If you discover a security vulnerability within hiai-opencode, please follow our responsible disclosure process:
- Do NOT open a public GitHub issue for security vulnerabilities
- Send details to the maintainers via private disclosure
- Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigations (optional)
We aim to respond within 48 hours and will work with you on a disclosure timeline.
- Never commit API keys or credentials to the repository
- Use environment variables or secure secret management
- The plugin uses
{env:VARIABLE_NAME}placeholder syntax in config files - Never print, invent, or hardcode secret values
Model provider credentials (OpenAI, Anthropic, OpenRouter, etc.) are handled by OpenCode Connect, not by hiai-opencode directly. The plugin only stores model IDs.
- MCP servers run as local processes with access to your system
- Only enable MCP servers you trust
- Review
src/mcp/registry.tsto understand what each MCP server does - The plugin does not add MCP server packages to OpenCode plugin array (MCP servers are not plugins)
Global skill folders (OpenCode, Claude, Agents) are disabled by default to keep the skill tree deterministic and prevent accidental code execution from untrusted sources.
The plugin uses Zod for configuration validation. Never bypass schema validation when making changes.
Security updates are released as patch versions. Major versions may introduce breaking changes for security reasons.
For questions about security, open a private advisory on the GitHub repository.