OpenCode configurations use environment variable references for external API key management. Configuration files use placeholder variables instead of actual secrets for safe version control and sharing.

This repository contains OpenCode configuration templates with environment variable placeholders. Configuration files reference variables rather than storing actual secrets.

Create a .env file from the template or set variables directly:

# Copy template (recommended)
cp .env.example .env

# Edit with your actual values
# Required for external providers
export OLLAMA_VAST_BASE_URL="https://your-instance.com/v1"
export OLLAMA_VAST_API_KEY="your-api-key-here"

# Optional for local development
export OLLAMA_LOCAL_BASE_URL="http://localhost:11434/v1"

No environment variables required for current configuration. Config uses GitHub Copilot models via OpenCode's built-in authentication.

If using custom providers, check config.json for ${VARIABLE_NAME} patterns.

• Configuration templates: Use ${VARIABLE} placeholders in JSON files
• Environment variables: Store secrets outside version control
• Template sharing: Commit .env.example with placeholder values
• Documentation: Reference security practices in AGENTS.md and OpenCode-Tool-System-Documentation.md

• Never commit actual API keys or passwords
• Never replace environment variables with literal values in config files
• Never add .env files to version control
• Always validate environment variable patterns before committing

• Use secure password managers for key storage
• Rotate keys regularly (monthly/quarterly)
• Use environment-specific keys (dev/staging/prod)
• Monitor usage for unusual activity
• Revoke unused or compromised keys immediately

• Prefer HTTPS endpoints for external services
• Use localhost/127.0.0.1 for local development defaults
• Validate all external URLs before use
• Document required permissions in AGENTS.md and OpenCode-Tool-System-Documentation.md

# No environment variables needed
# Uses gh CLI authentication: gh auth login

# If adding custom Ollama or other providers
export CUSTOM_BASE_URL="https://your-instance.com/v1"
export CUSTOM_API_KEY="your-api-key"

If you encounter errors about missing variables:

1. Check variable names - They are case-sensitive
2. Verify values are set - Use echo $VARIABLE_NAME to test
3. Restart applications after setting new variables
4. Check .env loading if using environment files

1. Validate JSON syntax in config.json
2. Check file permissions for configuration files
3. Verify variable expansion using envsubst < [config.json](config.json)

Immediate actions:

1. Rotate all exposed credentials immediately
2. Revoke API keys at the provider level
3. Update environment variables with new values
4. Monitor for unauthorized usage

Git history cleanup:

# Remove secrets from Git history (DESTRUCTIVE)
git filter-branch --env-filter 'unset API_KEY' HEAD
git push --force-with-lease

Warning: Force pushing rewrites history - coordinate with your team.

• Use pre-commit hooks to scan for secrets
• Regular security audits of configuration files
• Follow practices documented in AGENTS.md and OpenCode-Tool-System-Documentation.md
• Reference OpenCode security guidelines at opencode.ai

• AGENTS.md - Agent security, permission requirements, and advanced techniques
• OpenCode-Tool-System-Documentation.md - Tool system architecture and security considerations
• README.md - Configuration overview and file structure
• config.json - OpenCode configuration with environment variable placeholders

For advanced security techniques and OpenCode-specific considerations, see AGENTS.md.