opencode-mcp

The server wraps the OpenCode CLI, executing commands via `subprocess.create_subprocess_exec` with user-provided arguments. Key security risks, as identified in the `PLAN.md` and confirmed by code analysis, include: 1) Lack of validation for `allowed_operations` in `settings.py` (it's defined but not enforced). 2) Missing validation for `files` paths, extensions (`allowed_file_extensions`), and sizes (`max_file_size`) when provided to `opencode_run`. 3) Prompts and tool arguments are logged directly (e.g., in `server.py` `call_tool` and `execution.py`), posing a risk of sensitive information leakage. 4) The `execute_generic` tool and others pass user-controlled strings (e.g., `prompt`) directly to the underlying `opencode` CLI, which could potentially be exploited if the CLI itself has injection vulnerabilities, although `subprocess.create_subprocess_exec` is generally safer than `shell=True`. These unaddressed points significantly lower the score for an AI agent wrapper.