CR: OpenCode Config Hardening — Risk & Communications

Risk Assessment

| Risk | Mitigation |
| --- | --- |
| Rule loading changes behavior | Rules were already loaded globally via opencode.jsonc — this only syncs the project-scoped manifest |
| npx ask interrupts workflows | npx is rarely used in normal sessions — the ask prompt is minimal friction |
| curl deny patterns too broad | Patterns only match data-sending flags — GET/HEAD/OPTIONS requests are unaffected |
| doc-auditor constraints break functionality | Agent’s documented purpose is read-only auditing — constraints enforce its design intent |