CR: OpenCode Config Hardening — Verification

Pre-Change Checklist

Status  Check
[ ]     opencode.json loads only 2 of 5 instruction rules
[ ]     doc-auditor.md has no model or permission constraints in frontmatter
[ ]     README.adoc describes Ollama as "Commented placeholder (not installed)"
[ ]     opencode.jsonc has npx set to allow
[ ]     No curl deny patterns exist for data exfiltration prevention

Post-Change Checklist

Status  Check
[ ]     cat opencode.json | jq '.instructions' shows all 5 rules loaded
[ ]     doc-auditor.md frontmatter includes model: anthropic/claude-haiku-4-5
[ ]     doc-auditor.md frontmatter includes permission.edit: deny
[ ]     doc-auditor.md frontmatter includes permission.bash: deny
[ ]     doc-auditor.md frontmatter includes permission.webfetch: deny
[ ]     grep "npx" opencode.jsonc shows ask (not allow)
[ ]     grep -c "curl.*deny" opencode.jsonc returns 5
[ ]     README.adoc Ollama row shows correct active description
[ ]     stow -R -t ~ opencode && ls -la ~/.config/opencode/ confirms symlinks intact
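
A plain grep matches text anywhere in a file, so a commented-out JSONC rule or a setting written in the body of doc-auditor.md would still pass the checks above. The script below is an added example (not part of the original CR) of structure-aware versions of the file checks. It assumes the frontmatter is a leading --- YAML block with a nested permission: map and that opencode.jsonc holds one rule per line; all function names are hypothetical.

```sh
#!/bin/sh
# Added example: structure-aware versions of the post-change file checks.
# Assumed layout: agent frontmatter is a leading '---' YAML block with a nested
# "permission:" map; opencode.jsonc has one permission rule per line.

# Print only the frontmatter, so text in the body of the file cannot satisfy a check.
frontmatter() {
    awk 'NR==1 && $0!="---" {exit} $0=="---" {n++; next} n==1 {print} n>=2 {exit}' "$1"
}

# Succeed if permission.<key> is "deny" inside the frontmatter.
perm_denied() {
    frontmatter "$1" | awk -v k="$2" '
        /^permission:[ \t]*$/ { inblk = 1; next }
        /^[^ \t]/             { inblk = 0 }
        inblk && $1 == (k ":") && $2 == "deny" { found = 1 }
        END { exit !found }'
}

# Succeed if the frontmatter pins the expected model.
model_is() {
    frontmatter "$1" | awk -v m="$2" '$1 == "model:" && $2 == m { found = 1 } END { exit !found }'
}

# JSONC with //-only comment lines dropped, so commented-out rules are not counted.
active_lines() { grep -v '^[[:space:]]*//' "$1"; }

# Number of active curl deny rules (the checklist expects 5).
curl_deny_count() { active_lines "$1" | grep -c 'curl.*deny' || true; }

# Succeed if at least one active npx rule is "ask" and none is "allow".
npx_is_ask() {
    active_lines "$1" | grep 'npx' | grep -q '"ask"' &&
        ! active_lines "$1" | grep 'npx' | grep -q '"allow"'
}

# Run all file checks: verify_all <agent file> <config file> (hypothetical helper).
verify_all() {
    a="$1"; c="$2"
    model_is "$a" anthropic/claude-haiku-4-5 || { echo "FAIL model"; return 1; }
    for k in edit bash webfetch; do
        perm_denied "$a" "$k" || { echo "FAIL permission.$k"; return 1; }
    done
    npx_is_ask "$c" || { echo "FAIL npx"; return 1; }
    [ "$(curl_deny_count "$c")" -eq 5 ] || { echo "FAIL curl deny count"; return 1; }
    echo "OK"
}

if [ "$#" -eq 2 ]; then verify_all "$1" "$2"; fi
```

Run it as sh verify.sh path/to/doc-auditor.md path/to/opencode.jsonc; the jq, README.adoc and stow checks are still done by hand.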