
Config variables in `opencode.json` overwritten with actual values on start up

Open spenceforce opened this issue 3 days ago • 5 comments

Description

I set API keys following guidance on variables in config files here. When I start opencode, the variables are overwritten with the actual value in opencode.json.

This defeats the purpose of using variables to keep secrets outside of opencode.json and makes it impossible to commit opencode.json as it can expose secrets.

Plugins

No response

OpenCode version

1.1.25

Steps to reproduce

  1. Use the env variable in opencode.json for a provider API key.
  2. Start opencode.
  3. Reload opencode.json to see if the variable was replaced with the actual value.

Screenshot and/or share link

No response

Operating System

Ubuntu 25.10

Terminal

Ubuntu terminal

spenceforce avatar Jan 17 '26 14:01 spenceforce

This issue might be a duplicate of or related to existing issues. Please check:

  • #231: add ability to load secrets from external command or environment variables in the config file
  • #5299: {env:...} variable substitution inconsistently fails for specific MCP server URLs
  • #5054: {env:MY_VAR} support in agent yaml
  • #5423: Store provider credentials in environment variables
  • #4961: Feature Request: Zero-Trust Architecture for Environment Variable Security

These issues all relate to how environment variables and secrets are handled in configuration files. If your case is specific to the overwriting behavior you described, it may be a distinct bug worth investigating separately.

Feel free to ignore if none of these address your specific case.

github-actions[bot] avatar Jan 17 '26 14:01 github-actions[bot]

I couldn't reproduce this. Where is your opencode.json file? Also, what is the output of opencode debug config? Does your api key appear there?

cravenceiling avatar Jan 17 '26 15:01 cravenceiling

This happens in .config/opencode/opencode.json and my project specific opencode.json. I put the {env:API_KEY} back and when I opened opencode it didn't change it. But when I removed "$schema": "https://opencode.ai/config.json" from opencode.json and restarted opencode, it replaced the variable again. I assume it reads the config, then rewrites it if "$schema": "https://opencode.ai/config.json" is missing and writes the values for each field instead of the original string.

spenceforce avatar Jan 17 '26 19:01 spenceforce

Yes, that is the case if that schema field is missing.

rekram1-node avatar Jan 17 '26 19:01 rekram1-node

OK, that's a security issue. Opencode should never write secrets to its config files. I find it odd that it rewrites my config at all instead of using a default value for "$schema", considering it uses default values for everything else.

spenceforce avatar Jan 17 '26 23:01 spenceforce

fixed: https://github.com/anomalyco/opencode/commit/052f887a9a7aaf79d9f1a560f9b686d59faa8348

rekram1-node avatar Jan 18 '26 03:01 rekram1-node

Awesome, thank you!

spenceforce avatar Jan 18 '26 14:01 spenceforce
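
The write-back behaviour confirmed in this thread, next to a variant that never serializes resolved values, as an added example that is not opencode's code or the linked fix. Function names, the provider field layout in the sample and the key value are assumptions constructed for illustration.

```javascript
// Added illustration; all function names here are hypothetical, not opencode's API.
const SCHEMA_URL = "https://opencode.ai/config.json";
const ENV_REF = /\{env:([^}]+)\}/g;

// Expand {env:NAME} placeholders in every string value (in-memory view only).
function resolve(value, env) {
  if (typeof value === "string") return value.replace(ENV_REF, (_, n) => env[n] ?? "");
  if (Array.isArray(value)) return value.map((v) => resolve(v, env));
  if (value && typeof value === "object")
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, resolve(v, env)]));
  return value;
}

// Pattern described in the thread: the already-resolved object is what gets
// serialized when "$schema" has to be added, so the secret would land on disk.
function loadUnsafe(rawText, env) {
  const config = resolve(JSON.parse(rawText), env);
  let toWrite = null;
  if (!config.$schema) {
    config.$schema = SCHEMA_URL;
    toWrite = JSON.stringify(config, null, 2);
  }
  return { config, toWrite };
}

// Safer pattern: only the raw document (placeholders intact) is ever serialized;
// the resolved copy is returned for runtime use and never written.
function loadSafe(rawText, env) {
  const raw = JSON.parse(rawText);
  let toWrite = null;
  if (!raw.$schema) {
    raw.$schema = SCHEMA_URL;
    toWrite = JSON.stringify(raw, null, 2);
  }
  return { config: resolve(raw, env), toWrite };
}

// Guard for a test suite or pre-commit hook: names of referenced variables
// whose actual values appear in the text that is about to be written.
function leakedSecrets(rawText, textToWrite, env) {
  const names = [...rawText.matchAll(ENV_REF)].map((m) => m[1]);
  return names.filter((n) => env[n] && textToWrite.includes(env[n]));
}

// Constructed sample input: no "$schema" field, one placeholder, a fake key.
const SAMPLE = '{"provider":{"example":{"options":{"apiKey":"{env:API_KEY}"}}}}';
const ENV = { API_KEY: "sk-constructed-not-a-real-key" };
```

Running `leakedSecrets` over the `toWrite` output of each loader shows the difference: the first reports `API_KEY`, the second reports nothing and keeps `{env:API_KEY}` in the file text.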