Granted, I just started playing around with OpenCode (but been using Codex and Claude Code since they were initially available, so not first time with agents), but anyways:

> they need broad file system access to be useful, but that access surface is also the attack surface

Do they? You give them access to one directory typically (my way is to create a temporary docker container that literally only has that directory available, copied into the container on boot, copied back to the host once the agent completed), and I don't think I've needed them to have "broad file system access" at any point, to be useful or otherwise.

So that leads me to think I'm misunderstanding either what you're saying, or what you're doing?

reply
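The workflow the comment describes (a throwaway container that sees only the project directory, copied in before the agent starts and copied back once it finishes), as an added shell example that is not the commenter's own script; it assumes `docker` is on PATH, that the image name is supplied by the caller, and that the agent command is passed as the trailing arguments:

```shell
#!/bin/sh
# Added example, not code from the thread. Runs an agent inside a
# disposable container with no bind mounts: the host directory is copied
# in, the agent works on the copy, and the result is copied back only if
# the agent exits cleanly. The container keeps network access because the
# agent still has to reach its model API; everything else is cut down.
set -eu

# run_agent_sandboxed PROJECT_DIR IMAGE AGENT_CMD [ARGS...]
run_agent_sandboxed() {
    project_dir=$1; image=$2; shift 2
    [ -d "$project_dir" ] || { echo "no such directory: $project_dir" >&2; return 1; }

    # Create (but do not start) the container. No -v/--mount at all, so
    # /work inside the container is the only place the agent can write.
    ctr=$(docker create --workdir /work -i \
        --cap-drop ALL --security-opt no-new-privileges \
        --pids-limit 512 "$image" "$@")

    # Copy the project in; the trailing /. copies contents, not the dir.
    docker cp "$project_dir/." "$ctr:/work"

    # Run attached and keep the exit status without aborting, so the
    # container is always removed below.
    status=0
    docker start -ai "$ctr" || status=$?

    # Copy back only on success: a crashed or killed run must not leave
    # a half-written tree on the host.
    if [ "$status" -eq 0 ]; then
        docker cp "$ctr:/work/." "$project_dir"
    fi
    docker rm -f "$ctr" >/dev/null
    return "$status"
}
```

Review the copied-back tree (for example with `git diff`) before committing it, since the agent's edits land on the host only at that final copy.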
This is the way. If you’re not running your agent harness/framework in a container with explicit bind mounts or copy-on-build then you’re doing it wrong. Whenever I see someone complain about filesystem access and security risk it’s a clear signal of incompetence imo.
reply
Or just run it in your VPS?
reply
Codex has some OS-level sandboxing by default that confines its actions to the current workspace [1].

OpenCode has no sandboxing, as far as I know.

That makes Codex a much better choice for security.

[1] https://developers.openai.com/codex/concepts/sandboxing

reply
Greywall/Greyproxy aims to address this. I haven't tried it yet though.

https://greywall.io/

reply