diff --git a/.config/opencode/AGENTS.md b/.config/opencode/AGENTS.md new file mode 100644 index 0000000..9843d23 --- /dev/null +++ b/.config/opencode/AGENTS.md 
@@ -0,0 +1,54 @@ +# Global Security Rules for OpenCode + +## CRITICAL: Forbidden File Patterns + +**NEVER read, access, or attempt to open the following:** + +### Environment & Secret Files +- `.env` and all variants EXCEPT `.env.example` (`.env.local`, `.env.development`, `.env.production`, `.env.*`) +- `.envrc` (direnv files) +- `.secret` and `.secrets` +- `.api`, `.apis`, `.apikey` + +### Secret Directories (anywhere in the project) +- Any file under `secrets/` directory at ANY level +- Any file under `.secrets/` directory at ANY level +- Any file under `.secret/` directory at ANY level + +### Credential & Key Files +- Files ending in: `.pem`, `.key`, `.p12`, `.pfx` +- `credentials.json`, `credentials.yml`, `credentials.yaml` +- `private_key`, `privatekey`, `id_rsa`, `id_dsa`, `id_ecdsa`, `id_ed25519` +- `*.keystore`, `*.jks` (Java keystores) +- `token`, `tokens`, `.token`, `.tokens` +- `password`, `passwords`, `.password`, `.passwords` + +### Rationale +These locations contain sensitive data: API keys, passwords, tokens, private keys, database credentials, certificates, and configuration secrets that must NEVER be exposed to LLM context or logged. + +### Allowed Exception +- `.env.example` files CAN be read (they contain example/placeholder values, not real secrets) + +### What To Do Instead +- If environment variables are needed, ask the user to provide them explicitly +- Use placeholder values or reference `.env.example` when demonstrating code +- Work without secrets when possible +- When in doubt, ask the user before accessing any file that might contain sensitive data + +## AGENTS.md File Editing Rule + +**When editing the global AGENTS.md file:** + +If the user asks to edit the global AGENTS.md file, then only edit the file located at `~/.config/opencode/AGENTS.md`. Do not search for or attempt to edit other AGENTS.md files that may exist in the workspace or project directories. 
+ +## Context7 Rule + +**Always use Context7 when I need library/API documentation, code generation, setup or configuration steps without me having to explicitly ask.** + +When you need to search docs, use Context7. + +## Question Asking Rule + +**When you need to ask the user multiple questions - DO NOT ask all of them at once, instead ask 1 by 1.** + +Ask questions sequentially, waiting for the user's response to each question before asking the next one. This prevents overwhelming the user and allows them to focus on one decision at a time.
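Review bot: the `.env.*` pattern under "Environment & Secret Files" matches `.env.example`, so the list item contradicts the "Allowed Exception" section three headings later; state the exception on the pattern line itself (for example `.env.*` except `.env.example`) so an agent reading the patterns in isolation does not apply the blanket rule. Also note that everything in this file is advisory: it instructs the model not to read these paths, but nothing here stops the file-reading tool from returning them if the model ignores or misreads the rule, so a reviewer should expect these patterns to be mirrored in whatever tool-permission or deny-list mechanism the host enforces, and the "What To Do Instead" section could say that the user-facing fallback (ask the user, use placeholders) is the only path that avoids putting secret material in context. Minor: the bare names `token`, `tokens`, `password`, `passwords` only match exact filenames, while the nearby keystore entries use `*.` globs; either use the same glob style throughout or say explicitly that exact-name matches are intended, since `tokens.json` or `passwords.txt` would not be covered as written.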