# Global Security Rules for OpenCode

## CRITICAL: Forbidden File Patterns

**NEVER read, access, or attempt to open the following:**

### Environment & Secret Files

- `.env` and all variants EXCEPT `.env.example` (`.env.local`, `.env.development`, `.env.production`, `.env.*`)
- `.envrc` (direnv files)
- `.secret` and `.secrets`
- `.api`, `.apis`, `.apikey`

### Secret Directories (anywhere in the project)

- Any file under a `secrets/` directory at ANY level
- Any file under a `.secrets/` directory at ANY level
- Any file under a `.secret/` directory at ANY level

### Credential & Key Files

- Files ending in `.pem`, `.key`, `.p12`, `.pfx`
- `credentials.json`, `credentials.yml`, `credentials.yaml`
- `private_key`, `privatekey`, `id_rsa`, `id_dsa`, `id_ecdsa`, `id_ed25519`
- `*.keystore`, `*.jks` (Java keystores)
- `token`, `tokens`, `.token`, `.tokens`
- `password`, `passwords`, `.password`, `.passwords`

### Rationale

These locations contain sensitive data: API keys, passwords, tokens, private keys, database credentials, certificates, and configuration secrets that must NEVER be exposed to LLM context or logged. Once a file's contents are read they become part of the conversation and of any session history, so the only safe option is to not read it at all.

### Allowed Exception

- `.env.example` files CAN be read (they contain example/placeholder values, not real secrets). Check for this exact name before applying the `.env.*` pattern, which would otherwise match it.

### What To Do Instead

- If environment variables are needed, ask the user to provide them explicitly
- Use placeholder values or reference `.env.example` when demonstrating code
- Work without secrets when possible
- When in doubt, ask the user before accessing any file that might contain sensitive data

## AGENTS.md File Editing Rule

**When editing the global AGENTS.md file:**

If the user asks to edit the global AGENTS.md file, only edit the file located at `~/.config/opencode/AGENTS.md`. Do not search for or attempt to edit other AGENTS.md files that may exist in the workspace or project directories.
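The forbidden-file patterns above are natural-language instructions to the model; OpenCode does not evaluate them as a machine rule set, and this file does not define any enforcement. The following is an added example, not OpenCode's code, showing how the same deny-list behaves when it is checked mechanically before a read, including the one ordering subtlety: the `.env.*` glob matches `.env.example`, so the allowed exception must be tested first. The sample path listing is constructed, and lower-casing names before matching is a deliberately conservative choice of this example, not something the rules state.

```python
"""Classify paths against the forbidden-file patterns in this rules file.

Added example, not part of OpenCode and not how OpenCode enforces these
rules. It evaluates the deny-list above as a pre-read check and makes the
ordering explicit: the `.env.example` exception is tested before the
`.env.*` glob that would otherwise match it.
"""
from fnmatch import fnmatchcase
from pathlib import PurePosixPath

# Exact basenames the rules explicitly allow. Checked first.
ALLOWED_BASENAMES = frozenset({".env.example"})

# Basename patterns (glob syntax) from "Environment & Secret Files" and
# "Credential & Key Files". Names without wildcards match exactly.
DENIED_BASENAME_PATTERNS = (
    ".env", ".env.*", ".envrc",
    ".secret", ".secrets",
    ".api", ".apis", ".apikey",
    "*.pem", "*.key", "*.p12", "*.pfx",
    "credentials.json", "credentials.yml", "credentials.yaml",
    "private_key", "privatekey",
    "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
    "*.keystore", "*.jks",
    "token", "tokens", ".token", ".tokens",
    "password", "passwords", ".password", ".passwords",
)

# Directory names from "Secret Directories": any ancestor with one of these
# names puts every file beneath it off-limits, at any depth.
DENIED_DIRECTORY_NAMES = frozenset({"secrets", ".secrets", ".secret"})


def is_forbidden(path: str) -> bool:
    """True if the rules above say the agent must not read `path`.

    Matching is done on lower-cased path components so that `.ENV` or
    `Credentials.JSON` on a case-insensitive filesystem is still caught.
    That is a conservative choice made in this example; the rules list
    only lowercase names and say nothing about case.
    """
    parts = [part.lower() for part in PurePosixPath(path).parts]
    name = parts[-1] if parts else ""
    if name in ALLOWED_BASENAMES:
        return False  # the explicit exception wins over the `.env.*` glob
    if any(part in DENIED_DIRECTORY_NAMES for part in parts[:-1]):
        return True   # e.g. infra/secrets/db.txt, however deep
    return any(fnmatchcase(name, pattern) for pattern in DENIED_BASENAME_PATTERNS)


def partition(paths):
    """Split an iterable of paths into (readable, forbidden) lists,
    preserving input order within each list."""
    readable, forbidden = [], []
    for path in paths:
        (forbidden if is_forbidden(path) else readable).append(path)
    return readable, forbidden


# Constructed sample listing, not a real project.
SAMPLE_PATHS = [
    "README.md",
    "src/main.py",
    ".env",
    ".env.example",
    "deploy/.env.production",
    "infra/secrets/db.txt",
    "certs/server.pem",
    "app/tokenizer.py",
]

if __name__ == "__main__":
    readable, forbidden = partition(SAMPLE_PATHS)
    print("readable:", readable)
    print("forbidden:", forbidden)
```

Two caveats apply to any check of this shape. It sees only the path string, so a symlink named `notes.txt` that points at `.env` passes; a real guard should resolve the path (`os.path.realpath`) before classifying it. And it only helps if it sits in front of every way the agent can read bytes, including shell commands such as `cat` or `grep`, not just a dedicated file-read tool.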
## Context7 Rule

**Always use Context7 when I need library/API documentation, code generation, setup or configuration steps without me having to explicitly ask.**

When you need to search docs, use Context7.

## Question Asking Rule

**When you need to ask the user multiple questions, DO NOT ask all of them at once; instead, ask them one by one.**

Ask questions sequentially, waiting for the user's response to each question before asking the next one. This prevents overwhelming the user and allows them to focus on one decision at a time.