OpenCode CLI scans outside workspace on macOS (triggers internal security alerts)

[zhouxwyeah]

Question

Question

On macOS, opencode-cli appears to scan/index far beyond the intended project/workspace scope, touching many files under ~/Library and other application cache/container directories，Including many internal sensitive files, which triggered alerts. This triggered an internal security alert

Security tools flagged:

• Process: /Applications/OpenCode.app/Contents/MacOS/opencode-cli
• Child processes observed: rg (ripgrep), git
• File access volume: ~18,000+ files (non-repo / non-workspace)

Examples of accessed paths (non-workspace):

• ~/Library/Caches/Google/Chrome/...
• ~/Library/Containers/com.XXX.XXX/...
• ~/.AppData/com.XXXX.XXXX/...
• ~/Library/Application Support/...

Actual behavior

• Scans many unrelated directories under the user home (especially ~/Library/**), including browser/app caches and container data.
• This looks suspicious to endpoint security systems and may violate corporate security policies.

Impact

• Security incident/alert requiring manual confirmation and investigation.
• Potential privacy concern (unrelated personal/app data is being traversed).

Environment

• macOS:
• OpenCode/OpenCode CLI version:
• Install method: /Applications/OpenCode.app
• Workspace path: <e.g. /Users/.../work/...>

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Unexpected Requests for iCloud, Photos Access #14982: Same concern about OpenCode unexpectedly accessing directories outside the workspace on macOS (iCloud, Photos, Downloads)
• perf: ripgrep config file search scans entire home directory including large hidden directories #6741: Directly reports ripgrep scanning the entire home directory including hidden/cache directories, with the same root cause and similar symptoms

If your issue is the same or closely related, please add a comment there instead so discussion stays consolidated. If it is distinct, please clarify what differs.

[zhouxwyeah]

accessing directories are different with #14982

[zhouxwyeah]

Version 1.2.13 (1.2.13)

[FH-SRH]

This is really concerning and the reason I uninstalled OpenCode 1.2.15 immediatly.
I got all kind of requests of it to scan any directory on my mac m1.
It was installed via brew with opencode and opencode-desktop
Just the bare installation, nothing was added. I just let it sit for maybe 30 minutes and it started to try to scan all directories.