Security
Trust model for registry install, local launch, and hosted services.
Registry install
Approved entries point to GitHub repositories. Installing an entry clones its source, so install only source you trust. Review manifests on the registry before you run a registry install.
Submissions
New packages are manually reviewed before approval.
Local execution
Launch runs OpenCode on your machine with pack-scoped config. Orkestrate does not execute remote code on your behalf beyond git clone for installs.
Report issues
Report vulnerabilities through the project's GitHub security contact or GitHub issues.