This script makes opencode run in a secure context where it only gets write-access to the project-folder you launch it in.

Install 'bubblewrap' package on your system. This should most probably be available via your package manager.

On ArchLinux:

$ yay opencode

On other distributions you need to check what folders things get installed in and update the opencode script with more read-only bind's.

• Add the script to : ~/.local/my_scripts/

• Add ~/.local/my_scripts/ to PATH

export PATH=~/.local/my_scripts/:${PATH} >>~/.profile

• After logout/login, or "source ~/.profile" you should see:

$ which opencode
<your homefolder>/.local/my_scripts/opencode

Now you are setup to use opencode as you would normally do. Arguments are parsed and forwarded to the actual opencode binary.

$ cd <project folder>
$ opencode --whatever

• If opencode is located anywhere else than /usr/bin/opencode you need to update the hardcoded path
• This has been tested on ArchLinux so required path's on your system be different.

• Replace /usr/bin/opencode in the script with /usr/bin/bash and run it. Allows you to look around within the the container to see what's available.