Skip to content
LatchGate

OpenCode

Connect OpenCode to LatchGate so every tool call goes through the execution security kernel.

Prerequisites

Section titled “Prerequisites”
  • LatchGate running (latchgate up or production deployment)
  • latchgate-mcp binary on PATH (from GitHub Releases or brew install latchgate-ai/tap/latchgate)
  • OpenCode installed

Automatic setup

Section titled “Automatic setup”
Terminal window
latchgate-mcp install --ide open-code

This writes the MCP server entry to the global OpenCode config at ~/.config/opencode/opencode.json (or $XDG_CONFIG_HOME/opencode/opencode.json). Start a new OpenCode session to pick up the configuration.

Preview first without writing:

Terminal window
latchgate-mcp install --ide open-code --dry-run

Manual setup

Section titled “Manual setup”

Add to your opencode.json (global at ~/.config/opencode/opencode.json or project-local at ./opencode.json):

{
  "mcp": {
    "latchgate": {
      "type": "local",
      "command": "latchgate-mcp",
      "args": ["serve", "--gate-url", "http://localhost:3000"],
      "env": {
        "LATCHGATE_AGENT_ID": "opencode",
        "RUST_LOG": "warn"
      }
    }
  }
}

Adjust the binary path if installed elsewhere. Use which latchgate-mcp to find it.

Project-scoped configuration

Section titled “Project-scoped configuration”

Place opencode.json at the project root. Project config has the highest precedence — it overrides global config. You can commit it to git for team sharing.

Per-agent filtering

Section titled “Per-agent filtering”

OpenCode supports per-agent MCP configuration. If you use multiple agents (e.g. a coding agent and a review agent), you can restrict LatchGate tools to specific agents:

{
  "mcp": {
    "latchgate": {
      "type": "local",
      "command": "latchgate-mcp",
      "args": ["serve", "--gate-url", "http://localhost:3000"],
      "env": {
        "LATCHGATE_AGENT_ID": "opencode",
        "RUST_LOG": "warn"
      },
      "enabled": true
    }
  }
}

End-to-end verification

Section titled “End-to-end verification”
  1. Start LatchGate: latchgate up --expose-http 127.0.0.1:3000
  2. Install config: latchgate-mcp install --ide open-code
  3. Start a new OpenCode session (opencode).
  4. Ask the agent to perform an HTTP request.
  5. Verify the audit trail: latchgate audit --limit 5
  6. Confirm the full pipeline: lease ⇒ policy ⇒ WASM sandbox ⇒ receipt.

Context budget

Section titled “Context budget”

OpenCode MCP tools share the agent’s context window. LatchGate actions add tool definitions to the context, which counts against the token limit. If you have many registered actions and hit context limits, use Presets to restrict the active action set, or filter actions with latchgate-mcp serve flags.

Production (UDS transport)

Section titled “Production (UDS transport)”

Replace --gate-url with UDS + public base URL for production:

{
  "mcp": {
    "latchgate": {
      "type": "local",
      "command": "latchgate-mcp",
      "args": ["serve", "--public-base-url", "http://localhost:3000"],
      "env": {
        "LATCHGATE_AGENT_ID": "opencode",
        "RUST_LOG": "warn"
      }
    }
  }
}

This connects via /run/latchgate/gate.sock (default) — no TCP exposure.

For production hardening with UDS transport, see Deployment.