Goal: use OpenCode securely, compliantly and scalably in an enterprise environment

Enterprise security architecture
SSO integration
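An added example, not code from the page or from the OpenCode project, showing how the two authentication configurations in this section can be loaded safely. It mirrors their structure in a constructed dictionary; the function names, the rule that secret-bearing keys must be `${VAR}` references, and the findings format are assumptions of this example. A missing environment variable fails the load instead of producing an empty credential, and endpoints that would carry tokens or the LDAP bind password in the clear are reported.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the OAuth and LDAP blocks documented in this section.
# Secrets appear only as ${VAR} references; the real values live in the environment.
SAMPLE_CONFIG = {
    "auth": {
        "provider": "oauth",
        "oauth": {
            "clientId": "opencode-client",
            "clientSecret": "${OAUTH_CLIENT_SECRET}",
            "authorizeUrl": "https://sso.company.com/oauth/authorize",
            "tokenUrl": "https://sso.company.com/oauth/token",
            "userInfoUrl": "https://sso.company.com/oauth/userinfo",
            "scopes": ["openid", "profile", "email"],
        },
        "ldap": {
            "url": "ldap://ldap.company.com:389",
            "bindDN": "cn=admin,dc=company,dc=com",
            "bindPassword": "${LDAP_PASSWORD}",
        },
    }
}

PLACEHOLDER = re.compile(r"^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$")
SECRET_KEYS = ("clientSecret", "bindPassword")  # assumed set of secret-bearing keys
OAUTH_URL_KEYS = ("authorizeUrl", "tokenUrl", "userInfoUrl")


def resolve_secret(value: str, env: Dict[str, str]) -> str:
    """Expand one ${VAR} reference from env. A literal value is rejected so a real
    secret can never be committed inside opencode.json, and an unset variable
    raises instead of silently turning into an empty credential."""
    match = PLACEHOLDER.match(value)
    if not match:
        raise ValueError("secret must be a ${VAR} reference, not a literal value")
    name = match.group(1)
    if not env.get(name):
        raise ValueError(f"environment variable {name} is not set")
    return env[name]


def transport_findings(auth: dict) -> List[str]:
    """Report endpoints whose transport would expose tokens or the LDAP bind password."""
    findings = []
    oauth = auth.get("oauth", {})
    for key in OAUTH_URL_KEYS:
        url = oauth.get(key, "")
        if url and not url.startswith("https://"):
            findings.append(f"oauth.{key} is not https")
    ldap_url = auth.get("ldap", {}).get("url", "")
    if ldap_url.startswith("ldap://"):
        findings.append(
            "ldap.url uses ldap:// (plaintext unless StartTLS is negotiated); "
            "prefer ldaps:// so the bind password is never sent in the clear"
        )
    return findings


def load_auth(config: dict, env: Dict[str, str]) -> dict:
    """Resolve secrets for both providers, collecting errors and transport findings.
    Callers should refuse to start while 'errors' is non-empty."""
    auth = config["auth"]
    result = {
        "provider": auth["provider"],
        "errors": [],
        "findings": transport_findings(auth),
    }
    for section in ("oauth", "ldap"):
        block = dict(auth.get(section, {}))
        for key in SECRET_KEYS:
            if key not in block:
                continue
            try:
                block[key] = resolve_secret(block[key], env)
            except ValueError as exc:
                block[key] = None
                result["errors"].append(f"{section}.{key}: {exc}")
        result[section] = block
    return result


if __name__ == "__main__":
    import os

    report = load_auth(SAMPLE_CONFIG, dict(os.environ))
    print("errors:", report["errors"])
    print("findings:", report["findings"])
```

Run against the real environment, a non-empty `errors` list means the service should not start; `findings` is advisory and is where a plaintext `ldap://` URL such as the one in the LDAP block below would surface.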
OAuth 2.0 configuration
```json
// opencode.json
{
  "auth": {
    "provider": "oauth",
    "oauth": {
      "clientId": "opencode-client",
      "clientSecret": "${OAUTH_CLIENT_SECRET}",
      "authorizeUrl": "https://sso.company.com/oauth/authorize",
      "tokenUrl": "https://sso.company.com/oauth/token",
      "userInfoUrl": "https://sso.company.com/oauth/userinfo",
      "scopes": ["openid", "profile", "email"]
    }
  }
}
```

LDAP configuration
```json
{
  "auth": {
    "provider": "ldap",
    "ldap": {
      "url": "ldap://ldap.company.com:389",
      "bindDN": "cn=admin,dc=company,dc=com",
      "bindPassword": "${LDAP_PASSWORD}",
      "userBase": "ou=users,dc=company,dc=com",
      "groupBase": "ou=groups,dc=company,dc=com"
    }
  }
}
```

RBAC permission model
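The roles and groups in the permission configuration below can be resolved into concrete decisions with an evaluator like the one that follows. This is an added example, not OpenCode's own code. It assumes that when a user holds several roles the most restrictive permission wins (deny over ask over allow), that a tool listed under `tools` without an explicit `permissions` entry is allowed, that an explicit `permissions` entry counts even if the tool is absent from that role's `tools`, and that `models` entries are shell-style globs. The `RBAC` dictionary is a constructed copy of the configuration in this section.

```python
from fnmatch import fnmatch
from typing import Dict, List, Set

# Constructed copy of the roles and groups from the permission configuration in this section.
RBAC = {
    "roles": {
        "developer": {
            "tools": ["read", "edit", "bash"],
            "models": ["anthropic/*", "openai/*"],
            "mcp": ["fs", "github"],
            "permissions": {"bash": "ask", "edit": "allow"},
        },
        "reviewer": {
            "tools": ["read"],
            "models": ["anthropic/claude-sonnet-4-5"],
            "mcp": [],
            "permissions": {"edit": "deny", "bash": "deny"},
        },
    },
    "groups": {
        "frontend-team": ["developer"],
        "security-team": ["reviewer", "developer"],
    },
}

# Assumption: with several roles the most restrictive decision wins, so a "deny"
# in one role cannot be overridden by an "allow" in another.
RANK = {"deny": 0, "ask": 1, "allow": 2}


def roles_for(rbac: dict, groups: List[str]) -> Set[str]:
    """Flatten a user's group memberships into the set of roles they hold."""
    return {role for group in groups for role in rbac["groups"].get(group, [])}


def tool_decision(rbac: dict, groups: List[str], tool: str) -> str:
    """Return allow, ask or deny for one tool. An explicit permissions entry counts
    even when the tool is absent from the role's tools list; a listed tool without
    an entry is allowed; a tool no role mentions at all is denied."""
    decision = None
    for role in roles_for(rbac, groups):
        spec = rbac["roles"][role]
        if tool in spec["permissions"]:
            verdict = spec["permissions"][tool]
        elif tool in spec["tools"]:
            verdict = "allow"
        else:
            continue
        if decision is None or RANK[verdict] < RANK[decision]:
            decision = verdict
    return decision or "deny"


def model_allowed(rbac: dict, groups: List[str], model: str) -> bool:
    """Model names match each role's patterns as shell-style globs (e.g. anthropic/*)."""
    return any(
        fnmatch(model, pattern)
        for role in roles_for(rbac, groups)
        for pattern in rbac["roles"][role]["models"]
    )


def mcp_servers(rbac: dict, groups: List[str]) -> Set[str]:
    """MCP servers are additive across roles; nothing is reachable unless a role lists it."""
    return {server for role in roles_for(rbac, groups) for server in rbac["roles"][role]["mcp"]}


def effective_policy(rbac: dict, groups: List[str], tools=("read", "edit", "bash")) -> Dict[str, str]:
    """Summarise the tool decisions for a user, e.g. for display at session start."""
    return {tool: tool_decision(rbac, groups, tool) for tool in tools}


if __name__ == "__main__":
    for group in RBAC["groups"]:
        print(group, effective_policy(RBAC, [group]), sorted(mcp_servers(RBAC, [group])))
```

With deny-wins merging, a member of `security-team` ends up with `edit` and `bash` denied even though the `developer` role would grant them; if the intended semantics for that group is the union of grants, the `RANK` comparison is the one line to change, and that choice should be made deliberately and documented.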
Permission configuration
```json
{
  "rbac": {
    "roles": {
      "developer": {
        "tools": ["read", "edit", "bash"],
        "models": ["anthropic/*", "openai/*"],
        "mcp": ["fs", "github"],
        "permissions": {
          "bash": "ask",
          "edit": "allow"
        }
      },
      "reviewer": {
        "tools": ["read"],
        "models": ["anthropic/claude-sonnet-4-5"],
        "mcp": [],
        "permissions": {
          "edit": "deny",
          "bash": "deny"
        }
      }
    },
    "groups": {
      "frontend-team": ["developer"],
      "security-team": ["reviewer", "developer"]
    }
  }
}
```

Audit configuration
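An added example, not from the page or the OpenCode project, of the consuming side of the audit settings below: it parses events in the shape documented under "Audit log format", applies the `include`/`exclude` categories and the `retention` period, and runs two of the rules from the alert table later on the page (an edit in production, and a user appearing from a new IP). The mapping from an event's singular `action` to the plural category names in `include`, the path prefixes that count as production, and the sample events (users, sessions, addresses) are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed copy of the filtering and retention settings from this section.
AUDIT = {
    "include": ["tool_calls", "file_edits", "commands", "model_changes", "auth_events"],
    "exclude": ["health_checks"],
    "retention": "90d",
}

# Assumption: an event's singular "action" maps onto the plural category names
# used by "include"/"exclude".
ACTION_CATEGORY = {
    "tool_call": "tool_calls",
    "file_edit": "file_edits",
    "command": "commands",
    "model_change": "model_changes",
    "auth_event": "auth_events",
    "health_check": "health_checks",
}

# Assumption: edits under these prefixes count as "production environment edits".
PRODUCTION_PREFIXES = ("infra/prod/", "deploy/prod/")

# Constructed NDJSON events in the documented audit log format (users, sessions
# and addresses are made up; one record is old enough to fall outside retention).
SAMPLE_LOG = """\
{"timestamp": "2026-03-01T09:00:00Z", "user": "ops@company.com", "action": "auth_event", "details": {"result": "login"}, "session": "sess_old001", "ip": "10.0.1.9"}
{"timestamp": "2026-06-18T10:30:00Z", "user": "dev@company.com", "action": "tool_call", "tool": "edit", "details": {"file": "src/auth.ts", "lines_added": 45, "lines_removed": 12}, "session": "sess_abc123", "ip": "10.0.1.50", "model": "anthropic/claude-sonnet-4-5"}
{"timestamp": "2026-06-18T10:31:00Z", "user": "dev@company.com", "action": "health_check", "details": {}, "session": "sess_abc123", "ip": "10.0.1.50"}
{"timestamp": "2026-06-18T11:02:00Z", "user": "dev@company.com", "action": "tool_call", "tool": "edit", "details": {"file": "infra/prod/ingress.yaml", "lines_added": 3, "lines_removed": 1}, "session": "sess_def456", "ip": "203.0.113.7", "model": "anthropic/claude-sonnet-4-5"}
"""


def parse_timestamp(value: str) -> datetime:
    """The documented timestamps are ISO 8601 with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_retention(value: str) -> timedelta:
    """Accept the '90d' style used in the configuration (days or hours)."""
    match = re.fullmatch(r"(\d+)([dh])", value)
    if not match:
        raise ValueError(f"unsupported retention value: {value}")
    amount, unit = int(match.group(1)), match.group(2)
    return timedelta(days=amount) if unit == "d" else timedelta(hours=amount)


def parse_events(ndjson: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    events = []
    for line in ndjson.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = parse_timestamp(event["timestamp"])
            events.append(event)
    return events


def should_forward(audit: dict, event: dict) -> bool:
    """Forward only included categories; an excluded category wins over include."""
    category = ACTION_CATEGORY.get(event["action"], event["action"])
    return category in audit["include"] and category not in audit["exclude"]


def expired(audit: dict, events: List[dict], now_iso: str) -> List[dict]:
    """Events older than the retention window, due for deletion at 'now'."""
    cutoff = parse_timestamp(now_iso) - parse_retention(audit["retention"])
    return [event for event in events if event["ts"] < cutoff]


def detect(events: List[dict]) -> List[Tuple[str, dict]]:
    """Two rules from the alert table: an edit in production, and a user appearing
    from an IP not seen for them before (their first event sets the baseline).
    Events are processed in timestamp order regardless of input order."""
    known_ips: Dict[str, Set[str]] = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        ips = known_ips.setdefault(event["user"], set())
        if event["ip"] not in ips:
            if ips:
                alerts.append(("new_ip", event))
            ips.add(event["ip"])
        path = event.get("details", {}).get("file", "")
        if event.get("tool") == "edit" and path.startswith(PRODUCTION_PREFIXES):
            alerts.append(("production_edit", event))
    return alerts
```

The IP baseline here is per process and starts empty, so in production it would be seeded from stored history before the detector sees new events; otherwise every user's first event after a restart would silently become their baseline.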
Audit log
```json
{
  "audit": {
    "enabled": true,
    "level": "detailed",
    "destination": {
      "type": "webhook",
      "url": "https://logs.company.com/opencode",
      "headers": {
        "Authorization": "Bearer ${LOG_TOKEN}"
      }
    },
    "include": [
      "tool_calls",
      "file_edits",
      "commands",
      "model_changes",
      "auth_events"
    ],
    "exclude": [
      "health_checks"
    ],
    "retention": "90d"
  }
}
```

Audit log format
```json
{
  "timestamp": "2026-06-18T10:30:00Z",
  "user": "[email protected]",
  "action": "tool_call",
  "tool": "edit",
  "details": {
    "file": "src/auth.ts",
    "lines_added": 45,
    "lines_removed": 12
  },
  "session": "sess_abc123",
  "ip": "10.0.1.50",
  "model": "anthropic/claude-sonnet-4-5"
}
```

Team workflow
Shared configuration

Team skills repository
```
company-opencode/
├── README.md
├── skills/
│   ├── code-review/
│   │   └── SKILL.md
│   ├── security-check/
│   │   └── SKILL.md
│   └── onboarding/
│       └── SKILL.md
├── themes/
│   └── company-dark/
│       └── theme.json
└── rules/
    ├── typescript.md
    ├── python.md
    └── security.md
```

Monitoring and alerting
Usage monitoring
```json
{
  "quotas": {
    "per_user_daily": {
      "tokens": 100000,
      "cost_usd": 5.0,
      "requests": 500
    },
    "per_project_monthly": {
      "tokens": 10000000,
      "cost_usd": 500.0
    }
  },
  "alerts": {
    "token_threshold": 0.8,
    "cost_threshold": 0.9,
    "channels": ["email", "slack", "webhook"]
  }
}
```

Alert rules
| Rule | Threshold | Notification |
|---|---|---|
| Daily token consumption | > 80% of quota | Email + Slack |
| Abnormal login | New IP/device | Email + administrator |
| Sensitive operation | Production environment edit | Real-time notification |
| Error rate | > 5% | PagerDuty |
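An added example, not from the page or the OpenCode project, that applies the quota and alert settings above to per-request usage records: daily totals per user are compared with `per_user_daily`, the `token_threshold` and `cost_threshold` ratios raise warnings, an exhausted quota blocks further requests, and the error-rate rule from the table pages on-call. The record format, the `warn`/`block`/`page` severities and the sample data are constructed assumptions of this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed copy of the per-user quota and alert settings from this section.
MONITORING = {
    "quotas": {"per_user_daily": {"tokens": 100000, "cost_usd": 5.0, "requests": 500}},
    "alerts": {"token_threshold": 0.8, "cost_threshold": 0.9, "channels": ["email", "slack", "webhook"]},
}
ERROR_RATE_THRESHOLD = 0.05  # alert table: error rate > 5% goes to PagerDuty

# Assumption: which metrics carry a soft warning threshold; "requests" only has the hard limit.
THRESHOLD_KEY = {"tokens": "token_threshold", "cost_usd": "cost_threshold"}

# Constructed per-request usage records for one day (users and numbers are made up).
SAMPLE_USAGE = [
    {"user": "dev@company.com", "date": "2026-06-18", "tokens": 50000, "cost_usd": 2.0, "error": False},
    {"user": "dev@company.com", "date": "2026-06-18", "tokens": 20000, "cost_usd": 1.6, "error": True},
    {"user": "dev@company.com", "date": "2026-06-18", "tokens": 15000, "cost_usd": 1.0, "error": False},
    {"user": "ops@company.com", "date": "2026-06-18", "tokens": 10000, "cost_usd": 0.5, "error": False},
] + [
    # a runaway automation account: 600 small requests blow through the request quota
    {"user": "ci-bot@company.com", "date": "2026-06-18", "tokens": 200, "cost_usd": 0.01, "error": False}
    for _ in range(600)
]


def aggregate_daily(records: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Sum tokens, cost, request count and errors per (user, date)."""
    totals = defaultdict(lambda: {"tokens": 0, "cost_usd": 0.0, "requests": 0, "errors": 0})
    for record in records:
        day = totals[(record["user"], record["date"])]
        day["tokens"] += record["tokens"]
        day["cost_usd"] += record["cost_usd"]
        day["requests"] += 1
        day["errors"] += int(record["error"])
    return dict(totals)


def evaluate_totals(monitoring: dict, user: str, date: str, day: dict) -> List[dict]:
    """Turn one user-day's totals into alerts: 'warn' above the configured ratio,
    'block' once a quota is exhausted, 'page' when the error rate exceeds 5%."""
    quota = monitoring["quotas"]["per_user_daily"]
    channels = monitoring["alerts"]["channels"]
    alerts = []
    for metric, limit in quota.items():
        ratio = day[metric] / limit
        key = THRESHOLD_KEY.get(metric)
        threshold = monitoring["alerts"][key] if key else 1.0
        if ratio >= 1.0:
            severity = "block"
        elif ratio > threshold:
            severity = "warn"
        else:
            continue
        alerts.append({"user": user, "date": date, "rule": metric, "ratio": round(ratio, 2),
                       "severity": severity, "channels": channels})
    if day["requests"] and day["errors"] / day["requests"] > ERROR_RATE_THRESHOLD:
        alerts.append({"user": user, "date": date, "rule": "error_rate",
                       "ratio": round(day["errors"] / day["requests"], 2),
                       "severity": "page", "channels": ["pagerduty"]})
    return alerts


def evaluate(monitoring: dict, records: List[dict]) -> List[dict]:
    """All alerts for every user-day present in the records."""
    return [
        alert
        for (user, date), day in aggregate_daily(records).items()
        for alert in evaluate_totals(monitoring, user, date, day)
    ]


def is_blocked(monitoring: dict, records: List[dict], user: str, date: str) -> bool:
    """Gate to consult before forwarding a new request for this user today."""
    day = aggregate_daily(records).get((user, date))
    if day is None:
        return False
    return any(a["severity"] == "block" for a in evaluate_totals(monitoring, user, date, day))


if __name__ == "__main__":
    for alert in evaluate(MONITORING, SAMPLE_USAGE):
        print(alert)
```

Warnings use the strict `>` of the table ("> 80% of quota"), while the block decision uses `>=` so that a user sitting exactly at the quota is stopped rather than allowed one more request; keep the two comparisons deliberate if the thresholds are ever moved into configuration.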
Production environment checklist

Security
- TLS/SSL enforced
- API key rotation policy
- Sensitive data encrypted at rest
- Network isolation (VPC)
- WAF protection

Compliance
- Complete audit logs
- Data retention policy
- GDPR / MLPS (等保) compliance
- Code stays in-country (where required)

Operations
- Monitoring dashboards
- Automated alerting
- Backup and recovery drills
- Capacity planning
- Failover testing
Next: 23. Troubleshooting guide