OpenCode audit flags telemetry, disclosure gaps

The criticism lands because "local-first" only matters if the network boundary is obvious, documented, and easy to control. OpenCode can absolutely use cloud services, but it needs to make those tradeoffs explicit instead of discoverable only through source spelunking.

• –The most serious path is session sharing: when enabled, conversation history syncs to OpenCode servers and can expose prompts or project context.
• –OpenCode's docs now cover sharing, autoupdate, GitHub workflows, and network/proxy setup, the GitHub docs say `share` defaults to true for public repositories, and the site has a privacy policy effective Mar. 6, 2026, so the "no docs/no policy" framing is partly stale even if disclosure is still scattered.
• –The stronger complaint is default clarity: analytics, update checks, and GitHub-linked behavior make the product feel less local than the branding implies.
• –For teams, the real test is whether they can run OpenCode in a locked-down environment with every outbound call accounted for; if not, transparency and opt-outs need to be first-class.
• –The unmerged PR backlog turns a technical dispute into a governance one; when privacy complaints stall, users start forking or blocking traffic themselves.