From e5f71dcdbb9125e81f05257815bce74b8f94b1b8 Mon Sep 17 00:00:00 2001
From: orbisai0security <orbisai0security@users.noreply.github.com>
Date: Sat, 6 Dec 2025 07:12:25 +0000
Subject: [PATCH] fix: resolve high vulnerability V-002

Automatically generated security fix
---
 packages/opencode/src/server/server.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/packages/opencode/src/server/server.ts b/packages/opencode/src/server/server.ts
index 7a105e7467c..4762e2e0b53 100644
--- a/packages/opencode/src/server/server.ts
+++ b/packages/opencode/src/server/server.ts
@@ -5,6 +5,7 @@ import { Hono } from "hono"
 import { cors } from "hono/cors"
 import { stream, streamSSE } from "hono/streaming"
 import { proxy } from "hono/proxy"
+import { rateLimitMiddleware } from "hono/rate-limit"
 import { Session } from "../session"
 import z from "zod"
 import { Provider } from "../provider/provider"
@@ -93,6 +94,10 @@ export namespace Server {
           timer.stop()
         }
       })
+      .use(rateLimitMiddleware({
+        windowMs: 15 * 60 * 1000, // 15 minutes
+        limit: 100, // limit each IP to 100 requests per windowMs
+      }))
       .use(cors())
       .get(
         "/global/event",