[Unit]
Description=OpenCode Authentication Broker
Documentation=https://github.com/pRizz/opencode
After=network.target

[Service]
Type=notify
ExecStart=/usr/local/bin/opencode-broker
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=5

# Security hardening
NoNewPrivileges=false
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=true
ReadWritePaths=/run/opencode

# Socket directory
RuntimeDirectory=opencode
RuntimeDirectoryMode=0755

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=opencode-broker

[Install]
WantedBy=multi-user.target