(no title)

* Not running the server by default * Patched the wide open CORS policy which left the server open to execution by any page you visited.

The server is still there but you have to explicitly enable it via `opencode serve`

The original disclosure has a table of fixes that have landed: https://cy.md/opencode-rce/