diff --git a/packages/opencode/src/flag/flag.ts b/packages/opencode/src/flag/flag.ts
index 0049d716d095..09bb06f7f187 100644
--- a/packages/opencode/src/flag/flag.ts
+++ b/packages/opencode/src/flag/flag.ts
@@ -29,6 +29,7 @@ export namespace Flag {
   export const OPENCODE_FAKE_VCS = process.env["OPENCODE_FAKE_VCS"]
   export declare const OPENCODE_CLIENT: string
   export const OPENCODE_SERVER_PASSWORD = process.env["OPENCODE_SERVER_PASSWORD"]
+  delete process.env["OPENCODE_SERVER_PASSWORD"]
   export const OPENCODE_SERVER_USERNAME = process.env["OPENCODE_SERVER_USERNAME"]
   export const OPENCODE_ENABLE_QUESTION_TOOL = truthy("OPENCODE_ENABLE_QUESTION_TOOL")
 
diff --git a/packages/opencode/test/bun.test.ts b/packages/opencode/test/bun.test.ts
index d607ae47820f..2e309f88f952 100644
--- a/packages/opencode/test/bun.test.ts
+++ b/packages/opencode/test/bun.test.ts
@@ -51,3 +51,25 @@ describe("BunProc registry configuration", () => {
     }
   })
 })
+
+describe("Flag server password", () => {
+  test("removes OPENCODE_SERVER_PASSWORD from env on load", async () => {
+    const key = "OPENCODE_SERVER_PASSWORD"
+    const original = process.env[key]
+    process.env[key] = "secret"
+
+    try {
+      const flagPath = path.join(__dirname, "../src/flag/flag.ts")
+      const tempPath = path.join(path.dirname(flagPath), `flag-${Date.now()}-${Math.random().toString(16).slice(2)}.ts`)
+      const content = await fs.readFile(flagPath, "utf-8")
+      await fs.writeFile(tempPath, content)
+
+      const { Flag } = await import(tempPath)
+      expect(Flag.OPENCODE_SERVER_PASSWORD).toBe("secret")
+      expect(process.env[key]).toBeUndefined()
+    } finally {
+      if (original === undefined) delete process.env[key]
+      else process.env[key] = original
+    }
+  })
+})