npm - opencode-immune - Versions diffs - 1.0.76 → 1.0.77 - Mend

opencode-immune 1.0.76 → 1.0.77

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/plugin/server.js +62 -52
package/package.json +2 -2

package/dist/plugin/server.js CHANGED Viewed

@@ -3777,7 +3777,7 @@ import { fileURLToPath } from "url";
 import { createHash } from "crypto";
 import { tmpdir } from "os";
 import { execFile } from "child_process";
-var PLUGIN_VERSION = "1.0.76";
+var PLUGIN_VERSION = "1.0.77";
 var PLUGIN_PACKAGE_NAME = "opencode-immune";
 var PLUGIN_DIRNAME = dirname(fileURLToPath(import.meta.url));
 function getServerAuthHeaders() {
@@ -3852,7 +3852,6 @@ function createState(input) {
     providerRetryWatchdogs: /* @__PURE__ */ new Map(),
     childFallbackRequests: /* @__PURE__ */ new Map(),
     sessionErrorRetryCount: /* @__PURE__ */ new Map(),
-    ultraworkPermissionSessions: /* @__PURE__ */ new Set(),
     fallbackAgentByAgent: /* @__PURE__ */ new Map(),
     baseAgentByFallbackAgent: /* @__PURE__ */ new Map(),
     fallbackModelCandidates: [],
@@ -3889,23 +3888,6 @@ function createState(input) {
   };
 }
 var ULTRAWORK_AGENT = "0-ultrawork";
-var ULTRAWORK_SESSION_PERMISSION = [
-  { permission: "read", pattern: "*", action: "allow" },
-  { permission: "edit", pattern: "*", action: "allow" },
-  { permission: "glob", pattern: "*", action: "allow" },
-  { permission: "grep", pattern: "*", action: "allow" },
-  { permission: "list", pattern: "*", action: "allow" },
-  { permission: "bash", pattern: "*", action: "allow" },
-  { permission: "task", pattern: "*", action: "allow" },
-  { permission: "external_directory", pattern: "*", action: "allow" },
-  { permission: "todowrite", pattern: "*", action: "allow" },
-  { permission: "question", pattern: "*", action: "allow" },
-  { permission: "webfetch", pattern: "*", action: "allow" },
-  { permission: "websearch", pattern: "*", action: "allow" },
-  { permission: "codesearch", pattern: "*", action: "allow" },
-  { permission: "lsp", pattern: "*", action: "allow" },
-  { permission: "skill", pattern: "*", action: "allow" }
-];
 var DIAGNOSTIC_LOG_MAX_BYTES = 5 * 1024 * 1024;
 var activeLogDirectory = null;
 var MANAGED_SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
@@ -3913,6 +3895,8 @@ var PROVIDER_RETRY_WATCHDOG_MS = 3e4;
 var RETRY_PROMPT_DELIVERY_ATTEMPTS = 3;
 var CHILD_FALLBACK_REQUEST_TTL_MS = 10 * 60 * 1e3;
 var AUTO_CYCLE_LOCK_TTL_MS = 30 * 60 * 1e3;
+var PROJECT_TMP_RELATIVE_PATH = ".opencode/tmp";
+var PROJECT_LOG_RELATIVE_PATH = ".opencode/state/logs";
 var MODEL_NAME_CAPABILITY_SCORE = {
   "claude-opus-4-7": 100,
   "gpt-5.5": 100,
@@ -3932,11 +3916,16 @@ function isManagedRootUltraworkSession(state, sessionID) {
   const record = getManagedSession(state, sessionID);
   return !!record && record.kind === "root";
 }
+function getProjectTmpDir(state) {
+  return join(state.input.directory, PROJECT_TMP_RELATIVE_PATH);
+}
+function getProjectLogDir(state) {
+  return join(state.input.directory, PROJECT_LOG_RELATIVE_PATH);
+}
 async function createManagedUltraworkSession(state, title) {
   const result = await state.client.session.create({
     directory: state.input.directory,
-    title,
-    permission: ULTRAWORK_SESSION_PERMISSION
+    title
   });
   if (result.error || !result.response.ok) {
     throw new Error(
@@ -3984,31 +3973,7 @@ async function startAutoCycleInNewSession(state, options) {
     state.autoResumeInFlight = false;
   }
 }
-async function applyUltraworkSessionPermissions(state, sessionID) {
-  if (state.ultraworkPermissionSessions.has(sessionID)) return;
-  try {
-    const result = await state.client.session.update({
-      directory: state.input.directory,
-      sessionID,
-      permission: ULTRAWORK_SESSION_PERMISSION
-    });
-    if (result.error || !result.response.ok) {
-      pluginLog.warn(
-        `[opencode-immune] Failed to apply ultrawork permissions to session ${sessionID}:`,
-        result.error ?? result.response.status
-      );
-      return;
-    }
-    state.ultraworkPermissionSessions.add(sessionID);
-  } catch (err) {
-    pluginLog.warn(
-      `[opencode-immune] Failed to apply ultrawork permissions to session ${sessionID}:`,
-      err
-    );
-  }
-}
 async function promptManagedSession(state, sessionID, text, options = {}) {
-  await applyUltraworkSessionPermissions(state, sessionID);
   const result = await state.client.session.promptAsync({
     directory: state.input.directory,
     sessionID,
@@ -4149,7 +4114,6 @@ async function addManagedUltraworkSession(state, sessionID, timestamp = Date.now
     return;
   }
   state.managedUltraworkSessions.set(sessionID, nextRecord);
-  await applyUltraworkSessionPermissions(state, sessionID);
 }
 async function addManagedChildSession(state, sessionID, parentSessionID, timestamp = Date.now()) {
   const parent = state.managedUltraworkSessions.get(parentSessionID);
@@ -4202,7 +4166,6 @@ async function removeManagedUltraworkSession(state, sessionID, reason) {
   cancelPendingSessionRetry(state, sessionID, reason);
   cancelProviderRetryWatchdog(state, sessionID, reason);
   state.sessionErrorRetryCount.delete(sessionID);
-  state.ultraworkPermissionSessions.delete(sessionID);
   const existed = state.managedUltraworkSessions.delete(sessionID);
   if (!existed) return;
   writePluginLog(
@@ -6083,17 +6046,59 @@ function createPermissionAskHandler(state) {
       state.recoveryContext = recovery;
       await addManagedUltraworkSession(state, sessionID);
       pluginLog.info(
-        `[opencode-immune] Permission request recovered AUTO-RESUME session ${sessionID}; applying managed ultrawork auto-allow.`
+        `[opencode-immune] Permission request recovered AUTO-RESUME session ${sessionID}; tracking as managed ultrawork session.`
       );
     }
-    output.status = "allow";
-    await writeDiagnosticLog(state, "permission:auto-allow", {
+    const permissionType = getPermissionType(input);
+    const patterns = getPermissionPatterns(input);
+    if (isManagedUltraworkSession(state, sessionID) && permissionType === "external_directory" && patterns.some(isExternalTmpPattern)) {
+      output.status = "deny";
+      await writeDiagnosticLog(state, "permission:auto-deny-external-tmp", {
+        sessionID,
+        status: output.status,
+        permission: permissionType,
+        patterns,
+        projectTmpDir: getProjectTmpDir(state),
+        projectLogDir: getProjectLogDir(state)
+      });
+      return;
+    }
+    await writeDiagnosticLog(state, "permission:ask", {
       sessionID,
-      permission: input.permission,
-      patterns: input.patterns
+      status: output.status,
+      permission: permissionType,
+      patterns
     });
   };
 }
+function getPermissionType(input) {
+  if (!input || typeof input !== "object") return void 0;
+  const value = input;
+  return typeof value.type === "string" ? value.type : typeof value.permission === "string" ? value.permission : void 0;
+}
+function getPermissionPatterns(input) {
+  if (!input || typeof input !== "object") return [];
+  const value = input;
+  const source = value.pattern ?? value.patterns;
+  if (Array.isArray(source)) return source.filter((item) => typeof item === "string");
+  return typeof source === "string" ? [source] : [];
+}
+function isExternalTmpPattern(pattern) {
+  return pattern === "/tmp" || pattern.startsWith("/tmp/") || pattern === "/tmp/*";
+}
+function createShellEnvHandler(state) {
+  return async (_input, output) => {
+    const projectTmpDir = getProjectTmpDir(state);
+    const projectLogDir = getProjectLogDir(state);
+    await mkdir(projectTmpDir, { recursive: true });
+    await mkdir(projectLogDir, { recursive: true });
+    output.env.TMPDIR = projectTmpDir;
+    output.env.TMP = projectTmpDir;
+    output.env.TEMP = projectTmpDir;
+    output.env.OPENCODE_TMP_DIR = projectTmpDir;
+    output.env.OPENCODE_LOG_DIR = projectLogDir;
+  };
+}
 async function server(input) {
   const state = createState(input);
   checkPluginUpdate(state).catch(() => {
@@ -6233,6 +6238,11 @@ async function server(input) {
       state,
       "permission.ask",
       createPermissionAskHandler(state)
+    ),
+    "shell.env": withErrorBoundary(
+      state,
+      "shell.env",
+      createShellEnvHandler(state)
     )
   };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-immune",
-  "version": "1.0.76",
+  "version": "1.0.77",
   "type": "module",
   "description": "OpenCode plugin: session recovery, auto-retry, multi-cycle automation, context monitoring",
   "exports": {
@@ -12,7 +12,7 @@
     "dist/plugin/server.js"
   ],
   "scripts": {
-    "build": "esbuild plugin.ts --bundle --platform=node --format=esm --target=node22 --outfile=dist/plugin/server.js",
+    "build": "esbuild plugin.ts --bundle --platform=node --format=esm --target=node22 --outfile=dist/plugin/server.js && esbuild plugin.ts --bundle --platform=node --format=esm --target=node22 --outfile=dist/plugin.js",
     "dev": "node ./node_modules/typescript/bin/tsc --project tsconfig.json --watch",
     "prepublishOnly": "npm run build"
   },