opencode-landstrip 0.14.2 → 0.15.1

package/index.ts

@@ -11,14 +11,18 @@ import { basename, dirname, isAbsolute, join, resolve } from 'node:path';
 import { URL } from 'node:url';
 
 import {
+  type LandstripTrap,
   type SandboxConfig,
   type SandboxFilesystemConfig,
   extractDomainsFromCommand,
+  formatLandstripTraps,
   getConfigPaths,
   isRecord,
   landstripBinaryPath,
   loadConfig,
   normalizeOptions,
+  parseLandstripTraps,
+  readDiscoveryPort,
 } from './shared.js';
 
 interface LandstripPolicy {
@@ -32,13 +36,6 @@ interface LandstripPolicy {
   filesystem: SandboxFilesystemConfig;
 }
 
-type LandstripTrap =
-  | { kind: 'Filesystem'; operation: 'read' | 'write'; path: string; mechanism: string }
-  | { kind: 'Network'; operation: string; target: string; mechanism: string }
-  | { kind: 'Launch'; program: string; message: string }
-  | { kind: 'Usage'; message: string }
-  | { kind: 'Internal'; fields: Record<string, string> };
-
 interface BashSandboxState {
   originalCommand: string;
   wrappedCommand: string;
@@ -58,15 +55,10 @@ interface SandboxPermissionDecision {
 
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 14, 5] as const;
+const LANDSTRIP_VERSION = [0, 15, 8] as const;
 const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
-const LANDSTRIP_OPERATIONS = new Set<'read' | 'write'>(['read', 'write']);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
 
-function isLandstripOperation(value: unknown): value is 'read' | 'write' {
-  return typeof value === 'string' && LANDSTRIP_OPERATIONS.has(value as 'read' | 'write');
-}
-
 function expandPath(filePath: string, baseDirectory: string): string {
   const expanded = filePath.replace(/^~(?=$|[/])/, homedir());
   return resolve(isAbsolute(expanded) ? expanded : join(baseDirectory, expanded));
@@ -245,17 +237,17 @@ function extractBlockedPath(
   if (match) return normalizeBlockedPath(match[1], baseDirectory);
 
   // Landstrip structured trap format carrying a denied path
-  const landstripErrors = parseLandstripErrors(output);
-  for (const trap of landstripErrors) {
-    if (trap.kind === 'Filesystem') return normalizeBlockedPath(trap.path, baseDirectory);
-    if (trap.kind === 'Internal' && trap.fields.file) {
-      return normalizeBlockedPath(trap.fields.file, baseDirectory);
+  const landstripTraps = parseLandstripTraps(output);
+  for (const trap of landstripTraps) {
+    if (trap.kind === 'filesystem') return normalizeBlockedPath(trap.path, baseDirectory);
+    if (trap.kind === 'internal' && trap.detail.file) {
+      return normalizeBlockedPath(trap.detail.file, baseDirectory);
     }
   }
 
   // If landstrip reported a trap but without a path, try to
   // extract the blocked path from the command itself
-  if (landstripErrors.length > 0 && command) {
+  if (landstripTraps.length > 0 && command) {
     for (const candidate of extractCandidatePaths(command)) {
       const resolved = canonicalizePath(candidate, baseDirectory);
       return resolved;
@@ -405,96 +397,6 @@ function hasMinimumVersion(version: string, minimum: readonly [number, number, n
   return true;
 }
 
-function decodeLandstripTrap(value: unknown): LandstripTrap | null {
-  if (typeof value !== 'object' || value === null || Array.isArray(value)) return null;
-  const entries = Object.entries(value as Record<string, unknown>);
-  if (entries.length !== 1) return null;
-  const [kind, payload] = entries[0];
-
-  switch (kind) {
-    case 'Filesystem': {
-      if (!Array.isArray(payload)) return null;
-      const [operation, path, mechanism] = payload;
-      if (!isLandstripOperation(operation) || typeof path !== 'string') return null;
-      return { kind, operation, path, mechanism: typeof mechanism === 'string' ? mechanism : '' };
-    }
-    case 'Network': {
-      if (!Array.isArray(payload)) return null;
-      const [operation, target, mechanism] = payload;
-      if (typeof operation !== 'string' || typeof target !== 'string') return null;
-      return { kind, operation, target, mechanism: typeof mechanism === 'string' ? mechanism : '' };
-    }
-    case 'Launch': {
-      if (!Array.isArray(payload)) return null;
-      const [program, message] = payload;
-      if (typeof program !== 'string') return null;
-      return { kind, program, message: typeof message === 'string' ? message : '' };
-    }
-    case 'Usage': {
-      if (typeof payload !== 'string') return null;
-      return { kind, message: payload };
-    }
-    case 'Internal': {
-      if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) return null;
-      const fields: Record<string, string> = {};
-      for (const [key, val] of Object.entries(payload as Record<string, unknown>)) {
-        fields[key] = typeof val === 'string' ? val : JSON.stringify(val);
-      }
-      return { kind, fields };
-    }
-    default:
-      return null;
-  }
-}
-
-function parseLandstripErrors(output: string): LandstripTrap[] {
-  const traps: LandstripTrap[] = [];
-
-  for (const line of output.split('\n')) {
-    const trimmed = line.trim();
-    if (trimmed.length === 0 || trimmed[0] !== '{') continue;
-
-    let parsed: unknown;
-    try {
-      parsed = JSON.parse(trimmed);
-    } catch {
-      continue;
-    }
-
-    const trap = decodeLandstripTrap(parsed);
-    if (trap) traps.push(trap);
-  }
-
-  return traps;
-}
-
-function formatLandstripTrap(trap: LandstripTrap): string {
-  switch (trap.kind) {
-    case 'Filesystem':
-      return `landstrip: filesystem ${trap.operation} denied (${trap.path})${
-        trap.mechanism ? ` [${trap.mechanism}]` : ''
-      }`;
-    case 'Network':
-      return `landstrip: network ${trap.operation} denied (${trap.target})${
-        trap.mechanism ? ` [${trap.mechanism}]` : ''
-      }`;
-    case 'Launch':
-      return `landstrip: launch failed (${trap.program})${trap.message ? `: ${trap.message}` : ''}`;
-    case 'Usage':
-      return `landstrip: usage error: ${trap.message}`;
-    case 'Internal': {
-      const detail = Object.entries(trap.fields)
-        .map(([key, val]) => `${key}: ${val}`)
-        .join(', ');
-      return `landstrip: internal error${detail ? ` (${detail})` : ''}`;
-    }
-  }
-}
-
-function formatLandstripErrors(traps: LandstripTrap[]): string {
-  return traps.map(formatLandstripTrap).join('\n');
-}
-
 function splitHostPort(target: string, defaultPort: number): { host: string; port: number } | null {
   const bracketMatch = target.match(/^\[([^\]]+)\](?::(\d+))?$/);
   if (bracketMatch) {
@@ -728,15 +630,37 @@ function shellArgs(shell: string, command: string): string[] {
   return [shell, '-lc', command];
 }
 
-function buildWrappedCommand(policyPath: string, shell: string, command: string): string {
-  const args = ['-p', policyPath, ...shellArgs(shell, command)];
+// The query-response port is published by the TUI plugin and is Linux-only (the
+// socket protocol exists only in landstrip's seccomp broker).
+function socketQueryPort(baseDirectory: string): number | null {
+  if (process.platform !== 'linux') return null;
+  return readDiscoveryPort(baseDirectory);
+}
 
-  return [landstripBinaryPath(), ...args].map(shellQuote).join(' ');
+function buildWrappedCommand(
+  policyPath: string,
+  shell: string,
+  command: string,
+  trapPort: number | null,
+): string {
+  const baseArgs = ['-p', policyPath, ...shellArgs(shell, command)];
+  const plain = [landstripBinaryPath(), ...baseArgs].map(shellQuote).join(' ');
+  if (trapPort === null) return plain;
+
+  // Connect fd 3 to the TUI's query-response socket BEFORE landstrip applies the
+  // sandbox, so a denied write can be approved live instead of forcing a re-run.
+  // The `&&`/`||` guard falls back to the plain (no --trap-fd) invocation when the
+  // redirect fails — a dead port, a non-bash outer shell without /dev/tcp, or an
+  // outer `set -e` — so a failed connect never hands the broker a dead fd 3.
+  const trapped = [landstripBinaryPath(), '--trap-fd', '3', ...baseArgs].map(shellQuote).join(' ');
+  return `{ exec 3<>/dev/tcp/127.0.0.1/${trapPort} ; } 2>/dev/null && ${trapped} || ${plain}`;
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
   return (
-    command.startsWith(`${shellQuote(landstripBinaryPath())} `) &&
+    // `.includes` rather than `.startsWith`: the query-response form prefixes a
+    // `{ exec 3<>/dev/tcp/...; } && ` redirect before the landstrip invocation.
+    command.includes(`${shellQuote(landstripBinaryPath())} `) &&
     command.includes(` ${shellQuote('-p')} `) &&
     command.includes('opencode-landstrip-')
   );
@@ -780,7 +704,10 @@ function extractOriginalCommand(wrappedCommand: string): string | null {
   const flagIdx = pIdx + 3;
   const flag = args[flagIdx];
   if (flag !== '-lc' && flag !== '-c') return null;
-  return args.slice(flagIdx + 1).join(' ');
+  // The query-response form appends `|| <plain invocation>`; stop at that
+  // separator so the fallback branch is not folded into the recovered command.
+  const end = args.indexOf('||', flagIdx + 1);
+  return (end === -1 ? args.slice(flagIdx + 1) : args.slice(flagIdx + 1, end)).join(' ');
 }
 
 function getToolPath(args: Record<string, unknown>): string | undefined {
@@ -1152,6 +1079,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       policy.path,
       configuredShell ?? process.env.SHELL ?? '/bin/sh',
       originalCommand,
+      socketQueryPort(directory),
     );
 
     activeBash.set(callID, {
@@ -1317,9 +1245,13 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       }
 
       const outputText = output?.output ?? '';
-      const errors = parseLandstripErrors(outputText);
+      // Query traps were already resolved interactively over the socket by the
+      // TUI plugin; only terminal (info) traps belong in the after-the-fact toast.
+      const errors = parseLandstripTraps(outputText).filter(
+        (trap: LandstripTrap) => !(trap.kind === 'filesystem' && trap.state === 'query'),
+      );
       if (errors.length > 0) {
-        const message = formatLandstripErrors(errors);
+        const message = formatLandstripTraps(errors);
         await client.tui
           ?.showToast?.({
             body: { title: 'opencode-landstrip', message, variant: 'error' },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.14.2",
+  "version": "0.15.1",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -49,7 +49,7 @@
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@landstrip/landstrip": "^0.14.5"
+    "@landstrip/landstrip": "^0.15.8"
   },
   "devDependencies": {
     "@opencode-ai/plugin": "^1.17.7",

package/shared.ts

@@ -3,8 +3,9 @@
 
 import { binaryPath } from '@landstrip/landstrip';
 
-import { existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from 'node:fs';
-import { homedir } from 'node:os';
+import { createHash } from 'node:crypto';
+import { existsSync, mkdirSync, readFileSync, realpathSync, rmSync, writeFileSync } from 'node:fs';
+import { homedir, tmpdir } from 'node:os';
 import { dirname, join } from 'node:path';
 
 export interface SandboxFilesystemConfig {
@@ -316,3 +317,187 @@ export function updateForPermission(
 
   return null;
 }
+
+// Landstrip emits one JSON trap per line on its trap fd/file. The `state` field
+// (landstrip >= 0.15.4) distinguishes a terminal `info` trap from a `query`
+// trap that holds a syscall pending until the host answers with `queryId`. It
+// is absent on the static-profile platforms (macOS/Windows), so both fields are
+// optional. Parsing lives here so the server hook and the TUI socket handler
+// decode identically.
+export type LandstripTrapState = 'query' | 'info';
+
+export type LandstripTrap =
+  | {
+      kind: 'filesystem';
+      operation: 'read' | 'write';
+      path: string;
+      mechanism: string;
+      state?: LandstripTrapState;
+      queryId?: number;
+    }
+  | { kind: 'network'; operation: string; target: string; mechanism: string }
+  | { kind: 'launch'; program: string; message: string }
+  | { kind: 'usage'; message: string }
+  | { kind: 'internal'; detail: Record<string, string> };
+
+const LANDSTRIP_OPERATIONS = new Set<'read' | 'write'>(['read', 'write']);
+
+function isLandstripOperation(value: unknown): value is 'read' | 'write' {
+  return typeof value === 'string' && LANDSTRIP_OPERATIONS.has(value as 'read' | 'write');
+}
+
+function decodeTrapState(value: unknown): LandstripTrapState | undefined {
+  return value === 'query' || value === 'info' ? value : undefined;
+}
+
+export function decodeLandstripTrap(value: unknown): LandstripTrap | null {
+  if (!isRecord(value)) return null;
+  const mechanism = typeof value.mechanism === 'string' ? value.mechanism : '';
+
+  switch (value.kind) {
+    case 'filesystem': {
+      const { operation, path } = value;
+      if (!isLandstripOperation(operation) || typeof path !== 'string') return null;
+      const state = decodeTrapState(value.state);
+      const queryId = typeof value.query_id === 'number' ? value.query_id : undefined;
+      return { kind: 'filesystem', operation, path, mechanism, state, queryId };
+    }
+    case 'network': {
+      const { operation, target } = value;
+      if (typeof operation !== 'string' || typeof target !== 'string') return null;
+      return { kind: 'network', operation, target, mechanism };
+    }
+    case 'launch': {
+      const { program, message } = value;
+      if (typeof program !== 'string') return null;
+      return { kind: 'launch', program, message: typeof message === 'string' ? message : '' };
+    }
+    case 'usage': {
+      const { message } = value;
+      if (typeof message !== 'string') return null;
+      return { kind: 'usage', message };
+    }
+    case 'internal': {
+      const detail: Record<string, string> = {};
+      const payload = value.detail;
+      if (isRecord(payload)) {
+        for (const [key, val] of Object.entries(payload)) {
+          detail[key] = typeof val === 'string' ? val : JSON.stringify(val);
+        }
+      }
+      return { kind: 'internal', detail };
+    }
+    default:
+      return null;
+  }
+}
+
+export function parseLandstripTraps(output: string): LandstripTrap[] {
+  const traps: LandstripTrap[] = [];
+
+  for (const line of output.split('\n')) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0 || trimmed[0] !== '{') continue;
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch {
+      continue;
+    }
+
+    const trap = decodeLandstripTrap(parsed);
+    if (trap) traps.push(trap);
+  }
+
+  return traps;
+}
+
+export function formatLandstripTrap(trap: LandstripTrap): string {
+  switch (trap.kind) {
+    case 'filesystem':
+      return `landstrip: filesystem ${trap.operation} denied (${trap.path})${
+        trap.mechanism ? ` [${trap.mechanism}]` : ''
+      }`;
+    case 'network':
+      return `landstrip: network ${trap.operation} denied (${trap.target})${
+        trap.mechanism ? ` [${trap.mechanism}]` : ''
+      }`;
+    case 'launch':
+      return `landstrip: launch failed (${trap.program})${trap.message ? `: ${trap.message}` : ''}`;
+    case 'usage':
+      return `landstrip: usage error: ${trap.message}`;
+    case 'internal': {
+      const detail = Object.entries(trap.detail)
+        .map(([key, val]) => `${key}: ${val}`)
+        .join(', ');
+      return `landstrip: internal error${detail ? ` (${detail})` : ''}`;
+    }
+  }
+}
+
+export function formatLandstripTraps(traps: LandstripTrap[]): string {
+  return traps.map(formatLandstripTrap).join('\n');
+}
+
+// The TUI plugin runs the query-response socket server and publishes its port
+// to a per-directory discovery file; the server plugin reads it to inject the
+// fd-3 redirect. Namespacing by a hash of the realpath keeps concurrent
+// opencode instances in different projects from colliding.
+function discoveryDir(): string {
+  const base = process.env.XDG_RUNTIME_DIR || tmpdir();
+  return join(base, 'opencode-landstrip');
+}
+
+export function discoveryFilePath(baseDirectory: string): string {
+  let key = baseDirectory;
+  try {
+    key = realpathSync.native(baseDirectory);
+  } catch {
+    // Directory not resolvable — hash the raw path instead.
+  }
+  const hash = createHash('sha256').update(key).digest('hex').slice(0, 16);
+  return join(discoveryDir(), `port-${hash}.json`);
+}
+
+export function writeDiscoveryPort(baseDirectory: string, port: number): void {
+  const dir = discoveryDir();
+  mkdirSync(dir, { recursive: true, mode: 0o700 });
+  writeFileSync(
+    discoveryFilePath(baseDirectory),
+    JSON.stringify({ port, pid: process.pid, ts: Date.now() }) + '\n',
+  );
+}
+
+export function removeDiscoveryFile(baseDirectory: string): void {
+  rmSync(discoveryFilePath(baseDirectory), { force: true });
+}
+
+// Returns the live query-response port, or null when no fresh server is
+// listening. A recorded writer pid that no longer exists marks the file stale.
+export function readDiscoveryPort(baseDirectory: string): number | null {
+  const path = discoveryFilePath(baseDirectory);
+  if (!existsSync(path)) return null;
+
+  try {
+    const data: unknown = JSON.parse(readFileSync(path, 'utf-8'));
+    if (!isRecord(data)) return null;
+
+    const port = typeof data.port === 'number' ? data.port : NaN;
+    if (!Number.isInteger(port) || port <= 0 || port > 65535) return null;
+
+    if (typeof data.pid === 'number') {
+      try {
+        process.kill(data.pid, 0);
+      } catch (error) {
+        // ESRCH: the writer is gone, so the file is stale. EPERM: alive but
+        // owned by another user — still a live listener, so accept it.
+        if ((error as NodeJS.ErrnoException).code === 'ESRCH') return null;
+      }
+    }
+
+    return port;
+  } catch {
+    return null;
+  }
+}

package/tui.ts

@@ -4,6 +4,7 @@
 import type { TuiPlugin, TuiSlotContext, TuiSlotPlugin } from '@opencode-ai/plugin/tui';
 
 import { existsSync } from 'node:fs';
+import { type AddressInfo, createServer, type Socket as NetSocket } from 'node:net';
 
 import {
   type SandboxConfigOverrides,
@@ -11,10 +12,13 @@ import {
   landstripBinaryPath,
   loadConfig,
   normalizeOptions,
+  parseLandstripTraps,
   permissionLabel,
   permissionResource,
+  removeDiscoveryFile,
   updateForPermission,
   writeConfigFile,
+  writeDiscoveryPort,
 } from './shared.js';
 
 // The shape shared by the `permission.asked` event payload and the entries
@@ -31,6 +35,27 @@ interface PendingPermission {
 
 type PermissionChoice = 'once' | 'session' | 'project' | 'global' | 'reject';
 
+type WriteChoice = 'once' | 'session' | 'project' | 'global' | 'deny';
+
+// A landstrip write query held pending over the fd-3 socket. It shares the
+// dialog stack with permission prompts so the two never overlap, hence the
+// common `id`/`kind` shape.
+interface WriteQueryEntry {
+  kind: 'write-query';
+  id: string;
+  socket: NetSocket;
+  queryId: number;
+  path: string;
+}
+
+interface PermissionEntry {
+  kind: 'permission';
+  id: string;
+  permission: PendingPermission;
+}
+
+type QueueEntry = PermissionEntry | WriteQueryEntry;
+
 function list(values: string[]): string {
   return values.join(', ') || '(none)';
 }
@@ -84,26 +109,44 @@ const tui: TuiPlugin = async (api, options, meta) => {
   // Permission requests can arrive twice (the live event and a reconnect replay
   // of `api.state`), so `resolved` tracks ids we have already answered and
   // `activeId` guards against stacking a second sandbox dialog on the first.
+  // Write queries share the same queue so a held-write prompt never stacks on a
+  // permission prompt.
   const resolved = new Set<string>();
-  const queue: PendingPermission[] = [];
+  const queue: QueueEntry[] = [];
   let activeId: string | undefined;
 
+  // Paths the user approved "for session": later queries for the same path are
+  // auto-allowed without a dialog. This lives only in the TUI process — the
+  // server regenerates the policy from on-disk config each run — so it affects
+  // only live socket decisions, not the static policy.
+  const sessionAllowedWritePaths = new Set<string>();
+
+  // Write queries still awaiting a response, so cleanup can release held
+  // syscalls instead of letting the child hang.
+  const liveQueries = new Set<WriteQueryEntry>();
+
   function pump(): void {
     if (activeId !== undefined) return;
     let next = queue.shift();
     while (next && resolved.has(next.id)) next = queue.shift();
     if (!next) return;
-    showPermission(next);
+    if (next.kind === 'permission') showPermission(next.permission);
+    else showWriteQuery(next);
   }
 
-  function enqueue(permission: PendingPermission): void {
-    if (!permission.id || resolved.has(permission.id)) return;
-    if (activeId === permission.id) return;
-    if (queue.some((item) => item.id === permission.id)) return;
-    queue.push(permission);
+  function enqueueEntry(entry: QueueEntry): void {
+    if (!entry.id || resolved.has(entry.id)) return;
+    if (activeId === entry.id) return;
+    if (queue.some((item) => item.id === entry.id)) return;
+    queue.push(entry);
     pump();
   }
 
+  function enqueue(permission: PendingPermission): void {
+    if (!permission.id) return;
+    enqueueEntry({ kind: 'permission', id: permission.id, permission });
+  }
+
   // Safety net for missed/late events and reconnects: fold whatever the host
   // still considers pending for this session back into the queue.
   function reconcile(sessionID: string): void {
@@ -224,6 +267,107 @@ const tui: TuiPlugin = async (api, options, meta) => {
     );
   }
 
+  function respondWriteQuery(socket: NetSocket, queryId: number, action: 'allow' | 'deny'): void {
+    if (!socket.destroyed) socket.write(JSON.stringify({ query_id: queryId, action }) + '\n');
+  }
+
+  function resolveWriteQuery(entry: WriteQueryEntry, choice: WriteChoice): void {
+    if (resolved.has(entry.id)) return;
+    const action = choice === 'deny' ? 'deny' : 'allow';
+
+    try {
+      if (action === 'allow') {
+        if (choice === 'session') {
+          sessionAllowedWritePaths.add(entry.path);
+        } else if (choice === 'project' || choice === 'global') {
+          const directory = api.state.path.directory || process.cwd();
+          const { globalPath, projectPath } = getConfigPaths(directory);
+          const update = updateForPermission({
+            permission: 'write',
+            metadata: { filepath: entry.path },
+          });
+          if (update) writeConfigFile(choice === 'project' ? projectPath : globalPath, update);
+        }
+      }
+
+      respondWriteQuery(entry.socket, entry.queryId, action);
+      api.ui.toast({
+        title: 'Sandbox',
+        message: action === 'deny' ? `Write denied: ${entry.path}` : `Write allowed (${choice})`,
+        variant: action === 'deny' ? 'warning' : 'success',
+      });
+    } catch {
+      // Persisting failed — still release the held syscall by denying it.
+      respondWriteQuery(entry.socket, entry.queryId, 'deny');
+    } finally {
+      liveQueries.delete(entry);
+      finishActive(entry.id);
+    }
+  }
+
+  function showWriteQuery(entry: WriteQueryEntry): void {
+    activeId = entry.id;
+
+    void api.attention.notify({
+      title: 'Sandbox write blocked',
+      message: entry.path,
+      sound: { name: 'permission' },
+      notification: true,
+    });
+
+    // A selection pops the dialog (firing `onClose`); track it so the esc-path
+    // deny does not override the user's choice. A held syscall must always be
+    // answered, so esc/dismiss denies rather than leaving it unresolved.
+    let selectionMade = false;
+
+    api.ui.dialog.replace(
+      () =>
+        api.ui.DialogSelect<WriteChoice>({
+          title: 'Sandbox Write Blocked',
+          placeholder: `Write blocked: ${entry.path}`,
+          options: [
+            {
+              title: 'Allow once',
+              value: 'once',
+              category: 'This write',
+              description: 'Permit this write and continue',
+            },
+            {
+              title: 'Allow for session',
+              value: 'session',
+              category: 'This write',
+              description: 'Permit writes to this path for the rest of this session',
+            },
+            {
+              title: 'Allow for project',
+              value: 'project',
+              category: 'Persist to sandbox.json',
+              description: 'Add to .opencode/sandbox.json allowWrite and permit',
+            },
+            {
+              title: 'Allow globally',
+              value: 'global',
+              category: 'Persist to sandbox.json',
+              description: 'Add to ~/.config/opencode/sandbox.json allowWrite and permit',
+            },
+            {
+              title: 'Deny',
+              value: 'deny',
+              category: 'Deny',
+              description: 'Block this write',
+            },
+          ],
+          onSelect: (option) => {
+            selectionMade = true;
+            resolveWriteQuery(entry, option.value);
+          },
+        }),
+      () => {
+        if (!selectionMade) resolveWriteQuery(entry, 'deny');
+      },
+    );
+  }
+
   const unsubscribeAsked = api.event.on('permission.asked', (event) => {
     const pending = event.properties as PendingPermission;
     enqueue(pending);
@@ -234,6 +378,98 @@ const tui: TuiPlugin = async (api, options, meta) => {
     finishActive(event.properties.requestID);
   });
 
+  // Query-response socket server (Linux-only — landstrip's socket protocol lives
+  // in the seccomp broker). The server plugin connects each sandboxed run's
+  // fd 3 here via a /dev/tcp redirect and we answer held writes interactively.
+  const sockets = new Set<NetSocket>();
+  let socketServer: ReturnType<typeof createServer> | undefined;
+
+  if (process.platform === 'linux') {
+    const baseDirectory = api.state.path.directory || process.cwd();
+    let socketSeq = 0;
+
+    socketServer = createServer((socket) => {
+      sockets.add(socket);
+      socket.setEncoding('utf8');
+      const socketId = ++socketSeq;
+      const seen = new Set<number>();
+      let buffer = '';
+
+      socket.on('data', (chunk: string | Buffer) => {
+        buffer += chunk.toString();
+        if (buffer.length > 1024 * 1024) {
+          socket.destroy();
+          return;
+        }
+
+        let newline: number;
+        while ((newline = buffer.indexOf('\n')) !== -1) {
+          const line = buffer.slice(0, newline);
+          buffer = buffer.slice(newline + 1);
+
+          for (const trap of parseLandstripTraps(line)) {
+            if (
+              trap.kind !== 'filesystem' ||
+              trap.state !== 'query' ||
+              trap.operation !== 'write'
+            ) {
+              continue;
+            }
+            if (typeof trap.queryId !== 'number' || seen.has(trap.queryId)) continue;
+            seen.add(trap.queryId);
+
+            if (sessionAllowedWritePaths.has(trap.path)) {
+              respondWriteQuery(socket, trap.queryId, 'allow');
+              continue;
+            }
+
+            const entry: WriteQueryEntry = {
+              kind: 'write-query',
+              id: `landstrip-write:${socketId}:${trap.queryId}`,
+              socket,
+              queryId: trap.queryId,
+              path: trap.path,
+            };
+            liveQueries.add(entry);
+            enqueueEntry(entry);
+          }
+        }
+      });
+
+      const cleanup = () => {
+        sockets.delete(socket);
+        // The child is gone; drop our holds for this socket so the queue moves on.
+        // Deleting the current entry mid-iteration is well-defined for a Set.
+        for (const entry of liveQueries) {
+          if (entry.socket !== socket) continue;
+          liveQueries.delete(entry);
+          finishActive(entry.id);
+        }
+      };
+      socket.on('error', cleanup);
+      socket.on('close', cleanup);
+    });
+
+    socketServer.on('error', () => {
+      try {
+        removeDiscoveryFile(baseDirectory);
+      } catch {
+        // best effort
+      }
+    });
+
+    socketServer.listen(0, '127.0.0.1', () => {
+      const address = socketServer?.address() as AddressInfo | null;
+      if (address && typeof address === 'object') {
+        try {
+          writeDiscoveryPort(baseDirectory, address.port);
+        } catch {
+          // best effort — falls back to the server's reset model
+        }
+      }
+    });
+  }
+
   const showSandbox = () => {
     const directory = api.state.path.directory || process.cwd();
     const message = sandboxSummary(directory, optionOverrides);
@@ -335,6 +571,22 @@ const tui: TuiPlugin = async (api, options, meta) => {
   api.lifecycle.onDispose(() => {
     unsubscribeAsked();
     unsubscribeReplied();
+
+    // Deny any still-held writes so the sandboxed children don't hang, then
+    // tear down the socket server and drop the discovery file.
+    for (const entry of liveQueries) {
+      respondWriteQuery(entry.socket, entry.queryId, 'deny');
+      liveQueries.delete(entry);
+    }
+    for (const socket of sockets) socket.destroy();
+    if (socketServer) {
+      socketServer.close();
+      try {
+        removeDiscoveryFile(api.state.path.directory || process.cwd());
+      } catch {
+        // best effort
+      }
+    }
   });
 };