opencode-landstrip 0.15.0 → 0.15.2

package/index.ts

@@ -11,14 +11,18 @@ import { basename, dirname, isAbsolute, join, resolve } from 'node:path';
 import { URL } from 'node:url';
 
 import {
+  type LandstripTrap,
   type SandboxConfig,
   type SandboxFilesystemConfig,
   extractDomainsFromCommand,
+  formatLandstripTraps,
   getConfigPaths,
   isRecord,
   landstripBinaryPath,
   loadConfig,
   normalizeOptions,
+  parseLandstripTraps,
+  readDiscoveryPort,
 } from './shared.js';
 
 interface LandstripPolicy {
@@ -32,13 +36,6 @@ interface LandstripPolicy {
   filesystem: SandboxFilesystemConfig;
 }
 
-type LandstripTrap =
-  | { kind: 'filesystem'; operation: 'read' | 'write'; path: string; mechanism: string }
-  | { kind: 'network'; operation: string; target: string; mechanism: string }
-  | { kind: 'launch'; program: string; message: string }
-  | { kind: 'usage'; message: string }
-  | { kind: 'internal'; detail: Record<string, string> };
-
 interface BashSandboxState {
   originalCommand: string;
   wrappedCommand: string;
@@ -58,15 +55,10 @@ interface SandboxPermissionDecision {
 
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 15, 1] as const;
+const LANDSTRIP_VERSION = [0, 15, 9] as const;
 const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
-const LANDSTRIP_OPERATIONS = new Set<'read' | 'write'>(['read', 'write']);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
 
-function isLandstripOperation(value: unknown): value is 'read' | 'write' {
-  return typeof value === 'string' && LANDSTRIP_OPERATIONS.has(value as 'read' | 'write');
-}
-
 function expandPath(filePath: string, baseDirectory: string): string {
   const expanded = filePath.replace(/^~(?=$|[/])/, homedir());
   return resolve(isAbsolute(expanded) ? expanded : join(baseDirectory, expanded));
@@ -110,11 +102,11 @@ function globToRegExp(globPattern: string): RegExp {
   let regex = '';
 
   for (let i = 0; i < globPattern.length; i++) {
-    const char = globPattern[i];
+    const char = globPattern.charAt(i);
     if (char === '*') {
-      if (globPattern[i + 1] === '*') {
+      if (globPattern.charAt(i + 1) === '*') {
         i++;
-        if (globPattern[i + 1] === '/') {
+        if (globPattern.charAt(i + 1) === '/') {
           i++;
           regex += '(?:.*/)?';
         } else {
@@ -230,23 +222,23 @@ function extractBlockedPath(
   let match = output.match(
     /(?:\/bin\/bash|bash|sh): (?:line \d+: )?([^:\n]+): (?:Operation not permitted|Permission denied)/,
   );
-  if (match) return normalizeBlockedPath(match[1], baseDirectory);
+  if (match?.[1]) return normalizeBlockedPath(match[1], baseDirectory);
 
   // ls/cat/cp: cannot open/access/stat '/path': Permission denied
   match = output.match(
     /^[a-zA-Z0-9_-]+: cannot (?:open|access|stat|create)(?: directory)? '?([^'\n]+?)'?(?: for (?:reading|writing))?: Permission denied$/m,
   );
-  if (match) return normalizeBlockedPath(match[1], baseDirectory);
+  if (match?.[1]) return normalizeBlockedPath(match[1], baseDirectory);
 
   // Generic: cmd: /absolute/path: Permission denied or Operation not permitted
   match = output.match(
     /^[a-zA-Z0-9_-]+: (\/[^\n:]+): (?:Operation not permitted|Permission denied)$/m,
   );
-  if (match) return normalizeBlockedPath(match[1], baseDirectory);
+  if (match?.[1]) return normalizeBlockedPath(match[1], baseDirectory);
 
   // Landstrip structured trap format carrying a denied path
-  const landstripErrors = parseLandstripErrors(output);
-  for (const trap of landstripErrors) {
+  const landstripTraps = parseLandstripTraps(output);
+  for (const trap of landstripTraps) {
     if (trap.kind === 'filesystem') return normalizeBlockedPath(trap.path, baseDirectory);
     if (trap.kind === 'internal' && trap.detail.file) {
       return normalizeBlockedPath(trap.detail.file, baseDirectory);
@@ -255,7 +247,7 @@ function extractBlockedPath(
 
   // If landstrip reported a trap but without a path, try to
   // extract the blocked path from the command itself
-  if (landstripErrors.length > 0 && command) {
+  if (landstripTraps.length > 0 && command) {
     for (const candidate of extractCandidatePaths(command)) {
       const resolved = canonicalizePath(candidate, baseDirectory);
       return resolved;
@@ -398,105 +390,19 @@ function hasMinimumVersion(version: string, minimum: readonly [number, number, n
   if (!parsed) return false;
 
   for (let i = 0; i < minimum.length; i++) {
-    if (parsed[i] > minimum[i]) return true;
-    if (parsed[i] < minimum[i]) return false;
+    const parsedPart = parsed[i];
+    const minimumPart = minimum[i];
+    if (parsedPart === undefined || minimumPart === undefined) return false;
+    if (parsedPart > minimumPart) return true;
+    if (parsedPart < minimumPart) return false;
   }
 
   return true;
 }
 
-function decodeLandstripTrap(value: unknown): LandstripTrap | null {
-  if (typeof value !== 'object' || value === null || Array.isArray(value)) return null;
-  const record = value as Record<string, unknown>;
-  const mechanism = typeof record.mechanism === 'string' ? record.mechanism : '';
-
-  switch (record.kind) {
-    case 'filesystem': {
-      const { operation, path } = record;
-      if (!isLandstripOperation(operation) || typeof path !== 'string') return null;
-      return { kind: 'filesystem', operation, path, mechanism };
-    }
-    case 'network': {
-      const { operation, target } = record;
-      if (typeof operation !== 'string' || typeof target !== 'string') return null;
-      return { kind: 'network', operation, target, mechanism };
-    }
-    case 'launch': {
-      const { program, message } = record;
-      if (typeof program !== 'string') return null;
-      return { kind: 'launch', program, message: typeof message === 'string' ? message : '' };
-    }
-    case 'usage': {
-      const { message } = record;
-      if (typeof message !== 'string') return null;
-      return { kind: 'usage', message };
-    }
-    case 'internal': {
-      const detail: Record<string, string> = {};
-      const payload = record.detail;
-      if (typeof payload === 'object' && payload !== null && !Array.isArray(payload)) {
-        for (const [key, val] of Object.entries(payload as Record<string, unknown>)) {
-          detail[key] = typeof val === 'string' ? val : JSON.stringify(val);
-        }
-      }
-      return { kind: 'internal', detail };
-    }
-    default:
-      return null;
-  }
-}
-
-function parseLandstripErrors(output: string): LandstripTrap[] {
-  const traps: LandstripTrap[] = [];
-
-  for (const line of output.split('\n')) {
-    const trimmed = line.trim();
-    if (trimmed.length === 0 || trimmed[0] !== '{') continue;
-
-    let parsed: unknown;
-    try {
-      parsed = JSON.parse(trimmed);
-    } catch {
-      continue;
-    }
-
-    const trap = decodeLandstripTrap(parsed);
-    if (trap) traps.push(trap);
-  }
-
-  return traps;
-}
-
-function formatLandstripTrap(trap: LandstripTrap): string {
-  switch (trap.kind) {
-    case 'filesystem':
-      return `landstrip: filesystem ${trap.operation} denied (${trap.path})${
-        trap.mechanism ? ` [${trap.mechanism}]` : ''
-      }`;
-    case 'network':
-      return `landstrip: network ${trap.operation} denied (${trap.target})${
-        trap.mechanism ? ` [${trap.mechanism}]` : ''
-      }`;
-    case 'launch':
-      return `landstrip: launch failed (${trap.program})${trap.message ? `: ${trap.message}` : ''}`;
-    case 'usage':
-      return `landstrip: usage error: ${trap.message}`;
-    case 'internal': {
-      const detail = Object.entries(trap.detail)
-        .map(([key, val]) => `${key}: ${val}`)
-        .join(', ');
-      return `landstrip: internal error${detail ? ` (${detail})` : ''}`;
-    }
-  }
-}
-
-function formatLandstripErrors(traps: LandstripTrap[]): string {
-  return traps.map(formatLandstripTrap).join('\n');
-}
-
 function splitHostPort(target: string, defaultPort: number): { host: string; port: number } | null {
   const bracketMatch = target.match(/^\[([^\]]+)\](?::(\d+))?$/);
-  if (bracketMatch) {
+  if (bracketMatch?.[1]) {
     return {
       host: bracketMatch[1],
       port: bracketMatch[2] ? Number(bracketMatch[2]) : defaultPort,
@@ -594,7 +500,13 @@ function startProxy(config: SandboxConfig): Promise<{ port: number; stop: () =>
 
   async function handleHttp(client: Socket, headerText: string, rest: Buffer): Promise<void> {
     const lines = headerText.split(/\r?\n/);
-    const [method, rawTarget, version] = lines[0].split(' ');
+    const requestLine = lines[0];
+    if (!requestLine) {
+      denyProxyRequest(client, '400 Bad Request');
+      return;
+    }
+
+    const [method, rawTarget, version] = requestLine.split(' ');
 
     if (!method || !rawTarget || !version) {
       denyProxyRequest(client, '400 Bad Request');
@@ -664,10 +576,10 @@ function startProxy(config: SandboxConfig): Promise<{ port: number; stop: () =>
       const header = buffered.subarray(0, headerEnd).toString('utf-8');
       const rest = buffered.subarray(headerEnd + 4);
       const firstLine = header.split(/\r?\n/, 1)[0];
-      const [method, target] = firstLine.split(' ');
+      const [method, target] = (firstLine ?? '').split(' ');
 
       const task =
-        method?.toUpperCase() === 'CONNECT'
+        method?.toUpperCase() === 'CONNECT' && target
           ? handleConnect(client, target, rest)
           : handleHttp(client, header, rest);
       task.catch(() => denyProxyRequest(client, '502 Bad Gateway'));
@@ -727,15 +639,37 @@ function shellArgs(shell: string, command: string): string[] {
   return [shell, '-lc', command];
 }
 
-function buildWrappedCommand(policyPath: string, shell: string, command: string): string {
-  const args = ['-p', policyPath, ...shellArgs(shell, command)];
+// The query-response port is published by the TUI plugin and is Linux-only (the
+// socket protocol exists only in landstrip's seccomp broker).
+function socketQueryPort(baseDirectory: string): number | null {
+  if (process.platform !== 'linux') return null;
+  return readDiscoveryPort(baseDirectory);
+}
 
-  return [landstripBinaryPath(), ...args].map(shellQuote).join(' ');
+function buildWrappedCommand(
+  policyPath: string,
+  shell: string,
+  command: string,
+  trapPort: number | null,
+): string {
+  const baseArgs = ['-p', policyPath, ...shellArgs(shell, command)];
+  const plain = [landstripBinaryPath(), ...baseArgs].map(shellQuote).join(' ');
+  if (trapPort === null) return plain;
+
+  // Connect fd 3 to the TUI's query-response socket BEFORE landstrip applies the
+  // sandbox, so a denied write can be approved live instead of forcing a re-run.
+  // The `&&`/`||` guard falls back to the plain (no --trap-fd) invocation when the
+  // redirect fails — a dead port, a non-bash outer shell without /dev/tcp, or an
+  // outer `set -e` — so a failed connect never hands the broker a dead fd 3.
+  const trapped = [landstripBinaryPath(), '--trap-fd', '3', ...baseArgs].map(shellQuote).join(' ');
+  return `{ exec 3<>/dev/tcp/127.0.0.1/${trapPort} ; } 2>/dev/null && ${trapped} || ${plain}`;
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
   return (
-    command.startsWith(`${shellQuote(landstripBinaryPath())} `) &&
+    // `.includes` rather than `.startsWith`: the query-response form prefixes a
+    // `{ exec 3<>/dev/tcp/...; } && ` redirect before the landstrip invocation.
+    command.includes(`${shellQuote(landstripBinaryPath())} `) &&
     command.includes(` ${shellQuote('-p')} `) &&
     command.includes('opencode-landstrip-')
   );
@@ -779,7 +713,10 @@ function extractOriginalCommand(wrappedCommand: string): string | null {
   const flagIdx = pIdx + 3;
   const flag = args[flagIdx];
   if (flag !== '-lc' && flag !== '-c') return null;
-  return args.slice(flagIdx + 1).join(' ');
+  // The query-response form appends `|| <plain invocation>`; stop at that
+  // separator so the fallback branch is not folded into the recovered command.
+  const end = args.indexOf('||', flagIdx + 1);
+  return (end === -1 ? args.slice(flagIdx + 1) : args.slice(flagIdx + 1, end)).join(' ');
 }
 
 function getToolPath(args: Record<string, unknown>): string | undefined {
@@ -796,13 +733,13 @@ function extractPatchPaths(patchText: string): string[] {
 
   for (const line of patchText.split(/\r?\n/)) {
     const fileMatch = line.match(/^\*\*\* (?:Add|Update|Delete) File: (.+)$/);
-    if (fileMatch) {
+    if (fileMatch?.[1]) {
       paths.push(fileMatch[1].trim());
       continue;
     }
 
     const moveMatch = line.match(/^\*\*\* Move to: (.+)$/);
-    if (moveMatch) paths.push(moveMatch[1].trim());
+    if (moveMatch?.[1]) paths.push(moveMatch[1].trim());
   }
 
   return paths;
@@ -1097,7 +1034,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
     if (isGeneratedWrappedCommand(args.command as string)) {
       const policyMatch = (args.command as string).match(/\s'-p'\s+'([^']+)'/);
-      if (policyMatch && existsSync(policyMatch[1])) {
+      if (policyMatch?.[1] && existsSync(policyMatch[1])) {
         if (typeof args.description === 'string')
           args.description = landstripDescription(args.description);
         return;
@@ -1151,6 +1088,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       policy.path,
       configuredShell ?? process.env.SHELL ?? '/bin/sh',
       originalCommand,
+      socketQueryPort(directory),
     );
 
     activeBash.set(callID, {
@@ -1316,9 +1254,13 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       }
 
       const outputText = output?.output ?? '';
-      const errors = parseLandstripErrors(outputText);
+      // Query traps were already resolved interactively over the socket by the
+      // TUI plugin; only terminal (info) traps belong in the after-the-fact toast.
+      const errors = parseLandstripTraps(outputText).filter(
+        (trap: LandstripTrap) => !(trap.kind === 'filesystem' && trap.state === 'query'),
+      );
       if (errors.length > 0) {
-        const message = formatLandstripErrors(errors);
+        const message = formatLandstripTraps(errors);
         await client.tui
           ?.showToast?.({
             body: { title: 'opencode-landstrip', message, variant: 'error' },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.15.0",
+  "version": "0.15.2",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -43,13 +43,13 @@
     "check": "tsc --noEmit",
     "test": "node --test test/*.test.mjs",
     "all": "npm run fmt && npm run lint && npm run check && npm test",
-    "ci:fmt": "oxfmt --check index.ts tui.ts package.json tsconfig.json sandbox.json .oxfmtrc.json README.md test/*.test.mjs",
+    "ci:fmt": "oxfmt --check index.ts tui.ts shared.ts package.json tsconfig.json sandbox.json .oxfmtrc.json README.md test/*.test.mjs",
     "ci:lint": "npm run lint",
     "ci:check": "npm run check",
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@landstrip/landstrip": "^0.15.1"
+    "@landstrip/landstrip": "^0.15.9"
   },
   "devDependencies": {
     "@opencode-ai/plugin": "^1.17.7",

package/shared.ts

@@ -3,8 +3,9 @@
 
 import { binaryPath } from '@landstrip/landstrip';
 
-import { existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from 'node:fs';
-import { homedir } from 'node:os';
+import { createHash } from 'node:crypto';
+import { existsSync, mkdirSync, readFileSync, realpathSync, rmSync, writeFileSync } from 'node:fs';
+import { homedir, tmpdir } from 'node:os';
 import { dirname, join } from 'node:path';
 
 export interface SandboxFilesystemConfig {
@@ -237,7 +238,7 @@ export function extractDomainsFromCommand(command: string): string[] {
   let match: RegExpExecArray | null;
 
   while ((match = urlRegex.exec(command)) !== null) {
-    domains.add(match[1]);
+    if (match[1]) domains.add(match[1]);
   }
 
   return [...domains];
@@ -316,3 +317,189 @@ export function updateForPermission(
 
   return null;
 }
+
+// Landstrip emits one JSON trap per line on its trap fd/file. The `state` field
+// (landstrip >= 0.15.4) distinguishes a terminal `info` trap from a `query`
+// trap that holds a syscall pending until the host answers with `queryId`. It
+// is absent on the static-profile platforms (macOS/Windows), so both fields are
+// optional. Parsing lives here so the server hook and the TUI socket handler
+// decode identically.
+export type LandstripTrapState = 'query' | 'info';
+
+export type LandstripTrap =
+  | {
+      kind: 'filesystem';
+      operation: 'read' | 'write';
+      path: string;
+      mechanism: string;
+      state?: LandstripTrapState;
+      queryId?: number;
+    }
+  | { kind: 'network'; operation: string; target: string; mechanism: string }
+  | { kind: 'launch'; program: string; message: string }
+  | { kind: 'usage'; message: string }
+  | { kind: 'internal'; detail: Record<string, string> };
+
+const LANDSTRIP_OPERATIONS = new Set<'read' | 'write'>(['read', 'write']);
+
+function isLandstripOperation(value: unknown): value is 'read' | 'write' {
+  return typeof value === 'string' && LANDSTRIP_OPERATIONS.has(value as 'read' | 'write');
+}
+
+function decodeTrapState(value: unknown): LandstripTrapState | undefined {
+  return value === 'query' || value === 'info' ? value : undefined;
+}
+
+export function decodeLandstripTrap(value: unknown): LandstripTrap | null {
+  if (!isRecord(value)) return null;
+  const mechanism = typeof value.mechanism === 'string' ? value.mechanism : '';
+
+  switch (value.kind) {
+    case 'filesystem': {
+      const { operation, path } = value;
+      if (!isLandstripOperation(operation) || typeof path !== 'string') return null;
+      const trap: LandstripTrap = { kind: 'filesystem', operation, path, mechanism };
+      const state = decodeTrapState(value.state);
+      if (state) trap.state = state;
+      if (typeof value.query_id === 'number') trap.queryId = value.query_id;
+      return trap;
+    }
+    case 'network': {
+      const { operation, target } = value;
+      if (typeof operation !== 'string' || typeof target !== 'string') return null;
+      return { kind: 'network', operation, target, mechanism };
+    }
+    case 'launch': {
+      const { program, message } = value;
+      if (typeof program !== 'string') return null;
+      return { kind: 'launch', program, message: typeof message === 'string' ? message : '' };
+    }
+    case 'usage': {
+      const { message } = value;
+      if (typeof message !== 'string') return null;
+      return { kind: 'usage', message };
+    }
+    case 'internal': {
+      const detail: Record<string, string> = {};
+      const payload = value.detail;
+      if (isRecord(payload)) {
+        for (const [key, val] of Object.entries(payload)) {
+          detail[key] = typeof val === 'string' ? val : JSON.stringify(val);
+        }
+      }
+      return { kind: 'internal', detail };
+    }
+    default:
+      return null;
+  }
+}
+
+export function parseLandstripTraps(output: string): LandstripTrap[] {
+  const traps: LandstripTrap[] = [];
+
+  for (const line of output.split('\n')) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0 || trimmed[0] !== '{') continue;
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch {
+      continue;
+    }
+
+    const trap = decodeLandstripTrap(parsed);
+    if (trap) traps.push(trap);
+  }
+
+  return traps;
+}
+
+export function formatLandstripTrap(trap: LandstripTrap): string {
+  switch (trap.kind) {
+    case 'filesystem':
+      return `landstrip: filesystem ${trap.operation} denied (${trap.path})${
+        trap.mechanism ? ` [${trap.mechanism}]` : ''
+      }`;
+    case 'network':
+      return `landstrip: network ${trap.operation} denied (${trap.target})${
+        trap.mechanism ? ` [${trap.mechanism}]` : ''
+      }`;
+    case 'launch':
+      return `landstrip: launch failed (${trap.program})${trap.message ? `: ${trap.message}` : ''}`;
+    case 'usage':
+      return `landstrip: usage error: ${trap.message}`;
+    case 'internal': {
+      const detail = Object.entries(trap.detail)
+        .map(([key, val]) => `${key}: ${val}`)
+        .join(', ');
+      return `landstrip: internal error${detail ? ` (${detail})` : ''}`;
+    }
+  }
+}
+
+export function formatLandstripTraps(traps: LandstripTrap[]): string {
+  return traps.map(formatLandstripTrap).join('\n');
+}
+
+// The TUI plugin runs the query-response socket server and publishes its port
+// to a per-directory discovery file; the server plugin reads it to inject the
+// fd-3 redirect. Namespacing by a hash of the realpath keeps concurrent
+// opencode instances in different projects from colliding.
+function discoveryDir(): string {
+  const base = process.env.XDG_RUNTIME_DIR || tmpdir();
+  return join(base, 'opencode-landstrip');
+}
+
+export function discoveryFilePath(baseDirectory: string): string {
+  let key = baseDirectory;
+  try {
+    key = realpathSync.native(baseDirectory);
+  } catch {
+    // Directory not resolvable — hash the raw path instead.
+  }
+  const hash = createHash('sha256').update(key).digest('hex').slice(0, 16);
+  return join(discoveryDir(), `port-${hash}.json`);
+}
+
+export function writeDiscoveryPort(baseDirectory: string, port: number): void {
+  const dir = discoveryDir();
+  mkdirSync(dir, { recursive: true, mode: 0o700 });
+  writeFileSync(
+    discoveryFilePath(baseDirectory),
+    JSON.stringify({ port, pid: process.pid, ts: Date.now() }) + '\n',
+  );
+}
+
+export function removeDiscoveryFile(baseDirectory: string): void {
+  rmSync(discoveryFilePath(baseDirectory), { force: true });
+}
+
+// Returns the live query-response port, or null when no fresh server is
+// listening. A recorded writer pid that no longer exists marks the file stale.
+export function readDiscoveryPort(baseDirectory: string): number | null {
+  const path = discoveryFilePath(baseDirectory);
+  if (!existsSync(path)) return null;
+
+  try {
+    const data: unknown = JSON.parse(readFileSync(path, 'utf-8'));
+    if (!isRecord(data)) return null;
+
+    const port = typeof data.port === 'number' ? data.port : NaN;
+    if (!Number.isInteger(port) || port <= 0 || port > 65535) return null;
+
+    if (typeof data.pid === 'number') {
+      try {
+        process.kill(data.pid, 0);
+      } catch (error) {
+        // ESRCH: the writer is gone, so the file is stale. EPERM: alive but
+        // owned by another user — still a live listener, so accept it.
+        if ((error as NodeJS.ErrnoException).code === 'ESRCH') return null;
+      }
+    }
+
+    return port;
+  } catch {
+    return null;
+  }
+}

package/tui.ts

@@ -4,6 +4,7 @@
 import type { TuiPlugin, TuiSlotContext, TuiSlotPlugin } from '@opencode-ai/plugin/tui';
 
 import { existsSync } from 'node:fs';
+import { type AddressInfo, createServer, type Socket as NetSocket } from 'node:net';
 
 import {
   type SandboxConfigOverrides,
@@ -11,10 +12,13 @@ import {
   landstripBinaryPath,
   loadConfig,
   normalizeOptions,
+  parseLandstripTraps,
   permissionLabel,
   permissionResource,
+  removeDiscoveryFile,
   updateForPermission,
   writeConfigFile,
+  writeDiscoveryPort,
 } from './shared.js';
 
 // The shape shared by the `permission.asked` event payload and the entries
@@ -31,6 +35,28 @@ interface PendingPermission {
 
 type PermissionChoice = 'once' | 'session' | 'project' | 'global' | 'reject';
 
+type QueryChoice = 'once' | 'session' | 'project' | 'global' | 'deny';
+
+// A landstrip filesystem query (read or write) held pending over the fd-3
+// socket. It shares the dialog stack with permission prompts so the two never
+// overlap, hence the common `id`/`kind` shape.
+interface FsQueryEntry {
+  kind: 'fs-query';
+  id: string;
+  socket: NetSocket;
+  queryId: number;
+  operation: 'read' | 'write';
+  path: string;
+}
+
+interface PermissionEntry {
+  kind: 'permission';
+  id: string;
+  permission: PendingPermission;
+}
+
+type QueueEntry = PermissionEntry | FsQueryEntry;
+
 function list(values: string[]): string {
   return values.join(', ') || '(none)';
 }
@@ -84,26 +110,45 @@ const tui: TuiPlugin = async (api, options, meta) => {
   // Permission requests can arrive twice (the live event and a reconnect replay
   // of `api.state`), so `resolved` tracks ids we have already answered and
   // `activeId` guards against stacking a second sandbox dialog on the first.
+  // Write queries share the same queue so a held-write prompt never stacks on a
+  // permission prompt.
   const resolved = new Set<string>();
-  const queue: PendingPermission[] = [];
+  const queue: QueueEntry[] = [];
   let activeId: string | undefined;
 
+  // Paths the user approved "for session": later queries for the same path are
+  // auto-allowed without a dialog. This lives only in the TUI process — the
+  // server regenerates the policy from on-disk config each run — so it affects
+  // only live socket decisions, not the static policy.
+  const sessionAllowedWritePaths = new Set<string>();
+  const sessionAllowedReadPaths = new Set<string>();
+
+  // Filesystem queries still awaiting a response, so cleanup can release held
+  // syscalls instead of letting the child hang.
+  const liveQueries = new Set<FsQueryEntry>();
+
   function pump(): void {
     if (activeId !== undefined) return;
     let next = queue.shift();
     while (next && resolved.has(next.id)) next = queue.shift();
     if (!next) return;
-    showPermission(next);
+    if (next.kind === 'permission') showPermission(next.permission);
+    else showFsQuery(next);
   }
 
-  function enqueue(permission: PendingPermission): void {
-    if (!permission.id || resolved.has(permission.id)) return;
-    if (activeId === permission.id) return;
-    if (queue.some((item) => item.id === permission.id)) return;
-    queue.push(permission);
+  function enqueueEntry(entry: QueueEntry): void {
+    if (!entry.id || resolved.has(entry.id)) return;
+    if (activeId === entry.id) return;
+    if (queue.some((item) => item.id === entry.id)) return;
+    queue.push(entry);
     pump();
   }
 
+  function enqueue(permission: PendingPermission): void {
+    if (!permission.id) return;
+    enqueueEntry({ kind: 'permission', id: permission.id, permission });
+  }
+
   // Safety net for missed/late events and reconnects: fold whatever the host
   // still considers pending for this session back into the queue.
   function reconcile(sessionID: string): void {
@@ -224,6 +269,114 @@ const tui: TuiPlugin = async (api, options, meta) => {
     );
   }
 
+  function respondFsQuery(socket: NetSocket, queryId: number, action: 'allow' | 'deny'): void {
+    if (!socket.destroyed) socket.write(JSON.stringify({ query_id: queryId, action }) + '\n');
+  }
+
+  function resolveFsQuery(entry: FsQueryEntry, choice: QueryChoice): void {
+    if (resolved.has(entry.id)) return;
+    const action = choice === 'deny' ? 'deny' : 'allow';
+    const verb = entry.operation === 'read' ? 'Read' : 'Write';
+
+    try {
+      if (action === 'allow') {
+        if (choice === 'session') {
+          const sessionPaths =
+            entry.operation === 'read' ? sessionAllowedReadPaths : sessionAllowedWritePaths;
+          sessionPaths.add(entry.path);
+        } else if (choice === 'project' || choice === 'global') {
+          const directory = api.state.path.directory || process.cwd();
+          const { globalPath, projectPath } = getConfigPaths(directory);
+          const update = updateForPermission({
+            permission: entry.operation,
+            metadata: { filepath: entry.path },
+          });
+          if (update) writeConfigFile(choice === 'project' ? projectPath : globalPath, update);
+        }
+      }
+
+      respondFsQuery(entry.socket, entry.queryId, action);
+      api.ui.toast({
+        title: 'Sandbox',
+        message:
+          action === 'deny' ? `${verb} denied: ${entry.path}` : `${verb} allowed (${choice})`,
+        variant: action === 'deny' ? 'warning' : 'success',
+      });
+    } catch {
+      // Persisting failed — still release the held syscall by denying it.
+      respondFsQuery(entry.socket, entry.queryId, 'deny');
+    } finally {
+      liveQueries.delete(entry);
+      finishActive(entry.id);
+    }
+  }
+
+  function showFsQuery(entry: FsQueryEntry): void {
+    activeId = entry.id;
+    const verb = entry.operation === 'read' ? 'Read' : 'Write';
+    const noun = entry.operation;
+    const listName = entry.operation === 'read' ? 'allowRead' : 'allowWrite';
+
+    void api.attention.notify({
+      title: `Sandbox ${noun} blocked`,
+      message: entry.path,
+      sound: { name: 'permission' },
+      notification: true,
+    });
+
+    // A selection pops the dialog (firing `onClose`); track it so the esc-path
+    // deny does not override the user's choice. A held syscall must always be
+    // answered, so esc/dismiss denies rather than leaving it unresolved.
+    let selectionMade = false;
+
+    api.ui.dialog.replace(
+      () =>
+        api.ui.DialogSelect<QueryChoice>({
+          title: `Sandbox ${verb} Blocked`,
+          placeholder: `${verb} blocked: ${entry.path}`,
+          options: [
+            {
+              title: 'Allow once',
+              value: 'once',
+              category: `This ${noun}`,
+              description: `Permit this ${noun} and continue`,
+            },
+            {
+              title: 'Allow for session',
+              value: 'session',
+              category: `This ${noun}`,
+              description: `Permit ${noun}s to this path for the rest of this session`,
+            },
+            {
+              title: 'Allow for project',
+              value: 'project',
+              category: 'Persist to sandbox.json',
+              description: `Add to .opencode/sandbox.json ${listName} and permit`,
+            },
+            {
+              title: 'Allow globally',
+              value: 'global',
+              category: 'Persist to sandbox.json',
+              description: `Add to ~/.config/opencode/sandbox.json ${listName} and permit`,
+            },
+            {
+              title: 'Deny',
+              value: 'deny',
+              category: 'Deny',
+              description: `Block this ${noun}`,
+            },
+          ],
+          onSelect: (option) => {
+            selectionMade = true;
+            resolveFsQuery(entry, option.value);
+          },
+        }),
+      () => {
+        if (!selectionMade) resolveFsQuery(entry, 'deny');
+      },
+    );
+  }
+
   const unsubscribeAsked = api.event.on('permission.asked', (event) => {
     const pending = event.properties as PendingPermission;
     enqueue(pending);
@@ -234,6 +387,95 @@ const tui: TuiPlugin = async (api, options, meta) => {
     finishActive(event.properties.requestID);
   });
 
+  // Query-response socket server (Linux-only — landstrip's socket protocol lives
+  // in the seccomp broker). The server plugin connects each sandboxed run's
+  // fd 3 here via a /dev/tcp redirect and we answer held writes interactively.
+  const sockets = new Set<NetSocket>();
+  let socketServer: ReturnType<typeof createServer> | undefined;
+
+  if (process.platform === 'linux') {
+    const baseDirectory = api.state.path.directory || process.cwd();
+    let socketSeq = 0;
+
+    socketServer = createServer((socket) => {
+      sockets.add(socket);
+      socket.setEncoding('utf8');
+      const socketId = ++socketSeq;
+      const seen = new Set<number>();
+      let buffer = '';
+
+      socket.on('data', (chunk: string | Buffer) => {
+        buffer += chunk.toString();
+        if (buffer.length > 1024 * 1024) {
+          socket.destroy();
+          return;
+        }
+
+        let newline: number;
+        while ((newline = buffer.indexOf('\n')) !== -1) {
+          const line = buffer.slice(0, newline);
+          buffer = buffer.slice(newline + 1);
+
+          for (const trap of parseLandstripTraps(line)) {
+            if (trap.kind !== 'filesystem' || trap.state !== 'query') continue;
+            if (typeof trap.queryId !== 'number' || seen.has(trap.queryId)) continue;
+            seen.add(trap.queryId);
+
+            const sessionPaths =
+              trap.operation === 'read' ? sessionAllowedReadPaths : sessionAllowedWritePaths;
+            if (sessionPaths.has(trap.path)) {
+              respondFsQuery(socket, trap.queryId, 'allow');
+              continue;
+            }
+
+            const entry: FsQueryEntry = {
+              kind: 'fs-query',
+              id: `landstrip-${trap.operation}:${socketId}:${trap.queryId}`,
+              socket,
+              queryId: trap.queryId,
+              operation: trap.operation,
+              path: trap.path,
+            };
+            liveQueries.add(entry);
+            enqueueEntry(entry);
+          }
+        }
+      });
+
+      const cleanup = () => {
+        sockets.delete(socket);
+        // The child is gone; drop our holds for this socket so the queue moves on.
+        // Deleting the current entry mid-iteration is well-defined for a Set.
+        for (const entry of liveQueries) {
+          if (entry.socket !== socket) continue;
+          liveQueries.delete(entry);
+          finishActive(entry.id);
+        }
+      };
+      socket.on('error', cleanup);
+      socket.on('close', cleanup);
+    });
+
+    socketServer.on('error', () => {
+      try {
+        removeDiscoveryFile(baseDirectory);
+      } catch {
+        // best effort
+      }
+    });
+
+    socketServer.listen(0, '127.0.0.1', () => {
+      const address = socketServer?.address() as AddressInfo | null;
+      if (address && typeof address === 'object') {
+        try {
+          writeDiscoveryPort(baseDirectory, address.port);
+        } catch {
+          // best effort — falls back to the server's reset model
+        }
+      }
+    });
+  }
+
   const showSandbox = () => {
     const directory = api.state.path.directory || process.cwd();
     const message = sandboxSummary(directory, optionOverrides);
@@ -335,6 +577,22 @@ const tui: TuiPlugin = async (api, options, meta) => {
   api.lifecycle.onDispose(() => {
     unsubscribeAsked();
     unsubscribeReplied();
+
+    // Deny any still-held queries so the sandboxed children don't hang, then
+    // tear down the socket server and drop the discovery file.
+    for (const entry of liveQueries) {
+      respondFsQuery(entry.socket, entry.queryId, 'deny');
+      liveQueries.delete(entry);
+    }
+    for (const socket of sockets) socket.destroy();
+    if (socketServer) {
+      socketServer.close();
+      try {
+        removeDiscoveryFile(api.state.path.directory || process.cwd());
+      } catch {
+        // best effort
+      }
+    }
   });
 };