opencode-landstrip 0.15.15 → 0.15.17

package/index.ts

@@ -22,6 +22,8 @@ import {
   loadConfig,
   normalizeOptions,
   parseLandstripTraps,
+  permissionPatterns,
+  permissionType,
   readDiscoveryPort,
 } from './shared.js';
 
@@ -55,7 +57,7 @@ interface SandboxPermissionDecision {
 
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 15, 9] as const;
+const LANDSTRIP_VERSION = [0, 15, 14] as const;
 const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
 
@@ -125,21 +127,37 @@ function globToRegExp(globPattern: string): RegExp {
   return new RegExp(`^${regex}$`);
 }
 
-function matchesPattern(filePath: string, patterns: string[], baseDirectory: string): boolean {
-  const abs = canonicalizePath(filePath, baseDirectory);
+// Component count of an absolute path; "/" is 0. Used to rank how specific a
+// matching pattern is so the most specific allow/deny rule wins.
+function pathDepth(absolutePath: string): number {
+  return absolutePath.split('/').filter((segment) => segment.length > 0).length;
+}
 
-  return patterns.some((pattern) => {
-    const absPattern = pattern.includes('*')
-      ? expandPath(pattern, baseDirectory)
-      : canonicalizePath(pattern, baseDirectory);
+// The depth of the most specific pattern that matches `filePath`, or -1 when
+// none match. A glob is anchored to the whole path, so it ranks at the path's
+// own depth; a literal pattern ranks at the depth of the prefix it covers.
+function matchDepth(filePath: string, patterns: string[], baseDirectory: string): number {
+  const abs = canonicalizePath(filePath, baseDirectory);
+  let depth = -1;
 
+  for (const pattern of patterns) {
     if (pattern.includes('*')) {
-      return globToRegExp(absPattern).test(abs);
+      const absPattern = expandPath(pattern, baseDirectory);
+      if (globToRegExp(absPattern).test(abs)) depth = Math.max(depth, pathDepth(abs));
+    } else {
+      const absPattern = canonicalizePath(pattern, baseDirectory);
+      const sep = absPattern.endsWith('/') ? '' : '/';
+      if (abs === absPattern || abs.startsWith(absPattern + sep)) {
+        depth = Math.max(depth, pathDepth(absPattern));
+      }
     }
+  }
 
-    const sep = absPattern.endsWith('/') ? '' : '/';
-    return abs === absPattern || abs.startsWith(absPattern + sep);
-  });
+  return depth;
+}
+
+function matchesPattern(filePath: string, patterns: string[], baseDirectory: string): boolean {
+  return matchDepth(filePath, patterns, baseDirectory) >= 0;
 }
 
 function resolveFilesystemPatterns(patterns: string[], baseDirectory: string): string[] {
@@ -162,10 +180,6 @@ function resolveFilesystemConfig(
   };
 }
 
-function shouldPromptForRead(path: string, allowRead: string[], baseDirectory: string): boolean {
-  return allowRead.length === 0 || !matchesPattern(path, allowRead, baseDirectory);
-}
-
 function shouldPromptForWrite(path: string, allowWrite: string[], baseDirectory: string): boolean {
   return allowWrite.length === 0 || !matchesPattern(path, allowWrite, baseDirectory);
 }
@@ -265,27 +279,6 @@ function extractBlockedWritePath(
   return extractBlockedPath(output, baseDirectory, command);
 }
 
-function isBlockedByDenyRead(path: string, config: SandboxConfig, baseDirectory: string): boolean {
-  return matchesPattern(path, config.filesystem.denyRead, baseDirectory);
-}
-
-function firstBlockedDomain(
-  command: string,
-  config: SandboxConfig,
-): { domain: string; reason: 'allowedDomains' | 'deniedDomains' } | null {
-  for (const domain of extractDomainsFromCommand(command)) {
-    if (domainMatchesAny(domain, config.network.deniedDomains)) {
-      return { domain, reason: 'deniedDomains' };
-    }
-
-    if (!domainMatchesAny(domain, config.network.allowedDomains)) {
-      return { domain, reason: 'allowedDomains' };
-    }
-  }
-
-  return null;
-}
-
 function evaluateReadPermission(
   path: string,
   config: SandboxConfig,
@@ -293,8 +286,13 @@ function evaluateReadPermission(
   effectiveAllowRead: string[],
 ): SandboxPermissionDecision {
   const filePath = canonicalizePath(path, baseDirectory);
+  const allowDepth = matchDepth(filePath, effectiveAllowRead, baseDirectory);
+  const denyDepth = matchDepth(filePath, config.filesystem.denyRead, baseDirectory);
 
-  if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
+  // The most specific rule wins, matching landstrip's read policy so the bash
+  // and read tools agree: a denyRead overrides allowRead only when it is more
+  // specific, while a tie or a more specific allowRead carves the path back in.
+  if (denyDepth > allowDepth) {
     return {
       status: 'deny',
       kind: 'read',
@@ -303,7 +301,7 @@ function evaluateReadPermission(
     };
   }
 
-  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) {
+  if (allowDepth >= 0) {
     return { status: 'allow', kind: 'read', resource: filePath, message: '' };
   }
 
@@ -754,27 +752,12 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   const optionOverrides = normalizeOptions(options);
   const activeBash = new Map<string, BashSandboxState>();
   const notified = new Set<string>();
-  const sessionAllowedReadPaths: string[] = [];
-  const sessionAllowedWritePaths: string[] = [];
-  const sessionAllowedDomains: string[] = [];
   const callAllowances = new Set<string>();
   let enabledNotified = false;
   let sandboxDisabled = false;
   let configuredShell: string | undefined;
   let landstripCheck: { ok: true; version: string } | { ok: false; reason: string } | undefined;
 
-  function getEffectiveAllowRead(config: SandboxConfig): string[] {
-    return [...config.filesystem.allowRead, ...sessionAllowedReadPaths];
-  }
-
-  function getEffectiveAllowWrite(config: SandboxConfig): string[] {
-    return [...config.filesystem.allowWrite, ...sessionAllowedWritePaths];
-  }
-
-  function getEffectiveAllowedDomains(config: SandboxConfig): string[] {
-    return [...config.network.allowedDomains, ...sessionAllowedDomains];
-  }
-
   function allowanceKey(callID: string, kind: SandboxPermissionKind, resource: string): string {
     return `${callID}:${kind}:${resource}`;
   }
@@ -791,8 +774,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     return callAllowances.has(allowanceKey(callID, decision.kind, decision.resource));
   }
 
-  function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
-    if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+  function reportBlocked(decision: SandboxPermissionDecision): never {
     client.tui
       ?.showToast?.({
         body: {
@@ -805,6 +787,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     throw errorWithConfigPaths(directory, decision.message);
   }
 
+  function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
+    if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+    reportBlocked(decision);
+  }
+
   function pushCommandText(
     input: { sessionID: string },
     output: { parts: unknown[] },
@@ -822,11 +809,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   function sandboxSummary(config: SandboxConfig): string {
     const { globalPath, projectPath } = getConfigPaths(directory);
     const networkMode = config.network.allowNetwork ? 'unrestricted' : 'proxied';
-    const allowed = getEffectiveAllowedDomains(config).join(', ') || '(none)';
+    const allowed = config.network.allowedDomains.join(', ') || '(none)';
     const denied = config.network.deniedDomains.join(', ') || '(none)';
     const denyRead = config.filesystem.denyRead.join(', ') || '(none)';
-    const allowRead = getEffectiveAllowRead(config).join(', ') || '(none)';
-    const allowWrite = getEffectiveAllowWrite(config).join(', ') || '(none)';
+    const allowRead = config.filesystem.allowRead.join(', ') || '(none)';
+    const allowWrite = config.filesystem.allowWrite.join(', ') || '(none)';
     const denyWrite = config.filesystem.denyWrite.join(', ') || '(none)';
 
     return [
@@ -1050,7 +1037,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     const callAllowedDomains: string[] = [];
     const effectiveConfig = {
       ...config,
-      network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
+      network: { ...config.network },
     };
 
     if (!allowNetwork) {
@@ -1114,14 +1101,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       if (!config) return;
 
       const request = input as Record<string, unknown>;
-      const permission =
-        typeof request.type === 'string'
-          ? request.type
-          : typeof request.permission === 'string'
-            ? request.permission
-            : typeof request.action === 'string'
-              ? request.action
-              : '';
+      const permission = permissionType(request);
       const metadata = isRecord(request.metadata) ? request.metadata : {};
       const tool = isRecord(request.tool) ? request.tool : undefined;
       const callID =
@@ -1130,17 +1110,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           : typeof tool?.callID === 'string'
             ? tool.callID
             : undefined;
-      const patterns = Array.isArray(request.patterns)
-        ? request.patterns.filter((item): item is string => typeof item === 'string')
-        : typeof request.pattern === 'string'
-          ? [request.pattern]
-          : Array.isArray(request.resources)
-            ? request.resources.filter((item): item is string => typeof item === 'string')
-            : [];
+      const patterns = permissionPatterns(request);
 
       const decisions: SandboxPermissionDecision[] = [];
-      const effectiveAllowRead = getEffectiveAllowRead(config);
-      const effectiveAllowWrite = getEffectiveAllowWrite(config);
+      const effectiveAllowRead = config.filesystem.allowRead;
+      const effectiveAllowWrite = config.filesystem.allowWrite;
 
       if (permission === 'read') {
         for (const pattern of patterns) {
@@ -1189,8 +1163,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       const config = await activeConfig();
       if (!config) return;
 
-      const effectiveAllowRead = getEffectiveAllowRead(config);
-      const effectiveAllowWrite = getEffectiveAllowWrite(config);
+      const effectiveAllowRead = config.filesystem.allowRead;
+      const effectiveAllowWrite = config.filesystem.allowWrite;
 
       if (input.tool === 'bash') {
         await prepareBash(input.callID, output.args, config);
@@ -1373,23 +1347,12 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         const config = await activeConfig();
         if (!config) return;
 
-        const effectiveAllowRead = getEffectiveAllowRead(config);
-        const effectiveAllowWrite = getEffectiveAllowWrite(config);
+        const effectiveAllowRead = config.filesystem.allowRead;
+        const effectiveAllowWrite = config.filesystem.allowWrite;
 
         for (const path of extractCandidatePaths(shellCommand)) {
           const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);
-          if (readDecision.status === 'deny') {
-            client.tui
-              ?.showToast?.({
-                body: {
-                  title: 'Sandbox blocked',
-                  message: readDecision.message.slice(0, 120),
-                  variant: 'error',
-                },
-              })
-              ?.catch?.(() => undefined);
-            throw errorWithConfigPaths(directory, readDecision.message);
-          }
+          if (readDecision.status === 'deny') reportBlocked(readDecision);
 
           const writeDecision = evaluateWritePermission(
             path,
@@ -1397,44 +1360,13 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
             directory,
             effectiveAllowWrite,
           );
-          if (writeDecision.status === 'deny') {
-            client.tui
-              ?.showToast?.({
-                body: {
-                  title: 'Sandbox blocked',
-                  message: writeDecision.message.slice(0, 120),
-                  variant: 'error',
-                },
-              })
-              ?.catch?.(() => undefined);
-            throw errorWithConfigPaths(directory, writeDecision.message);
-          }
+          if (writeDecision.status === 'deny') reportBlocked(writeDecision);
         }
 
         if (!config.network.allowNetwork) {
-          const effectiveConfig = {
-            ...config,
-            network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
-          };
-          const blockedDomain = firstBlockedDomain(shellCommand, effectiveConfig);
-          if (blockedDomain) {
-            const reason =
-              blockedDomain.reason === 'deniedDomains'
-                ? 'is blocked by network.deniedDomains'
-                : 'is not in network.allowedDomains';
-            client.tui
-              ?.showToast?.({
-                body: {
-                  title: 'Sandbox blocked',
-                  message: `Network access denied for "${blockedDomain.domain}"`,
-                  variant: 'error',
-                },
-              })
-              ?.catch?.(() => undefined);
-            throw errorWithConfigPaths(
-              directory,
-              `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,
-            );
+          for (const domain of extractDomainsFromCommand(shellCommand)) {
+            const decision = evaluateDomainPermission(domain, config);
+            if (decision.status !== 'allow') reportBlocked(decision);
           }
         }
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.15.15",
+  "version": "0.15.17",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -49,7 +49,7 @@
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@landstrip/landstrip": "^0.15.9"
+    "@landstrip/landstrip": "^0.15.14"
   },
   "devDependencies": {
     "@opencode-ai/plugin": "^1.17.7",

package/shared.ts

@@ -267,6 +267,28 @@ export function permissionPattern(permission: Record<string, unknown>): string |
   return undefined;
 }
 
+/**
+ * Every string pattern a permission carries, in declaration order, read from
+ * `patterns`, `pattern`, or `resources`. The plural complement to
+ * {@link permissionPattern} for callers that must inspect all patterns.
+ */
+export function permissionPatterns(permission: Record<string, unknown>): string[] {
+  const patterns = permission.patterns;
+  if (Array.isArray(patterns))
+    return patterns.filter((item): item is string => typeof item === 'string');
+
+  const pattern = permission.pattern;
+  if (typeof pattern === 'string') return [pattern];
+  if (Array.isArray(pattern))
+    return pattern.filter((item): item is string => typeof item === 'string');
+
+  const resources = permission.resources;
+  if (Array.isArray(resources))
+    return resources.filter((item): item is string => typeof item === 'string');
+
+  return [];
+}
+
 export function permissionLabel(permission: Record<string, unknown>): string {
   const type = permissionType(permission, 'permission');
   const title = typeof permission.title === 'string' ? permission.title : type;