opencode-landstrip 0.16.11 → 0.16.13

package/README.md

@@ -1,9 +1,31 @@
 # opencode-landstrip
 
-Landlock-based sandboxing for [opencode](https://opencode.ai/) using
-[`landstrip`](https://github.com/landstrip/landstrip).
+`opencode-landstrip` is a plugin for [OpenCode](https://opencode.ai/) providing
+a sandbox defined with a policy compatible with Anthropic's JSON format. It uses
+[`landstrip`](https://github.com/landstrip/landstrip) to implement the sandbox.
 
-## Install
+`opencode-landstrip` has a default policy [sandbox.json](./sandbox.json), and
+allows the define either or both global or project specific policies.
+
+## Installing the plugin
+
+### Automatic install
+
+Project specific install:
+
+```
+opencode plugin install opencode-landstrip
+```
+
+Global install:
+
+```
+opencode plugin install opencode-landstrip --global
+```
+
+### Manual install
+
+These changes are applied to OpenCode's configuration directories
 
 Add the plugin to `opencode.json`:
 
@@ -14,8 +36,7 @@ Add the plugin to `opencode.json`:
 }
 ```
 
-Add the TUI entrypoint to `tui.json` if you install or configure the plugin
-manually:
+Add TUI entry point to `tui.json`:
 
 ```json
 {
@@ -24,59 +45,31 @@ manually:
 }
 ```
 
-`opencode plugin install opencode-landstrip` configures both entrypoints.
-
-This installs `opencode-landstrip` and its `@landstrip/landstrip` dependency, which
-includes platform-specific native binaries for Linux, macOS, and Windows.
-
-Requires OpenCode `1.17.7` or newer.
-
-On unsupported platforms the plugin loads but leaves sandboxing disabled.
-
-## Configure
-
-Create `.opencode/sandbox.json` in a project or
-`~/.config/opencode/sandbox.json` globally. Project config takes precedence and
-array fields are merged with global/default values.
+The plugin can be later on disabled as follows:
 
-See [`sandbox.json`](./sandbox.json) for a starter config.
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": [["opencode-landstrip", { "enabled": false }]]
+}
+```
 
 ## Behavior
 
-The plugin wraps opencode's AI `bash` tool in `landstrip`, routes proxy-aware
-network traffic through an allowlist proxy, and blocks read/write tool access
-outside configured filesystem allowlists. The default policy is strict: network
-access is off unless domains are allowed, reads are limited to the project,
-`~/.gitconfig`, and `/dev/null`, and writes are limited to the project and
-`/dev/null`.
-
-Run `/sandbox` in the TUI to inspect the active sandbox configuration. A compact
-status badge in the prompt area shows whether the sandbox is active and whether
-network is proxied or open.
-
-When OpenCode asks for a sandboxed permission, the TUI plugin plays the host's
-permission sound and desktop notification, then opens a single dialog with
-choices to allow once, allow for the session, persist for the project, persist
-globally, or reject. The dialog shows the exact path or domain being approved.
+When OpenCode asks for a sandboxed permission, the plugin emits a host
+notification. After that the plugin opens a dialog with the choices to allow
+once, allow for the session, persist for the project, persist globally, or
+reject. The dialog shows the exact path or domain being approved.
+
 Project approvals are written to `.opencode/sandbox.json`; global approvals are
-written to `~/.config/opencode/sandbox.json`.
+written to `~/.config/opencode/sandbox.json`. When the global configuration is
+initially written it acquires the copy of the default sandbox configuration.
 
 OpenCode's current plugin API allows wrapping AI `bash` tool calls, but does not
 allow a plugin to replace manually typed shell-mode commands with a landstrip
 wrapper. Those commands can still receive the proxy environment from OpenCode,
 but they are not process-sandboxed by this plugin.
 
-## Disable
-
-Set `enabled` to `false` in `sandbox.json`, or pass plugin options:
-
-```json
-{
-  "$schema": "https://opencode.ai/config.json",
-  "plugin": [["opencode-landstrip", { "enabled": false }]]
-}
-```
-
 ## License
 
 `opencode-landstrip` is licensed under `MIT`. See [LICENSE](LICENSE) for more

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.16.11",
+  "version": "0.16.13",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",

package/sandbox.json

@@ -12,6 +12,13 @@
     "denyRead": ["/Users", "/home"],
     "allowRead": [".", "~/.gitconfig", "~/.config/git/config", "/dev/null"],
     "allowWrite": [".", "/dev/null"],
-    "denyWrite": ["**/.env", "**/.env.*", "**/*.pem", "**/*.key"]
+    "denyWrite": [
+      "**/.env",
+      "**/.env.*",
+      "**/*.pem",
+      "**/*.key",
+      ".opencode/sandbox.json",
+      "~/.config/opencode/sandbox.json"
+    ]
   }
 }

package/shared.ts

@@ -50,7 +50,14 @@ export const DEFAULT_CONFIG: SandboxConfig = {
     denyRead: ['/Users', '/home'],
     allowRead: ['.', '~/.gitconfig', '~/.config/git/config', '/dev/null'],
     allowWrite: ['.', '/dev/null'],
-    denyWrite: ['**/.env', '**/.env.*', '**/*.pem', '**/*.key'],
+    denyWrite: [
+      '**/.env',
+      '**/.env.*',
+      '**/*.pem',
+      '**/*.key',
+      '.opencode/sandbox.json',
+      '~/.config/opencode/sandbox.json',
+    ],
   },
 };
 

package/tui.ts

@@ -2,7 +2,10 @@
 // Copyright (C) Jarkko Sakkinen 2026
 
 import type { TuiPlugin, TuiSlotContext, TuiSlotPlugin } from '@opencode-ai/plugin/tui';
+import { realpathSync } from 'node:fs';
 import { type AddressInfo, createServer, type Socket as NetSocket } from 'node:net';
+import { homedir } from 'node:os';
+import { dirname } from 'node:path';
 
 import {
   getConfigPaths,
@@ -64,6 +67,54 @@ function permissionDetail(permission: PendingPermission): string {
   return resource && !label.includes(resource) ? `${label}: ${resource}` : label;
 }
 
+// Breadth-first filesystem approval: a held read/write under a directory tree
+// is approved for the broadest reasonable ancestor (e.g. `~/.cargo`, not each
+// subcrate file), so a single scan does not spawn one dialog per file. The
+// session set stores directory prefixes and is matched with separator-safe
+// prefix logic so a sibling file under an approved scope is auto-allowed.
+function pathUnderDirectory(filePath: string, dir: string): boolean {
+  if (filePath === dir) return true;
+  const sep = dir.endsWith('/') ? '' : '/';
+  return filePath.startsWith(dir + sep);
+}
+
+function sessionAllows(prefixes: Set<string>, filePath: string): boolean {
+  for (const prefix of prefixes) {
+    if (pathUnderDirectory(filePath, prefix)) return true;
+  }
+  return false;
+}
+
+// The broadest ancestor worth approving in one click: the immediate child of
+// `$HOME` (e.g. `~/.cargo`) for paths under the user's home, the project root
+// for paths under it, otherwise the containing directory. When the file sits
+// directly on a boundary (so the only ancestor is `$HOME` itself, which would
+// over-broaden), fall back to the exact file so nothing widens silently.
+function sessionScopeFor(filePath: string, baseDirectory: string): string {
+  const dir = dirname(filePath);
+  const home = homedir();
+  const boundaries = new Set<string>();
+  if (home) boundaries.add(home);
+  try {
+    const realHome = realpathSync.native(home);
+    if (realHome) boundaries.add(realHome);
+  } catch {
+    // $HOME not resolvable — fall back to the raw value only.
+  }
+
+  for (const boundary of boundaries) {
+    if (pathUnderDirectory(dir, boundary)) {
+      const rest = dir.slice(boundary.length).replace(/^\/+/, '');
+      const first = rest.split('/')[0];
+      if (!first) return filePath;
+      return boundary.endsWith('/') ? boundary + first : `${boundary}/${first}`;
+    }
+  }
+
+  if (pathUnderDirectory(dir, baseDirectory)) return baseDirectory;
+  return dir;
+}
+
 const tui: TuiPlugin = async (api, options, meta) => {
   const optionOverrides = normalizeOptions(options);
 
@@ -237,19 +288,23 @@ const tui: TuiPlugin = async (api, options, meta) => {
     if (resolved.has(entry.id)) return;
     const action = choice === 'deny' ? 'deny' : 'allow';
     const verb = entry.operation === 'read' ? 'Read' : 'Write';
+    const directory = api.state.path.directory || process.cwd();
+    const scope = sessionScopeFor(entry.path, directory);
+    const sessionPaths =
+      entry.operation === 'read' ? sessionAllowedReadPaths : sessionAllowedWritePaths;
 
     try {
       if (action === 'allow') {
-        if (choice === 'session') {
-          const sessionPaths =
-            entry.operation === 'read' ? sessionAllowedReadPaths : sessionAllowedWritePaths;
-          sessionPaths.add(entry.path);
-        } else if (choice === 'project' || choice === 'global') {
-          const directory = api.state.path.directory || process.cwd();
+        // Breadth-first: seed the session set with the broadest reasonable
+        // ancestor so the still-running command stops prompting for sibling
+        // files under the same tree. 'once' intentionally stays exact-path.
+        if (choice !== 'once') sessionPaths.add(scope);
+
+        if (choice === 'project' || choice === 'global') {
           const { globalPath, projectPath } = getConfigPaths(directory);
           const update = updateForPermission({
             permission: entry.operation,
-            metadata: { filepath: entry.path },
+            metadata: { filepath: scope },
           });
           if (update) writeConfigFile(choice === 'project' ? projectPath : globalPath, update);
         }
@@ -259,7 +314,9 @@ const tui: TuiPlugin = async (api, options, meta) => {
       api.ui.toast({
         title: 'Sandbox',
         message:
-          action === 'deny' ? `${verb} denied: ${entry.path}` : `${verb} allowed (${choice})`,
+          action === 'deny'
+            ? `${verb} denied: ${entry.path}`
+            : `${verb} allowed (${choice}) under ${scope}`,
         variant: action === 'deny' ? 'warning' : 'success',
       });
     } catch {
@@ -276,6 +333,8 @@ const tui: TuiPlugin = async (api, options, meta) => {
     const verb = entry.operation === 'read' ? 'Read' : 'Write';
     const noun = entry.operation;
     const listName = entry.operation === 'read' ? 'allowRead' : 'allowWrite';
+    const directory = api.state.path.directory || process.cwd();
+    const scope = sessionScopeFor(entry.path, directory);
 
     void api.attention.notify({
       title: `Sandbox ${noun} blocked`,
@@ -299,25 +358,25 @@ const tui: TuiPlugin = async (api, options, meta) => {
               title: 'Allow once',
               value: 'once',
               category: `This ${noun}`,
-              description: `Permit this ${noun} and continue`,
+              description: `Permit only this ${noun}`,
             },
             {
               title: 'Allow for session',
               value: 'session',
               category: `This ${noun}`,
-              description: `Permit ${noun}s to this path for the rest of this session`,
+              description: `Permit ${noun}s under ${scope} for this session`,
             },
             {
               title: 'Allow for project',
               value: 'project',
               category: 'Persist to sandbox.json',
-              description: `Add to .opencode/sandbox.json ${listName} and permit`,
+              description: `Add ${scope} to .opencode/sandbox.json ${listName}`,
             },
             {
               title: 'Allow globally',
               value: 'global',
               category: 'Persist to sandbox.json',
-              description: `Add to ~/.config/opencode/sandbox.json ${listName} and permit`,
+              description: `Add ${scope} to ~/.config/opencode/sandbox.json ${listName}`,
             },
             {
               title: 'Deny',
@@ -383,7 +442,7 @@ const tui: TuiPlugin = async (api, options, meta) => {
 
             const sessionPaths =
               trap.operation === 'read' ? sessionAllowedReadPaths : sessionAllowedWritePaths;
-            if (sessionPaths.has(trap.path)) {
+            if (sessionAllows(sessionPaths, trap.path)) {
               respondFsQuery(socket, trap.queryId, 'allow');
               continue;
             }