opencode-landstrip 0.16.13 → 0.16.15

package/index.ts

@@ -26,6 +26,7 @@ import {
   permissionType,
   readDiscoveryPort,
   sandboxSummary,
+  sessionScopeFor,
 } from './shared.js';
 
 interface LandstripPolicy {
@@ -768,6 +769,16 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   const activeBash = new Map<string, BashSandboxState>();
   const notified = new Set<string>();
   const callAllowances = new Set<string>();
+  const sessionAllowedReadPaths = new Set<string>();
+  const sessionAllowedWritePaths = new Set<string>();
+
+  function getEffectiveAllowRead(config: SandboxConfig): string[] {
+    return [...config.filesystem.allowRead, ...sessionAllowedReadPaths];
+  }
+
+  function getEffectiveAllowWrite(config: SandboxConfig): string[] {
+    return [...config.filesystem.allowWrite, ...sessionAllowedWritePaths];
+  }
   let enabledNotified = false;
   let sandboxDisabled = false;
   let configuredShell: string | undefined;
@@ -1034,6 +1045,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     const effectiveConfig = {
       ...config,
       network: { ...config.network },
+      filesystem: {
+        ...config.filesystem,
+        allowRead: getEffectiveAllowRead(config),
+        allowWrite: getEffectiveAllowWrite(config),
+      },
     };
 
     if (!allowNetwork) {
@@ -1108,8 +1124,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       const patterns = permissionPatterns(request);
 
       const decisions: SandboxPermissionDecision[] = [];
-      const effectiveAllowRead = config.filesystem.allowRead;
-      const effectiveAllowWrite = config.filesystem.allowWrite;
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
       if (permission === 'read') {
         for (const pattern of patterns) {
@@ -1158,8 +1174,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       const config = await activeConfig();
       if (!config) return;
 
-      const effectiveAllowRead = config.filesystem.allowRead;
-      const effectiveAllowWrite = config.filesystem.allowWrite;
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
       if (input.tool === 'bash') {
         await prepareBash(input.callID, output.args, config);
@@ -1250,9 +1266,19 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
       const blockedPath = extractBlockedPath(outputText, directory, state.originalCommand);
       if (blockedPath) {
+        let blockedOperation: 'read' | 'write' = 'read';
+        for (const trap of errors) {
+          if (trap.kind === 'filesystem') {
+            blockedOperation = trap.operation;
+            break;
+          }
+        }
+        const scope = sessionScopeFor(blockedPath, directory);
+        if (blockedOperation === 'read') sessionAllowedReadPaths.add(scope);
+        else sessionAllowedWritePaths.add(scope);
         await notifyOnce(
           `blocked:${blockedPath}`,
-          `Sandbox blocked access to "${blockedPath}". Approve the related OpenCode permission prompt and retry if needed.`,
+          `Sandbox blocked ${blockedOperation} to "${blockedPath}". Added "${scope}" to session allowlist; retry the command.`,
           'warning',
         );
       }
@@ -1346,8 +1372,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         const config = await activeConfig();
         if (!config) return;
 
-        const effectiveAllowRead = config.filesystem.allowRead;
-        const effectiveAllowWrite = config.filesystem.allowWrite;
+        const effectiveAllowRead = getEffectiveAllowRead(config);
+        const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
         for (const path of extractCandidatePaths(shellCommand)) {
           const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.16.13",
+  "version": "0.16.15",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",

package/shared.ts

@@ -6,6 +6,7 @@ import { binaryPath } from '@landstrip/landstrip';
 import { createHash } from 'node:crypto';
 import { existsSync, mkdirSync, readFileSync, realpathSync, rmSync, writeFileSync } from 'node:fs';
 import { homedir, tmpdir } from 'node:os';
+import { fileURLToPath } from 'node:url';
 import { dirname, join } from 'node:path';
 
 export interface SandboxFilesystemConfig {
@@ -36,30 +37,7 @@ export interface SandboxConfigOverrides {
   filesystem?: Partial<SandboxFilesystemConfig>;
 }
 
-export const DEFAULT_CONFIG: SandboxConfig = {
-  enabled: true,
-  network: {
-    allowNetwork: false,
-    allowLocalBinding: false,
-    allowAllUnixSockets: false,
-    allowUnixSockets: [],
-    allowedDomains: [],
-    deniedDomains: [],
-  },
-  filesystem: {
-    denyRead: ['/Users', '/home'],
-    allowRead: ['.', '~/.gitconfig', '~/.config/git/config', '/dev/null'],
-    allowWrite: ['.', '/dev/null'],
-    denyWrite: [
-      '**/.env',
-      '**/.env.*',
-      '**/*.pem',
-      '**/*.key',
-      '.opencode/sandbox.json',
-      '~/.config/opencode/sandbox.json',
-    ],
-  },
-};
+const packageDir = dirname(fileURLToPath(import.meta.url));
 
 const LANDSTRIP_PACKAGE_NAMES = new Set([
   '@landstrip/landstrip',
@@ -69,6 +47,52 @@ const LANDSTRIP_PACKAGE_NAMES = new Set([
   '@landstrip/landstrip-win32-x64',
 ]);
 
+// Breadth-first filesystem approval: a held read/write under a directory tree
+// is approved for the broadest reasonable ancestor (e.g. `~/.cargo`, not each
+// subcrate file), so a single approval covers sibling files under the same tree.
+export function pathUnderDirectory(filePath: string, dir: string): boolean {
+  if (filePath === dir) return true;
+  const sep = dir.endsWith('/') ? '' : '/';
+  return filePath.startsWith(dir + sep);
+}
+
+export function sessionAllows(prefixes: Set<string>, filePath: string): boolean {
+  for (const prefix of prefixes) {
+    if (pathUnderDirectory(filePath, prefix)) return true;
+  }
+  return false;
+}
+
+// The broadest ancestor worth approving in one click: the immediate child of
+// `$HOME` (e.g. `~/.cargo`) for paths under the user's home, the project root
+// for paths under it, otherwise the containing directory. When the file sits
+// directly on a boundary (so the only ancestor is `$HOME` itself, which would
+// over-broaden), fall back to the exact file so nothing widens silently.
+export function sessionScopeFor(filePath: string, baseDirectory: string): string {
+  const dir = dirname(filePath);
+  const home = homedir();
+  const boundaries = new Set<string>();
+  if (home) boundaries.add(home);
+  try {
+    const realHome = realpathSync.native(home);
+    if (realHome) boundaries.add(realHome);
+  } catch {
+    // $HOME not resolvable — fall back to the raw value only.
+  }
+
+  for (const boundary of boundaries) {
+    if (pathUnderDirectory(dir, boundary)) {
+      const rest = dir.slice(boundary.length).replace(/^\/+/, '');
+      const first = rest.split('/')[0];
+      if (!first) return filePath;
+      return boundary.endsWith('/') ? boundary + first : `${boundary}/${first}`;
+    }
+  }
+
+  if (pathUnderDirectory(dir, baseDirectory)) return baseDirectory;
+  return dir;
+}
+
 export function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value);
 }
@@ -195,13 +219,18 @@ export function loadConfig(
   optionOverrides: SandboxConfigOverrides,
 ): SandboxConfig {
   const { globalPath, projectPath } = getConfigPaths(baseDirectory);
-  return deepMerge(
-    deepMerge(
-      deepMerge(DEFAULT_CONFIG, readConfigFile(globalPath) ?? {}),
-      readConfigFile(projectPath) ?? {},
-    ),
-    optionOverrides,
-  );
+  const templatePath = join(packageDir, 'sandbox.json');
+
+  if (!existsSync(globalPath)) {
+    mkdirSync(dirname(globalPath), { recursive: true });
+    writeFileSync(globalPath, readFileSync(templatePath, 'utf-8'), 'utf-8');
+  }
+
+  const templateConfig: SandboxConfig = JSON.parse(readFileSync(templatePath, 'utf-8'));
+  const globalOverrides = readConfigFile(globalPath) ?? {};
+  const baseConfig = deepMerge(templateConfig, globalOverrides);
+
+  return deepMerge(deepMerge(baseConfig, readConfigFile(projectPath) ?? {}), optionOverrides);
 }
 
 export function writeConfigFile(configPath: string, update: SandboxConfigOverrides): void {
@@ -210,7 +239,10 @@ export function writeConfigFile(configPath: string, update: SandboxConfigOverrid
     throw new Error(`Config file ${configPath} is corrupted; refusing to overwrite`);
   }
 
-  const next = deepMerge(deepMerge(DEFAULT_CONFIG, current), update);
+  const templateConfig: SandboxConfig = JSON.parse(
+    readFileSync(join(packageDir, 'sandbox.json'), 'utf-8'),
+  );
+  const next = deepMerge(deepMerge(templateConfig, current), update);
 
   mkdirSync(dirname(configPath), { recursive: true });
   writeFileSync(configPath, JSON.stringify(next, null, 2) + '\n');

package/tui.ts

@@ -2,10 +2,7 @@
 // Copyright (C) Jarkko Sakkinen 2026
 
 import type { TuiPlugin, TuiSlotContext, TuiSlotPlugin } from '@opencode-ai/plugin/tui';
-import { realpathSync } from 'node:fs';
 import { type AddressInfo, createServer, type Socket as NetSocket } from 'node:net';
-import { homedir } from 'node:os';
-import { dirname } from 'node:path';
 
 import {
   getConfigPaths,
@@ -15,7 +12,9 @@ import {
   permissionLabel,
   permissionResource,
   removeDiscoveryFile,
+  sessionAllows,
   sandboxSummary,
+  sessionScopeFor,
   updateForPermission,
   writeConfigFile,
   writeDiscoveryPort,
@@ -67,54 +66,6 @@ function permissionDetail(permission: PendingPermission): string {
   return resource && !label.includes(resource) ? `${label}: ${resource}` : label;
 }
 
-// Breadth-first filesystem approval: a held read/write under a directory tree
-// is approved for the broadest reasonable ancestor (e.g. `~/.cargo`, not each
-// subcrate file), so a single scan does not spawn one dialog per file. The
-// session set stores directory prefixes and is matched with separator-safe
-// prefix logic so a sibling file under an approved scope is auto-allowed.
-function pathUnderDirectory(filePath: string, dir: string): boolean {
-  if (filePath === dir) return true;
-  const sep = dir.endsWith('/') ? '' : '/';
-  return filePath.startsWith(dir + sep);
-}
-
-function sessionAllows(prefixes: Set<string>, filePath: string): boolean {
-  for (const prefix of prefixes) {
-    if (pathUnderDirectory(filePath, prefix)) return true;
-  }
-  return false;
-}
-
-// The broadest ancestor worth approving in one click: the immediate child of
-// `$HOME` (e.g. `~/.cargo`) for paths under the user's home, the project root
-// for paths under it, otherwise the containing directory. When the file sits
-// directly on a boundary (so the only ancestor is `$HOME` itself, which would
-// over-broaden), fall back to the exact file so nothing widens silently.
-function sessionScopeFor(filePath: string, baseDirectory: string): string {
-  const dir = dirname(filePath);
-  const home = homedir();
-  const boundaries = new Set<string>();
-  if (home) boundaries.add(home);
-  try {
-    const realHome = realpathSync.native(home);
-    if (realHome) boundaries.add(realHome);
-  } catch {
-    // $HOME not resolvable — fall back to the raw value only.
-  }
-
-  for (const boundary of boundaries) {
-    if (pathUnderDirectory(dir, boundary)) {
-      const rest = dir.slice(boundary.length).replace(/^\/+/, '');
-      const first = rest.split('/')[0];
-      if (!first) return filePath;
-      return boundary.endsWith('/') ? boundary + first : `${boundary}/${first}`;
-    }
-  }
-
-  if (pathUnderDirectory(dir, baseDirectory)) return baseDirectory;
-  return dir;
-}
-
 const tui: TuiPlugin = async (api, options, meta) => {
   const optionOverrides = normalizeOptions(options);