opencode-landstrip 0.16.14 → 0.16.16

package/index.ts

@@ -24,8 +24,8 @@ import {
   parseLandstripTraps,
   permissionPatterns,
   permissionType,
-  readDiscoveryPort,
   sandboxSummary,
+  sessionScopeFor,
 } from './shared.js';
 
 interface LandstripPolicy {
@@ -45,6 +45,9 @@ interface BashSandboxState {
   policyDir: string;
   port: number | null;
   stop: (() => Promise<void>) | null;
+  trapServer: ReturnType<typeof createServer> | null;
+  trapServerPort: number | null;
+  trapLines: string[];
 }
 
 type SandboxPermissionKind = 'read' | 'write' | 'domain';
@@ -632,20 +635,83 @@ function shellArgs(shell: string, command: string): string[] {
   return [shell, '-lc', command];
 }
 
-// The query-response port is published by the TUI plugin and is Linux-only (the
-// socket protocol exists only in landstrip's seccomp broker).
-function socketQueryPort(baseDirectory: string): number | null {
-  if (process.platform !== 'linux') return null;
-  return readDiscoveryPort(baseDirectory);
-}
+// Start a local TCP server that landstrip connects its trap fd to. Traps are
+// handled in-process: query traps are answered immediately against the active
+// config, and info traps are collected for post-execution error reporting.
+function startTrapServer(
+  effectiveAllowRead: string[],
+  effectiveAllowWrite: string[],
+  denyRead: string[],
+  denyWrite: string[],
+  baseDirectory: string,
+  sessionAllowedReadPaths: Set<string>,
+  sessionAllowedWritePaths: Set<string>,
+): Promise<{ server: ReturnType<typeof createServer>; port: number; trapLines: string[] }> {
+  const trapLines: string[] = [];
+  const server = createServer((trapSocket) => {
+    let buffer = '';
+    trapSocket.on('data', (data: Buffer) => {
+      buffer += data.toString('utf8');
+      let nl = buffer.indexOf('\n');
+      while (nl !== -1) {
+        const line = buffer.slice(0, nl);
+        buffer = buffer.slice(nl + 1);
+        nl = buffer.indexOf('\n');
+        if (line.length === 0) continue;
+        let obj: Record<string, unknown> | null = null;
+        try {
+          const parsed: unknown = JSON.parse(line);
+          if (typeof parsed === 'object' && parsed !== null) {
+            obj = parsed as Record<string, unknown>;
+          }
+        } catch {
+          obj = null;
+        }
+        if (
+          obj &&
+          obj.state === 'query' &&
+          typeof obj.query_id === 'number' &&
+          (obj.operation === 'read' || obj.operation === 'write') &&
+          typeof obj.path === 'string'
+        ) {
+          const path = canonicalizePath(obj.path, baseDirectory);
+          const operation = obj.operation as 'read' | 'write';
+          // Per landstrip policy: a deny rule overrides allow only when more
+          // specific; a tie or more-specific allow carves the path back in.
+          const denyReadDepth = matchDepth(path, denyRead, baseDirectory);
+          const allowReadDepth = matchDepth(path, effectiveAllowRead, baseDirectory);
+          const denyWriteDepth = matchDepth(path, denyWrite, baseDirectory);
+          const allowWriteDepth = matchDepth(path, effectiveAllowWrite, baseDirectory);
+          const allowed =
+            operation === 'read'
+              ? !(denyReadDepth > allowReadDepth) && allowReadDepth >= 0
+              : !(denyWriteDepth > allowWriteDepth) && allowWriteDepth >= 0;
+          if (allowed) {
+            trapSocket.write(JSON.stringify({ query_id: obj.query_id, action: 'allow' }) + '\n');
+          } else {
+            // Auto-grant via session scope and allow so the command proceeds.
+            const scope = sessionScopeFor(path, baseDirectory);
+            if (operation === 'read') sessionAllowedReadPaths.add(scope);
+            else sessionAllowedWritePaths.add(scope);
+            trapSocket.write(JSON.stringify({ query_id: obj.query_id, action: 'allow' }) + '\n');
+            trapLines.push(line);
+          }
+        } else {
+          trapLines.push(line);
+        }
+      }
+    });
+    trapSocket.on('error', () => {});
+  });
 
-async function awaitQueryPort(baseDirectory: string): Promise<number | null> {
-  for (let attempt = 0; attempt < 5; attempt++) {
-    const port = socketQueryPort(baseDirectory);
-    if (port !== null) return port;
-    await new Promise((resolve) => setTimeout(resolve, 50));
-  }
-  return null;
+  return new Promise((resolve, reject) => {
+    server.on('error', reject);
+    server.listen(0, '127.0.0.1', () => {
+      server.removeListener('error', reject);
+      const address = server.address() as AddressInfo;
+      resolve({ server, port: address.port, trapLines });
+    });
+  });
 }
 
 function buildWrappedCommand(
@@ -768,6 +834,16 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   const activeBash = new Map<string, BashSandboxState>();
   const notified = new Set<string>();
   const callAllowances = new Set<string>();
+  const sessionAllowedReadPaths = new Set<string>();
+  const sessionAllowedWritePaths = new Set<string>();
+
+  function getEffectiveAllowRead(config: SandboxConfig): string[] {
+    return [...config.filesystem.allowRead, ...sessionAllowedReadPaths];
+  }
+
+  function getEffectiveAllowWrite(config: SandboxConfig): string[] {
+    return [...config.filesystem.allowWrite, ...sessionAllowedWritePaths];
+  }
   let enabledNotified = false;
   let sandboxDisabled = false;
   let configuredShell: string | undefined;
@@ -990,6 +1066,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
     activeBash.delete(callID);
     if (state.stop) await state.stop().catch(() => undefined);
+    if (state.trapServer) {
+      await new Promise<void>((resolve) => {
+        state.trapServer!.close(() => resolve());
+      });
+    }
     rmSync(state.policyDir, { recursive: true, force: true });
   }
 
@@ -1034,6 +1115,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     const effectiveConfig = {
       ...config,
       network: { ...config.network },
+      filesystem: {
+        ...config.filesystem,
+        allowRead: getEffectiveAllowRead(config),
+        allowWrite: getEffectiveAllowWrite(config),
+      },
     };
 
     if (!allowNetwork) {
@@ -1067,11 +1153,24 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     }
 
     const originalCommand = args.command as string;
+
+    // Start a local trap server so landstrip's query traps are answered
+    // in-process instead of relying on the TUI plugin's discovery port.
+    const trapServer = await startTrapServer(
+      effectiveConfig.filesystem.allowRead,
+      effectiveConfig.filesystem.allowWrite,
+      effectiveConfig.filesystem.denyRead,
+      effectiveConfig.filesystem.denyWrite,
+      directory,
+      sessionAllowedReadPaths,
+      sessionAllowedWritePaths,
+    );
+
     const wrappedCommand = buildWrappedCommand(
       policy.path,
       configuredShell ?? process.env.SHELL ?? '/bin/sh',
       originalCommand,
-      await awaitQueryPort(directory),
+      trapServer.port,
     );
 
     activeBash.set(callID, {
@@ -1080,6 +1179,9 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       policyDir: policy.dir,
       port: proxyPort,
       stop: proxy ? proxy.stop : null,
+      trapServer: trapServer.server,
+      trapServerPort: trapServer.port,
+      trapLines: trapServer.trapLines,
     });
 
     args.command = wrappedCommand;
@@ -1108,8 +1210,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       const patterns = permissionPatterns(request);
 
       const decisions: SandboxPermissionDecision[] = [];
-      const effectiveAllowRead = config.filesystem.allowRead;
-      const effectiveAllowWrite = config.filesystem.allowWrite;
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
       if (permission === 'read') {
         for (const pattern of patterns) {
@@ -1158,8 +1260,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       const config = await activeConfig();
       if (!config) return;
 
-      const effectiveAllowRead = config.filesystem.allowRead;
-      const effectiveAllowWrite = config.filesystem.allowWrite;
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
       if (input.tool === 'bash') {
         await prepareBash(input.callID, output.args, config);
@@ -1223,9 +1325,12 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       }
 
       const outputText = output?.output ?? '';
-      // Query traps were already resolved interactively over the socket by the
-      // TUI plugin; only terminal (info) traps belong in the after-the-fact toast.
-      const errors = parseLandstripTraps(outputText).filter(
+      // Query traps were already resolved in-process by the local trap server;
+      // only terminal (info) traps and trap-server-collected lines belong in
+      // the after-the-fact toast.
+      const serverTrapOutput = state.trapLines.join('\n');
+      const combinedOutput = serverTrapOutput ? outputText + '\n' + serverTrapOutput : outputText;
+      const errors = parseLandstripTraps(combinedOutput).filter(
         (trap: LandstripTrap) => !(trap.kind === 'filesystem' && trap.state === 'query'),
       );
       if (errors.length > 0) {
@@ -1250,9 +1355,19 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
       const blockedPath = extractBlockedPath(outputText, directory, state.originalCommand);
       if (blockedPath) {
+        let blockedOperation: 'read' | 'write' = 'read';
+        for (const trap of errors) {
+          if (trap.kind === 'filesystem') {
+            blockedOperation = trap.operation;
+            break;
+          }
+        }
+        const scope = sessionScopeFor(blockedPath, directory);
+        if (blockedOperation === 'read') sessionAllowedReadPaths.add(scope);
+        else sessionAllowedWritePaths.add(scope);
         await notifyOnce(
           `blocked:${blockedPath}`,
-          `Sandbox blocked access to "${blockedPath}". Approve the related OpenCode permission prompt and retry if needed.`,
+          `Sandbox blocked ${blockedOperation} to "${blockedPath}". Added "${scope}" to session allowlist; retry the command.`,
           'warning',
         );
       }
@@ -1346,8 +1461,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         const config = await activeConfig();
         if (!config) return;
 
-        const effectiveAllowRead = config.filesystem.allowRead;
-        const effectiveAllowWrite = config.filesystem.allowWrite;
+        const effectiveAllowRead = getEffectiveAllowRead(config);
+        const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
         for (const path of extractCandidatePaths(shellCommand)) {
           const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.16.14",
+  "version": "0.16.16",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",

package/shared.ts

@@ -47,6 +47,52 @@ const LANDSTRIP_PACKAGE_NAMES = new Set([
   '@landstrip/landstrip-win32-x64',
 ]);
 
+// Breadth-first filesystem approval: a held read/write under a directory tree
+// is approved for the broadest reasonable ancestor (e.g. `~/.cargo`, not each
+// subcrate file), so a single approval covers sibling files under the same tree.
+export function pathUnderDirectory(filePath: string, dir: string): boolean {
+  if (filePath === dir) return true;
+  const sep = dir.endsWith('/') ? '' : '/';
+  return filePath.startsWith(dir + sep);
+}
+
+export function sessionAllows(prefixes: Set<string>, filePath: string): boolean {
+  for (const prefix of prefixes) {
+    if (pathUnderDirectory(filePath, prefix)) return true;
+  }
+  return false;
+}
+
+// The broadest ancestor worth approving in one click: the immediate child of
+// `$HOME` (e.g. `~/.cargo`) for paths under the user's home, the project root
+// for paths under it, otherwise the containing directory. When the file sits
+// directly on a boundary (so the only ancestor is `$HOME` itself, which would
+// over-broaden), fall back to the exact file so nothing widens silently.
+export function sessionScopeFor(filePath: string, baseDirectory: string): string {
+  const dir = dirname(filePath);
+  const home = homedir();
+  const boundaries = new Set<string>();
+  if (home) boundaries.add(home);
+  try {
+    const realHome = realpathSync.native(home);
+    if (realHome) boundaries.add(realHome);
+  } catch {
+    // $HOME not resolvable — fall back to the raw value only.
+  }
+
+  for (const boundary of boundaries) {
+    if (pathUnderDirectory(dir, boundary)) {
+      const rest = dir.slice(boundary.length).replace(/^\/+/, '');
+      const first = rest.split('/')[0];
+      if (!first) return filePath;
+      return boundary.endsWith('/') ? boundary + first : `${boundary}/${first}`;
+    }
+  }
+
+  if (pathUnderDirectory(dir, baseDirectory)) return baseDirectory;
+  return dir;
+}
+
 export function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value);
 }

package/tui.ts

@@ -2,10 +2,7 @@
 // Copyright (C) Jarkko Sakkinen 2026
 
 import type { TuiPlugin, TuiSlotContext, TuiSlotPlugin } from '@opencode-ai/plugin/tui';
-import { realpathSync } from 'node:fs';
 import { type AddressInfo, createServer, type Socket as NetSocket } from 'node:net';
-import { homedir } from 'node:os';
-import { dirname } from 'node:path';
 
 import {
   getConfigPaths,
@@ -15,7 +12,9 @@ import {
   permissionLabel,
   permissionResource,
   removeDiscoveryFile,
+  sessionAllows,
   sandboxSummary,
+  sessionScopeFor,
   updateForPermission,
   writeConfigFile,
   writeDiscoveryPort,
@@ -67,54 +66,6 @@ function permissionDetail(permission: PendingPermission): string {
   return resource && !label.includes(resource) ? `${label}: ${resource}` : label;
 }
 
-// Breadth-first filesystem approval: a held read/write under a directory tree
-// is approved for the broadest reasonable ancestor (e.g. `~/.cargo`, not each
-// subcrate file), so a single scan does not spawn one dialog per file. The
-// session set stores directory prefixes and is matched with separator-safe
-// prefix logic so a sibling file under an approved scope is auto-allowed.
-function pathUnderDirectory(filePath: string, dir: string): boolean {
-  if (filePath === dir) return true;
-  const sep = dir.endsWith('/') ? '' : '/';
-  return filePath.startsWith(dir + sep);
-}
-
-function sessionAllows(prefixes: Set<string>, filePath: string): boolean {
-  for (const prefix of prefixes) {
-    if (pathUnderDirectory(filePath, prefix)) return true;
-  }
-  return false;
-}
-
-// The broadest ancestor worth approving in one click: the immediate child of
-// `$HOME` (e.g. `~/.cargo`) for paths under the user's home, the project root
-// for paths under it, otherwise the containing directory. When the file sits
-// directly on a boundary (so the only ancestor is `$HOME` itself, which would
-// over-broaden), fall back to the exact file so nothing widens silently.
-function sessionScopeFor(filePath: string, baseDirectory: string): string {
-  const dir = dirname(filePath);
-  const home = homedir();
-  const boundaries = new Set<string>();
-  if (home) boundaries.add(home);
-  try {
-    const realHome = realpathSync.native(home);
-    if (realHome) boundaries.add(realHome);
-  } catch {
-    // $HOME not resolvable — fall back to the raw value only.
-  }
-
-  for (const boundary of boundaries) {
-    if (pathUnderDirectory(dir, boundary)) {
-      const rest = dir.slice(boundary.length).replace(/^\/+/, '');
-      const first = rest.split('/')[0];
-      if (!first) return filePath;
-      return boundary.endsWith('/') ? boundary + first : `${boundary}/${first}`;
-    }
-  }
-
-  if (pathUnderDirectory(dir, baseDirectory)) return baseDirectory;
-  return dir;
-}
-
 const tui: TuiPlugin = async (api, options, meta) => {
   const optionOverrides = normalizeOptions(options);