opencode-landstrip 0.16.17 → 0.16.19

package/index.ts

@@ -18,6 +18,7 @@ import {
   formatLandstripTraps,
   getConfigPaths,
   isRecord,
+  isSandboxDisabled,
   landstripBinaryPath,
   loadConfig,
   normalizeOptions,
@@ -26,6 +27,7 @@ import {
   permissionType,
   sandboxSummary,
   sessionScopeFor,
+  setSandboxDisabled,
 } from './shared.js';
 
 interface LandstripPolicy {
@@ -285,19 +287,12 @@ function evaluateReadPermission(
   const allowDepth = matchDepth(filePath, effectiveAllowRead, baseDirectory);
   const denyDepth = matchDepth(filePath, config.filesystem.denyRead, baseDirectory);
 
-  // The most specific rule wins, matching landstrip's read policy so the bash
-  // and read tools agree: a denyRead overrides allowRead only when it is more
-  // specific, while a tie or a more specific allowRead carves the path back in.
-  if (denyDepth > allowDepth) {
-    return {
-      status: 'deny',
-      kind: 'read',
-      resource: filePath,
-      message: `Sandbox: read access denied for "${filePath}" (denyRead overrides allowRead).`,
-    };
-  }
-
-  if (allowDepth >= 0) {
+  // Reads are interactive, so the read tool never hard-denies: a path covered by
+  // allowRead at least as specifically as any denyRead is allowed silently;
+  // everything else asks for approval (allow once/session/persist or reject)
+  // rather than being blocked outright. denyRead still hard-applies to bash
+  // through the landstrip binary policy, which has no way to prompt.
+  if (allowDepth >= 0 && allowDepth >= denyDepth) {
     return { status: 'allow', kind: 'read', resource: filePath, message: '' };
   }
 
@@ -305,7 +300,7 @@ function evaluateReadPermission(
     status: 'ask',
     kind: 'read',
     resource: filePath,
-    message: `Sandbox: read access requires approval for "${filePath}" (not in filesystem.allowRead).`,
+    message: `Sandbox: read access requires approval for "${filePath}".`,
   };
 }
 
@@ -846,6 +841,9 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   }
   let enabledNotified = false;
   let sandboxDisabled = false;
+  // A previous session may have left a disable flag for this directory; start
+  // enabled so /sandbox-disable stays scoped to the current session.
+  setSandboxDisabled(directory, false);
   let configuredShell: string | undefined;
   let landstripCheck: { ok: true; version: string } | { ok: false; reason: string } | undefined;
 
@@ -899,7 +897,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
   function buildSandboxSummary(config: SandboxConfig): string {
     const { globalPath, projectPath } = getConfigPaths(directory);
-    const statusText = sandboxDisabled ? 'disabled for this session' : undefined;
+    const statusText =
+      sandboxDisabled || isSandboxDisabled(directory) ? 'disabled for this session' : undefined;
     const report = sandboxSummary(config, globalPath, projectPath, statusText);
     return ['# Sandbox Configuration', '', report].join('\n');
   }
@@ -1004,7 +1003,9 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   }
 
   async function activeConfig(): Promise<SandboxConfig | null> {
-    if (sandboxDisabled) return null;
+    // The flag file lets the TUI plugin pause the sandbox cross-process; the
+    // in-memory bool covers the server's own command path.
+    if (sandboxDisabled || isSandboxDisabled(directory)) return null;
 
     const config = loadConfig(directory, optionOverrides);
     if (!config.enabled) {
@@ -1392,7 +1393,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       }
 
       if (command === 'sandbox-disable') {
-        if (sandboxDisabled) {
+        if (sandboxDisabled || isSandboxDisabled(directory)) {
           pushCommandText(
             input,
             output,
@@ -1401,6 +1402,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           return;
         }
         sandboxDisabled = true;
+        setSandboxDisabled(directory, true);
         pushCommandText(
           input,
           output,
@@ -1419,7 +1421,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       }
 
       if (command === 'sandbox-enable') {
-        if (!sandboxDisabled) {
+        if (!sandboxDisabled && !isSandboxDisabled(directory)) {
           pushCommandText(
             input,
             output,
@@ -1428,6 +1430,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           return;
         }
         sandboxDisabled = false;
+        setSandboxDisabled(directory, false);
         const config = await activeConfig();
         if (!config) {
           pushCommandText(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.16.17",
+  "version": "0.16.19",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -49,7 +49,7 @@
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@landstrip/landstrip": "^0.16.13"
+    "@landstrip/landstrip": "^0.16.14"
   },
   "devDependencies": {
     "@opencode-ai/plugin": "^1.17.7",

package/shared.ts

@@ -528,15 +528,38 @@ function discoveryDir(): string {
   return join(base, 'opencode-landstrip');
 }
 
-export function discoveryFilePath(baseDirectory: string): string {
+function directoryHash(baseDirectory: string): string {
   let key = baseDirectory;
   try {
     key = realpathSync.native(baseDirectory);
   } catch {
     // Directory not resolvable — hash the raw path instead.
   }
-  const hash = createHash('sha256').update(key).digest('hex').slice(0, 16);
-  return join(discoveryDir(), `port-${hash}.json`);
+  return createHash('sha256').update(key).digest('hex').slice(0, 16);
+}
+
+export function discoveryFilePath(baseDirectory: string): string {
+  return join(discoveryDir(), `port-${directoryHash(baseDirectory)}.json`);
+}
+
+// /sandbox-disable pauses the sandbox per-directory. The flag lives beside the
+// discovery file so the TUI plugin (which runs the command) and the server
+// plugin (which gates wrapping) agree even though they are separate processes.
+export function disableFlagPath(baseDirectory: string): string {
+  return join(discoveryDir(), `disabled-${directoryHash(baseDirectory)}`);
+}
+
+export function setSandboxDisabled(baseDirectory: string, disabled: boolean): void {
+  if (disabled) {
+    mkdirSync(discoveryDir(), { recursive: true, mode: 0o700 });
+    writeFileSync(disableFlagPath(baseDirectory), `${process.pid}\n`);
+  } else {
+    rmSync(disableFlagPath(baseDirectory), { force: true });
+  }
+}
+
+export function isSandboxDisabled(baseDirectory: string): boolean {
+  return existsSync(disableFlagPath(baseDirectory));
 }
 
 export function writeDiscoveryPort(baseDirectory: string, port: number): void {

package/tui.ts

@@ -15,6 +15,7 @@ import {
   sessionAllows,
   sandboxSummary,
   sessionScopeFor,
+  setSandboxDisabled,
   updateForPermission,
   writeConfigFile,
   writeDiscoveryPort,
@@ -464,8 +465,18 @@ const tui: TuiPlugin = async (api, options, meta) => {
     );
   };
 
-  const executeServerCommand = async (command: string): Promise<boolean> => {
-    await api.client.tui.executeCommand({ command: `/${command}` });
+  // Toggle the per-directory disable flag directly. The server plugin gates
+  // wrapping on this flag, so disabling works without depending on a command
+  // round-trip reaching the server's command hook.
+  const setSandbox = (disabled: boolean): boolean => {
+    setSandboxDisabled(api.state.path.directory || process.cwd(), disabled);
+    api.ui.toast({
+      title: 'Sandbox',
+      message: disabled
+        ? 'Sandbox disabled for this session. Use /sandbox-enable to re-enable.'
+        : 'Sandbox re-enabled.',
+      variant: disabled ? 'warning' : 'success',
+    });
     return true;
   };
 
@@ -491,7 +502,7 @@ const tui: TuiPlugin = async (api, options, meta) => {
         suggested: true,
         slash: { name: 'sandbox-disable' },
         slashName: 'sandbox-disable',
-        run: () => executeServerCommand('sandbox-disable'),
+        run: () => setSandbox(true),
       },
       {
         namespace: 'palette',
@@ -502,7 +513,7 @@ const tui: TuiPlugin = async (api, options, meta) => {
         suggested: true,
         slash: { name: 'sandbox-enable' },
         slashName: 'sandbox-enable',
-        run: () => executeServerCommand('sandbox-enable'),
+        run: () => setSandbox(false),
       },
     ],
   });
@@ -524,7 +535,7 @@ const tui: TuiPlugin = async (api, options, meta) => {
       category: 'Sandbox',
       suggested: true,
       slash: { name: 'sandbox-disable' },
-      onSelect: () => executeServerCommand('sandbox-disable'),
+      onSelect: () => setSandbox(true),
     },
     {
       title: 'Enable sandbox',
@@ -533,7 +544,7 @@ const tui: TuiPlugin = async (api, options, meta) => {
       category: 'Sandbox',
       suggested: true,
       slash: { name: 'sandbox-enable' },
-      onSelect: () => executeServerCommand('sandbox-enable'),
+      onSelect: () => setSandbox(false),
     },
   ]);