opencode-landstrip 0.16.7 → 0.16.9

package/index.ts

@@ -267,9 +267,10 @@ function extractBlockedPath(
     }
   }
 
-  // If landstrip reported a trap but without a path, try to
-  // extract the blocked path from the command itself
-  if (landstripTraps.length > 0 && command) {
+  if (
+    landstripTraps.some((trap) => trap.kind === 'filesystem' || trap.kind === 'internal') &&
+    command
+  ) {
     for (const candidate of extractCandidatePaths(command)) {
       const resolved = canonicalizePath(candidate, baseDirectory);
       return resolved;
@@ -279,14 +280,6 @@ function extractBlockedPath(
   return null;
 }
 
-function extractBlockedWritePath(
-  output: string,
-  baseDirectory: string,
-  command?: string,
-): string | null {
-  return extractBlockedPath(output, baseDirectory, command);
-}
-
 function evaluateReadPermission(
   path: string,
   config: SandboxConfig,
@@ -652,6 +645,15 @@ function socketQueryPort(baseDirectory: string): number | null {
   return readDiscoveryPort(baseDirectory);
 }
 
+async function awaitQueryPort(baseDirectory: string): Promise<number | null> {
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const port = socketQueryPort(baseDirectory);
+    if (port !== null) return port;
+    await new Promise((resolve) => setTimeout(resolve, 50));
+  }
+  return null;
+}
+
 function buildWrappedCommand(
   policyPath: string,
   shell: string,
@@ -663,12 +665,17 @@ function buildWrappedCommand(
   if (trapPort === null) return plain;
 
   // Connect fd 3 to the TUI's query-response socket BEFORE landstrip applies the
-  // sandbox, so a denied write can be approved live instead of forcing a re-run.
-  // The `&&`/`||` guard falls back to the plain (no --trap-fd) invocation when the
-  // redirect fails — a dead port, a non-bash outer shell without /dev/tcp, or an
-  // outer `set -e` — so a failed connect never hands the broker a dead fd 3.
+  // sandbox, so a denied filesystem access can be approved live instead of
+  // forcing a re-run.
+  //
+  // /dev/tcp is a bash/ksh built-in — it does not work in zsh, dash, or fish.
+  // We try the native redirect first (fast path when the host shell supports it)
+  // and fall back to an explicit bash invocation that always speaks /dev/tcp.
+  // If both fail (no bash, dead port, set -e in the outer shell) landstrip runs
+  // without --trap-fd so the toast-notify path still works.
   const trapped = [landstripBinaryPath(), '--trap-fd', '3', ...baseArgs].map(shellQuote).join(' ');
-  return `{ exec 3<>/dev/tcp/127.0.0.1/${trapPort} ; } 2>/dev/null && ${trapped} || ${plain}`;
+  const bashTrap = `bash -c ${shellQuote(`exec 3<>/dev/tcp/127.0.0.1/${trapPort} && exec "$@"`)} bash ${trapped}`;
+  return `{ exec 3<>/dev/tcp/127.0.0.1/${trapPort} ; } 2>/dev/null && ${trapped} || ${bashTrap} 2>/dev/null || ${plain}`;
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
@@ -1062,7 +1069,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       policy.path,
       configuredShell ?? process.env.SHELL ?? '/bin/sh',
       originalCommand,
-      socketQueryPort(directory),
+      await awaitQueryPort(directory),
     );
 
     activeBash.set(callID, {
@@ -1239,7 +1246,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           ?.catch?.(() => undefined);
       }
 
-      const blockedPath = extractBlockedWritePath(outputText, directory, state.originalCommand);
+      const blockedPath = extractBlockedPath(outputText, directory, state.originalCommand);
       if (blockedPath) {
         await notifyOnce(
           `blocked:${blockedPath}`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.16.7",
+  "version": "0.16.9",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",