opencode-landstrip 0.3.10 → 0.3.12

package/index.ts

@@ -53,11 +53,12 @@ interface LandstripPolicy {
 }
 
 interface LandstripErrorResponse {
-  reason: 'Other' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
+  reason: 'Other' | 'AccessDenied' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
   file?: string;
+  operation?: 'read' | 'write';
   program?: string;
   type?: 'filesystem' | 'network' | 'platform' | 'launch' | 'encoding';
-  source: string;
+  source?: string;
 }
 
 interface SandboxConfigOverrides {
@@ -74,10 +75,59 @@ interface BashSandboxState {
   stop: (() => Promise<void>) | null;
 }
 
+type SandboxPermissionKind = 'read' | 'write' | 'domain';
+
+interface SandboxPermissionDecision {
+  status: 'allow' | 'ask' | 'deny';
+  kind: SandboxPermissionKind;
+  resource: string;
+  message: string;
+}
+
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 11, 0] as const;
+const LANDSTRIP_VERSION = [0, 11, 9] as const;
+const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
+const LANDSTRIP_ERROR_REASONS = new Set<LandstripErrorResponse['reason']>([
+  'Other',
+  'AccessDenied',
+  'LaunchFailed',
+  'SetupFailed',
+  'Usage',
+]);
+const LANDSTRIP_OPERATIONS = new Set<NonNullable<LandstripErrorResponse['operation']>>([
+  'read',
+  'write',
+]);
+const LANDSTRIP_ERROR_TYPES = new Set<NonNullable<LandstripErrorResponse['type']>>([
+  'filesystem',
+  'network',
+  'platform',
+  'launch',
+  'encoding',
+]);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
+const LANDSTRIP_PACKAGE_NAMES = new Set([
+  '@jarkkojs/landstrip',
+  '@jarkkojs/landstrip-darwin-arm64',
+  '@jarkkojs/landstrip-darwin-x64',
+  '@jarkkojs/landstrip-linux-x64',
+  '@jarkkojs/landstrip-win32-x64',
+]);
+
+function isLandstripErrorReason(value: string): value is LandstripErrorResponse['reason'] {
+  return LANDSTRIP_ERROR_REASONS.has(value as LandstripErrorResponse['reason']);
+}
+
+function isLandstripOperation(
+  value: string,
+): value is NonNullable<LandstripErrorResponse['operation']> {
+  return LANDSTRIP_OPERATIONS.has(value as NonNullable<LandstripErrorResponse['operation']>);
+}
+
+function isLandstripErrorType(value: string): value is NonNullable<LandstripErrorResponse['type']> {
+  return LANDSTRIP_ERROR_TYPES.has(value as NonNullable<LandstripErrorResponse['type']>);
+}
 
 const DEFAULT_CONFIG: SandboxConfig = {
   enabled: true,
@@ -86,36 +136,14 @@ const DEFAULT_CONFIG: SandboxConfig = {
     allowLocalBinding: false,
     allowAllUnixSockets: false,
     allowUnixSockets: [],
-    allowedDomains: [
-      'npmjs.org',
-      '*.npmjs.org',
-      'registry.npmjs.org',
-      'registry.yarnpkg.com',
-      'pypi.org',
-      '*.pypi.org',
-      'github.com',
-      '*.github.com',
-      'api.github.com',
-      'raw.githubusercontent.com',
-      'crates.io',
-      '*.crates.io',
-      'static.crates.io',
-    ],
+    allowedDomains: [],
     deniedDomains: [],
   },
   filesystem: {
     denyRead: ['/Users', '/home'],
-    allowRead: [
-      '.',
-      '/dev/null',
-      '~/.config/opencode',
-      '~/.config/git',
-      '~/.gitconfig',
-      '~/.local',
-      '~/.cargo',
-    ],
-    allowWrite: ['.', '/tmp', '/dev/null'],
-    denyWrite: ['.env', '.env.*', '*.pem', '*.key'],
+    allowRead: ['.', '~/.gitconfig', '/dev/null'],
+    allowWrite: ['.', '/dev/null'],
+    denyWrite: ['**/.env', '**/.env.*', '**/*.pem', '**/*.key'],
   },
 };
 
@@ -189,16 +217,30 @@ function normalizeOptions(options: PluginOptions | undefined): SandboxConfigOver
   return normalizeConfig(isRecord(options.config) ? options.config : options);
 }
 
+function mergeArray(base: string[], override?: string[]): string[] {
+  if (!override) return base;
+  return [...new Set([...base, ...override])];
+}
+
 function deepMerge(base: SandboxConfig, overrides: SandboxConfigOverrides): SandboxConfig {
+  const network = overrides.network;
+  const filesystem = overrides.filesystem;
+
   return {
     enabled: overrides.enabled ?? base.enabled,
     network: {
-      ...base.network,
-      ...overrides.network,
+      allowNetwork: network?.allowNetwork ?? base.network.allowNetwork,
+      allowLocalBinding: network?.allowLocalBinding ?? base.network.allowLocalBinding,
+      allowAllUnixSockets: network?.allowAllUnixSockets ?? base.network.allowAllUnixSockets,
+      allowUnixSockets: mergeArray(base.network.allowUnixSockets, network?.allowUnixSockets),
+      allowedDomains: mergeArray(base.network.allowedDomains, network?.allowedDomains),
+      deniedDomains: mergeArray(base.network.deniedDomains, network?.deniedDomains),
     },
     filesystem: {
-      ...base.filesystem,
-      ...overrides.filesystem,
+      denyRead: mergeArray(base.filesystem.denyRead, filesystem?.denyRead),
+      allowRead: mergeArray(base.filesystem.allowRead, filesystem?.allowRead),
+      allowWrite: mergeArray(base.filesystem.allowWrite, filesystem?.allowWrite),
+      denyWrite: mergeArray(base.filesystem.denyWrite, filesystem?.denyWrite),
     },
   };
 }
@@ -239,6 +281,33 @@ function configuredShellPath(config: unknown): string | undefined {
   return typeof config.shell === 'string' ? config.shell : undefined;
 }
 
+function landstripBinaryPath(): string {
+  const filePath = realpathSync.native(binaryPath());
+  let probe = dirname(filePath);
+
+  while (true) {
+    const manifestPath = join(probe, 'package.json');
+    if (existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8')) as unknown;
+        if (isRecord(manifest) && LANDSTRIP_PACKAGE_NAMES.has(String(manifest.name))) {
+          return filePath;
+        }
+      } catch {
+        // malformed package.json — continue walking to parent
+      }
+    }
+
+    const parent = dirname(probe);
+    if (parent === probe) break;
+    probe = parent;
+  }
+
+  throw new Error(
+    `Refusing to use landstrip binary outside official @jarkkojs/landstrip packages: ${filePath}`,
+  );
+}
+
 function canonicalizePath(filePath: string, baseDirectory: string): string {
   const abs = expandPath(filePath, baseDirectory);
 
@@ -434,8 +503,91 @@ function firstBlockedDomain(
   return null;
 }
 
+function evaluateReadPermission(
+  path: string,
+  config: SandboxConfig,
+  baseDirectory: string,
+  effectiveAllowRead: string[],
+): SandboxPermissionDecision {
+  const filePath = canonicalizePath(path, baseDirectory);
+
+  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) {
+    return { status: 'allow', kind: 'read', resource: filePath, message: '' };
+  }
+
+  if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
+    return {
+      status: 'deny',
+      kind: 'read',
+      resource: filePath,
+      message: `Sandbox: read access denied for "${filePath}" (denyRead overrides allowRead).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'read',
+    resource: filePath,
+    message: `Sandbox: read access requires approval for "${filePath}" (not in filesystem.allowRead).`,
+  };
+}
+
+function evaluateWritePermission(
+  path: string,
+  config: SandboxConfig,
+  baseDirectory: string,
+  effectiveAllowWrite: string[],
+): SandboxPermissionDecision {
+  const filePath = canonicalizePath(path, baseDirectory);
+
+  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) {
+    return { status: 'allow', kind: 'write', resource: filePath, message: '' };
+  }
+
+  if (matchesPattern(filePath, config.filesystem.denyWrite, baseDirectory)) {
+    return {
+      status: 'deny',
+      kind: 'write',
+      resource: filePath,
+      message: `Sandbox: write access denied for "${filePath}" (in filesystem.denyWrite).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'write',
+    resource: filePath,
+    message: `Sandbox: write access requires approval for "${filePath}" (not in filesystem.allowWrite).`,
+  };
+}
+
+function evaluateDomainPermission(
+  domain: string,
+  config: SandboxConfig,
+): SandboxPermissionDecision {
+  if (config.network.allowNetwork || domainMatchesAny(domain, config.network.allowedDomains)) {
+    return { status: 'allow', kind: 'domain', resource: domain, message: '' };
+  }
+
+  if (domainMatchesAny(domain, config.network.deniedDomains)) {
+    return {
+      status: 'deny',
+      kind: 'domain',
+      resource: domain,
+      message: `Sandbox: network access denied for "${domain}" (is blocked by network.deniedDomains).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'domain',
+    resource: domain,
+    message: `Sandbox: network access requires approval for "${domain}" (not in network.allowedDomains).`,
+  };
+}
+
 function landstripVersion(): string | null {
-  const result = spawnSync(binaryPath(), ['--version'], { encoding: 'utf-8' });
+  const result = spawnSync(landstripBinaryPath(), ['--version'], { encoding: 'utf-8' });
   if (result.status !== 0) return null;
   return result.stdout.trim();
 }
@@ -472,25 +624,19 @@ function parseLandstripErrors(output: string): LandstripErrorResponse[] {
       if (key.length > 0 && value.length > 0) fields[key] = value;
     }
 
-    if (
-      fields.reason &&
-      ['Other', 'LaunchFailed', 'SetupFailed', 'Usage'].includes(fields.reason) &&
-      fields.source
-    ) {
+    if (fields.reason && isLandstripErrorReason(fields.reason)) {
       const error: LandstripErrorResponse = {
-        reason: fields.reason as LandstripErrorResponse['reason'],
-        source: fields.source,
+        reason: fields.reason,
       };
 
       if (fields.file) error.file = fields.file;
+      if (fields.operation && isLandstripOperation(fields.operation)) {
+        error.operation = fields.operation;
+      }
       if (fields.program) error.program = fields.program;
+      if (fields.source) error.source = fields.source;
 
-      if (
-        fields.type &&
-        ['filesystem', 'network', 'platform', 'launch', 'encoding'].includes(fields.type)
-      ) {
-        error.type = fields.type as LandstripErrorResponse['type'];
-      }
+      if (fields.type && isLandstripErrorType(fields.type)) error.type = fields.type;
 
       errors.push(error);
     }
@@ -507,13 +653,16 @@ function formatLandstripErrors(errors: LandstripErrorResponse[]): string {
       if (err.file) {
         parts.push(` (${err.file})`);
       }
+      if (err.operation) {
+        parts.push(` ${err.operation}`);
+      }
       if (err.program) {
         parts.push(` ${err.program}`);
       }
       if (err.type) {
         parts.push(`:${err.type}`);
       }
-      parts.push(`: ${err.source}`);
+      if (err.source) parts.push(`: ${err.source}`);
 
       return parts.join('');
     })
@@ -746,12 +895,12 @@ function shellArgs(shell: string, command: string): string[] {
 function buildWrappedCommand(policyPath: string, shell: string, command: string): string {
   const args = ['-p', policyPath, ...shellArgs(shell, command)];
 
-  return [binaryPath(), ...args].map(shellQuote).join(' ');
+  return [landstripBinaryPath(), ...args].map(shellQuote).join(' ');
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
   return (
-    command.startsWith(`${shellQuote(binaryPath())} `) &&
+    command.startsWith(`${shellQuote(landstripBinaryPath())} `) &&
     command.includes(` ${shellQuote('-p')} `) &&
     command.includes('opencode-landstrip-')
   );
@@ -829,69 +978,14 @@ function errorWithConfigPaths(baseDirectory: string, message: string): Error {
   return new Error(`${message}\n\nUpdate sandbox config in:\n  ${projectPath}\n  ${globalPath}`);
 }
 
-function assertReadAllowed(
-  path: string,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowRead: string[],
-): void {
-  const filePath = canonicalizePath(path, baseDirectory);
-
-  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) return;
-
-  if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
-    throw errorWithConfigPaths(
-      baseDirectory,
-      `Sandbox: read access denied for "${filePath}" (denyRead overrides allowRead).`,
-    );
-  }
-
-  throw errorWithConfigPaths(
-    baseDirectory,
-    `Sandbox: read access denied for "${filePath}" (not in filesystem.allowRead).`,
-  );
-}
-
-function assertWriteAllowed(
-  path: string,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowWrite: string[],
-): void {
-  const filePath = canonicalizePath(path, baseDirectory);
-
-  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) return;
-
-  if (matchesPattern(filePath, config.filesystem.denyWrite, baseDirectory)) {
-    throw errorWithConfigPaths(
-      baseDirectory,
-      `Sandbox: write access denied for "${filePath}" (in filesystem.denyWrite).`,
-    );
-  }
-
-  throw errorWithConfigPaths(
-    baseDirectory,
-    `Sandbox: write access denied for "${filePath}" (not in filesystem.allowWrite).`,
-  );
-}
-
-function assertApplyPatchAllowed(
-  args: Record<string, unknown>,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowWrite: string[],
-): void {
-  if (typeof args.patchText !== 'string') return;
-  for (const path of extractPatchPaths(args.patchText))
-    assertWriteAllowed(path, config, baseDirectory, effectiveAllowWrite);
-}
-
 const plugin: Plugin = async ({ client, directory }: PluginInput, options?: PluginOptions) => {
   const optionOverrides = normalizeOptions(options);
   const activeBash = new Map<string, BashSandboxState>();
   const notified = new Set<string>();
   const sessionAllowedReadPaths: string[] = [];
   const sessionAllowedWritePaths: string[] = [];
+  const sessionAllowedDomains: string[] = [];
+  const callAllowances = new Set<string>();
   let enabledNotified = false;
   let sandboxDisabled = false;
   let configuredShell: string | undefined;
@@ -905,6 +999,40 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     return [...config.filesystem.allowWrite, ...sessionAllowedWritePaths];
   }
 
+  function getEffectiveAllowedDomains(config: SandboxConfig): string[] {
+    return [...config.network.allowedDomains, ...sessionAllowedDomains];
+  }
+
+  function allowanceKey(callID: string, kind: SandboxPermissionKind, resource: string): string {
+    return `${callID}:${kind}:${resource}`;
+  }
+
+  function rememberCallAllowance(
+    callID: string | undefined,
+    decision: SandboxPermissionDecision,
+  ): void {
+    if (!callID || decision.status === 'deny') return;
+    callAllowances.add(allowanceKey(callID, decision.kind, decision.resource));
+  }
+
+  function hasCallAllowance(callID: string, decision: SandboxPermissionDecision): boolean {
+    return callAllowances.has(allowanceKey(callID, decision.kind, decision.resource));
+  }
+
+  function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
+    if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+    client.tui
+      ?.showToast?.({
+        body: {
+          title: 'Sandbox blocked',
+          message: decision.message.slice(0, 120),
+          variant: 'error',
+        },
+      })
+      ?.catch?.(() => undefined);
+    throw errorWithConfigPaths(directory, decision.message);
+  }
+
   function pushCommandText(
     input: { sessionID: string },
     output: { parts: unknown[] },
@@ -922,7 +1050,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   function sandboxSummary(config: SandboxConfig): string {
     const { globalPath, projectPath } = getConfigPaths(directory);
     const networkMode = config.network.allowNetwork ? 'unrestricted' : 'proxied';
-    const allowed = config.network.allowedDomains.join(', ') || '(none)';
+    const allowed = getEffectiveAllowedDomains(config).join(', ') || '(none)';
     const denied = config.network.deniedDomains.join(', ') || '(none)';
     const denyRead = config.filesystem.denyRead.join(', ') || '(none)';
     const allowRead = getEffectiveAllowRead(config).join(', ') || '(none)';
@@ -933,7 +1061,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       '# Sandbox Configuration',
       '',
       `Status: ${sandboxDisabled ? 'disabled for this session' : 'active'}`,
-      `landstrip: ${binaryPath()}`,
+      `landstrip package binary: ${landstripBinaryPath()}`,
       '',
       'Config files:',
       `- project: ${projectPath}`,
@@ -1020,7 +1148,17 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       return landstripCheck;
     }
 
-    const version = landstripVersion();
+    let version: string | null;
+    try {
+      version = landstripVersion();
+    } catch (error) {
+      landstripCheck = {
+        ok: false,
+        reason: error instanceof Error ? error.message : String(error),
+      };
+      return landstripCheck;
+    }
+
     if (!version) {
       landstripCheck = {
         ok: false,
@@ -1032,7 +1170,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (!hasMinimumVersion(version, LANDSTRIP_VERSION)) {
       landstripCheck = {
         ok: false,
-        reason: `landstrip 0.11.0 or newer is required; found: ${version}`,
+        reason: `landstrip ${REQUIRED_LANDSTRIP_VERSION} or newer is required; found: ${version}`,
       };
       return landstripCheck;
     }
@@ -1045,7 +1183,14 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (sandboxDisabled) return null;
 
     const config = loadConfig(directory, optionOverrides);
-    if (!config.enabled) return null;
+    if (!config.enabled) {
+      await notifyOnce(
+        `not-configured:${directory}`,
+        'Sandbox is not configured — no sandbox.json5 found',
+        'info',
+      );
+      return null;
+    }
 
     const check = checkLandstrip();
     if (!check?.ok) {
@@ -1130,27 +1275,37 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     }
 
     const allowNetwork = config.network.allowNetwork;
+    const callAllowedDomains: string[] = [];
+    const effectiveConfig = {
+      ...config,
+      network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
+    };
 
     if (!allowNetwork) {
-      const blockedDomain = firstBlockedDomain(args.command as string, config);
-      if (blockedDomain) {
-        const reason =
-          blockedDomain.reason === 'deniedDomains'
-            ? 'is blocked by network.deniedDomains'
-            : 'is not in network.allowedDomains';
-        throw errorWithConfigPaths(
-          directory,
-          `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,
-        );
+      for (const domain of extractDomainsFromCommand(args.command as string)) {
+        const decision = evaluateDomainPermission(domain, effectiveConfig);
+        if (decision.status === 'allow') continue;
+        if (decision.status === 'ask' && hasCallAllowance(callID, decision)) {
+          callAllowedDomains.push(domain);
+          continue;
+        }
+        throw errorWithConfigPaths(directory, decision.message);
       }
     }
 
-    const proxy = allowNetwork ? null : await startProxy(config);
+    if (callAllowedDomains.length > 0) {
+      effectiveConfig.network = {
+        ...effectiveConfig.network,
+        allowedDomains: [...effectiveConfig.network.allowedDomains, ...callAllowedDomains],
+      };
+    }
+
+    const proxy = allowNetwork ? null : await startProxy(effectiveConfig);
     const proxyPort = proxy ? proxy.port : null;
     let policy: { dir: string; path: string };
 
     try {
-      policy = writePolicyFile(config, directory, proxyPort);
+      policy = writePolicyFile(effectiveConfig, directory, proxyPort);
     } catch (error) {
       if (proxy) await proxy.stop().catch(() => undefined);
       throw error;
@@ -1181,6 +1336,80 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       configuredShell = configuredShellPath(config);
     },
 
+    'permission.ask': async (input, output) => {
+      const config = await activeConfig();
+      if (!config) return;
+
+      const request = input as Record<string, unknown>;
+      const permission =
+        typeof request.type === 'string'
+          ? request.type
+          : typeof request.permission === 'string'
+            ? request.permission
+            : typeof request.action === 'string'
+              ? request.action
+              : '';
+      const metadata = isRecord(request.metadata) ? request.metadata : {};
+      const tool = isRecord(request.tool) ? request.tool : undefined;
+      const callID =
+        typeof request.callID === 'string'
+          ? request.callID
+          : typeof tool?.callID === 'string'
+            ? tool.callID
+            : undefined;
+      const patterns = Array.isArray(request.patterns)
+        ? request.patterns.filter((item): item is string => typeof item === 'string')
+        : typeof request.pattern === 'string'
+          ? [request.pattern]
+          : Array.isArray(request.resources)
+            ? request.resources.filter((item): item is string => typeof item === 'string')
+            : [];
+
+      const decisions: SandboxPermissionDecision[] = [];
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
+
+      if (permission === 'read') {
+        for (const pattern of patterns) {
+          decisions.push(evaluateReadPermission(pattern, config, directory, effectiveAllowRead));
+        }
+      }
+
+      if (permission === 'glob' || permission === 'grep' || permission === 'list') {
+        const searchPath = typeof metadata.path === 'string' ? metadata.path : '.';
+        decisions.push(evaluateReadPermission(searchPath, config, directory, effectiveAllowRead));
+      }
+
+      if (permission === 'edit') {
+        const filepath =
+          typeof metadata.filepath === 'string'
+            ? metadata.filepath
+            : patterns.length === 1
+              ? patterns[0]
+              : undefined;
+        if (filepath) {
+          decisions.push(evaluateWritePermission(filepath, config, directory, effectiveAllowWrite));
+        }
+      }
+
+      if (permission === 'bash') {
+        const command = typeof metadata.command === 'string' ? metadata.command : patterns[0];
+        if (typeof command === 'string' && !config.network.allowNetwork) {
+          for (const domain of extractDomainsFromCommand(command)) {
+            decisions.push(evaluateDomainPermission(domain, config));
+          }
+        }
+      }
+
+      const decision =
+        decisions.find((item) => item.status === 'deny') ??
+        decisions.find((item) => item.status === 'ask');
+      if (!decision) return;
+
+      output.status = decision.status;
+      rememberCallAllowance(callID, decision);
+    },
+
     'tool.execute.before': async (input, output) => {
       if (!isRecord(output.args)) return;
 
@@ -1197,23 +1426,40 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
       if (input.tool === 'read') {
         const path = getToolPath(output.args);
-        if (path) assertReadAllowed(path, config, directory, effectiveAllowRead);
+        if (path)
+          enforcePermission(
+            input.callID,
+            evaluateReadPermission(path, config, directory, effectiveAllowRead),
+          );
         return;
       }
 
       if (input.tool === 'glob' || input.tool === 'grep' || input.tool === 'list') {
-        assertReadAllowed(getSearchPath(output.args), config, directory, effectiveAllowRead);
+        enforcePermission(
+          input.callID,
+          evaluateReadPermission(getSearchPath(output.args), config, directory, effectiveAllowRead),
+        );
         return;
       }
 
       if (input.tool === 'write' || input.tool === 'edit') {
         const path = getToolPath(output.args);
-        if (path) assertWriteAllowed(path, config, directory, effectiveAllowWrite);
+        if (path)
+          enforcePermission(
+            input.callID,
+            evaluateWritePermission(path, config, directory, effectiveAllowWrite),
+          );
         return;
       }
 
-      if (input.tool === 'apply_patch')
-        assertApplyPatchAllowed(output.args, config, directory, effectiveAllowWrite);
+      if (input.tool === 'apply_patch' && typeof output.args.patchText === 'string') {
+        for (const path of extractPatchPaths(output.args.patchText)) {
+          enforcePermission(
+            input.callID,
+            evaluateWritePermission(path, config, directory, effectiveAllowWrite),
+          );
+        }
+      }
     },
 
     'shell.env': async (input, output) => {
@@ -1258,31 +1504,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
       const blockedPath = extractBlockedWritePath(outputText, directory, state.originalCommand);
       if (blockedPath) {
-        const config = loadConfig(directory, optionOverrides);
-        if (
-          !sessionAllowedWritePaths.includes(blockedPath) &&
-          !matchesPattern(blockedPath, config.filesystem.allowWrite, directory) &&
-          !matchesPattern(blockedPath, config.filesystem.denyWrite, directory)
-        ) {
-          sessionAllowedWritePaths.push(blockedPath);
-          await notifyOnce(
-            `write-allow:${blockedPath}`,
-            `Write access granted for session: "${blockedPath}"`,
-            'warning',
-          );
-        }
-        if (
-          !sessionAllowedReadPaths.includes(blockedPath) &&
-          !matchesPattern(blockedPath, config.filesystem.allowRead, directory) &&
-          !matchesPattern(blockedPath, config.filesystem.denyRead, directory)
-        ) {
-          sessionAllowedReadPaths.push(blockedPath);
-          await notifyOnce(
-            `read-allow:${blockedPath}`,
-            `Read access granted for session: "${blockedPath}"`,
-            'warning',
-          );
-        }
+        await notifyOnce(
+          `blocked:${blockedPath}`,
+          `Sandbox blocked access to "${blockedPath}". Approve the related OpenCode permission prompt and retry if needed.`,
+          'warning',
+        );
       }
 
       await cleanupBash(input.callID);
@@ -1292,6 +1518,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       if (input.command.trim() === '/sandbox') {
         const config = loadConfig(directory, optionOverrides);
         pushCommandText(input, output, sandboxSummary(config));
+        await client.tui
+          ?.showToast?.({
+            body: { title: 'Sandbox', message: `Config loaded for ${directory}`, variant: 'info' },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1310,6 +1541,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           output,
           'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
         );
+        await client.tui
+          ?.showToast?.({
+            body: {
+              title: 'Sandbox',
+              message: 'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
+              variant: 'warning',
+            },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1323,7 +1563,30 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           return;
         }
         sandboxDisabled = false;
-        pushCommandText(input, output, 'Sandbox re-enabled.');
+        const config = await activeConfig();
+        if (!config) {
+          pushCommandText(
+            input,
+            output,
+            'Sandbox re-enabled but no sandbox.json5 found — no rules active.\nCreate sandbox.json5 to enforce sandboxing.',
+          );
+          await client.tui
+            ?.showToast?.({
+              body: {
+                title: 'Sandbox',
+                message: 'Sandbox re-enabled but no sandbox.json5 found — no rules active.',
+                variant: 'warning',
+              },
+            })
+            ?.catch?.(() => undefined);
+        } else {
+          pushCommandText(input, output, 'Sandbox re-enabled.');
+          await client.tui
+            ?.showToast?.({
+              body: { title: 'Sandbox', message: 'Sandbox re-enabled.', variant: 'success' },
+            })
+            ?.catch?.(() => undefined);
+        }
         return;
       }
 
@@ -1337,17 +1600,60 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         const effectiveAllowWrite = getEffectiveAllowWrite(config);
 
         for (const path of extractCandidatePaths(shellCommand)) {
-          assertReadAllowed(path, config, directory, effectiveAllowRead);
-          assertWriteAllowed(path, config, directory, effectiveAllowWrite);
+          const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);
+          if (readDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: readDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
+            throw errorWithConfigPaths(directory, readDecision.message);
+          }
+
+          const writeDecision = evaluateWritePermission(
+            path,
+            config,
+            directory,
+            effectiveAllowWrite,
+          );
+          if (writeDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: writeDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
+            throw errorWithConfigPaths(directory, writeDecision.message);
+          }
         }
 
         if (!config.network.allowNetwork) {
-          const blockedDomain = firstBlockedDomain(shellCommand, config);
+          const effectiveConfig = {
+            ...config,
+            network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
+          };
+          const blockedDomain = firstBlockedDomain(shellCommand, effectiveConfig);
           if (blockedDomain) {
             const reason =
               blockedDomain.reason === 'deniedDomains'
                 ? 'is blocked by network.deniedDomains'
                 : 'is not in network.allowedDomains';
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: `Network access denied for "${blockedDomain.domain}"`,
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(
               directory,
               `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,