opencode-landstrip 0.3.11 → 0.3.12

package/README.md

@@ -20,7 +20,7 @@ manually:
 ```json
 {
   "$schema": "https://opencode.ai/config.json",
-  "plugin": ["opencode-landstrip"]
+  "plugin": ["opencode-landstrip/tui"]
 }
 ```
 
@@ -34,7 +34,8 @@ On unsupported platforms the plugin loads but leaves sandboxing disabled.
 ## Configure
 
 Create `.opencode/sandbox.json` in a project or
-`~/.config/opencode/sandbox.json` globally. Project config takes precedence.
+`~/.config/opencode/sandbox.json` globally. Project config takes precedence and
+array fields are merged with global/default values.
 
 See [`sandbox.json`](./sandbox.json) for a starter config.
 
@@ -42,14 +43,22 @@ See [`sandbox.json`](./sandbox.json) for a starter config.
 
 The plugin wraps opencode's AI `bash` tool in `landstrip`, routes proxy-aware
 network traffic through an allowlist proxy, and blocks read/write tool access
-outside configured filesystem allowlists.
+outside configured filesystem allowlists. The default policy is strict: network
+access is off unless domains are allowed, reads are limited to the project,
+`~/.gitconfig`, and `/dev/null`, and writes are limited to the project and
+`/dev/null`.
 
 Run `/sandbox` in the TUI to inspect the active sandbox configuration.
 
-opencode's current server plugin API does not expose Pi-style custom permission
-dialogs or a way to rewrite manually typed shell-mode commands. The `/sandbox`
-status view is provided by the TUI plugin entrypoint. Blocked access fails with
-an error that points at the sandbox config files.
+When OpenCode asks for a sandboxed permission, the TUI plugin adds choices to
+allow once, allow for the session, persist for the project, persist globally, or
+reject. Project approvals are written to `.opencode/sandbox.json`; global
+approvals are written to `~/.config/opencode/sandbox.json`.
+
+OpenCode's current plugin API allows wrapping AI `bash` tool calls, but does not
+allow a plugin to replace manually typed shell-mode commands with a landstrip
+wrapper. Those commands can still receive the proxy environment from OpenCode,
+but they are not process-sandboxed by this plugin.
 
 ## Disable
 
@@ -66,3 +75,6 @@ Set `enabled` to `false` in `sandbox.json`, or pass plugin options:
 
 `opencode-landstrip` is licensed under `MIT`. See [LICENSE](LICENSE) for more
 information.
+
+The bundled `@jarkkojs/landstrip` package is licensed separately as
+`Apache-2.0 AND LGPL-2.1-or-later`.

package/index.ts

@@ -53,11 +53,12 @@ interface LandstripPolicy {
 }
 
 interface LandstripErrorResponse {
-  reason: 'Other' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
+  reason: 'Other' | 'AccessDenied' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
   file?: string;
+  operation?: 'read' | 'write';
   program?: string;
   type?: 'filesystem' | 'network' | 'platform' | 'launch' | 'encoding';
-  source: string;
+  source?: string;
 }
 
 interface SandboxConfigOverrides {
@@ -85,8 +86,48 @@ interface SandboxPermissionDecision {
 
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 11, 0] as const;
+const LANDSTRIP_VERSION = [0, 11, 9] as const;
+const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
+const LANDSTRIP_ERROR_REASONS = new Set<LandstripErrorResponse['reason']>([
+  'Other',
+  'AccessDenied',
+  'LaunchFailed',
+  'SetupFailed',
+  'Usage',
+]);
+const LANDSTRIP_OPERATIONS = new Set<NonNullable<LandstripErrorResponse['operation']>>([
+  'read',
+  'write',
+]);
+const LANDSTRIP_ERROR_TYPES = new Set<NonNullable<LandstripErrorResponse['type']>>([
+  'filesystem',
+  'network',
+  'platform',
+  'launch',
+  'encoding',
+]);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
+const LANDSTRIP_PACKAGE_NAMES = new Set([
+  '@jarkkojs/landstrip',
+  '@jarkkojs/landstrip-darwin-arm64',
+  '@jarkkojs/landstrip-darwin-x64',
+  '@jarkkojs/landstrip-linux-x64',
+  '@jarkkojs/landstrip-win32-x64',
+]);
+
+function isLandstripErrorReason(value: string): value is LandstripErrorResponse['reason'] {
+  return LANDSTRIP_ERROR_REASONS.has(value as LandstripErrorResponse['reason']);
+}
+
+function isLandstripOperation(
+  value: string,
+): value is NonNullable<LandstripErrorResponse['operation']> {
+  return LANDSTRIP_OPERATIONS.has(value as NonNullable<LandstripErrorResponse['operation']>);
+}
+
+function isLandstripErrorType(value: string): value is NonNullable<LandstripErrorResponse['type']> {
+  return LANDSTRIP_ERROR_TYPES.has(value as NonNullable<LandstripErrorResponse['type']>);
+}
 
 const DEFAULT_CONFIG: SandboxConfig = {
   enabled: true,
@@ -95,36 +136,14 @@ const DEFAULT_CONFIG: SandboxConfig = {
     allowLocalBinding: false,
     allowAllUnixSockets: false,
     allowUnixSockets: [],
-    allowedDomains: [
-      'npmjs.org',
-      '*.npmjs.org',
-      'registry.npmjs.org',
-      'registry.yarnpkg.com',
-      'pypi.org',
-      '*.pypi.org',
-      'github.com',
-      '*.github.com',
-      'api.github.com',
-      'raw.githubusercontent.com',
-      'crates.io',
-      '*.crates.io',
-      'static.crates.io',
-    ],
+    allowedDomains: [],
     deniedDomains: [],
   },
   filesystem: {
     denyRead: ['/Users', '/home'],
-    allowRead: [
-      '.',
-      '/dev/null',
-      '~/.config/opencode',
-      '~/.config/git',
-      '~/.gitconfig',
-      '~/.local',
-      '~/.cargo',
-    ],
-    allowWrite: ['.', '/tmp', '/dev/null'],
-    denyWrite: ['.env', '.env.*', '*.pem', '*.key'],
+    allowRead: ['.', '~/.gitconfig', '/dev/null'],
+    allowWrite: ['.', '/dev/null'],
+    denyWrite: ['**/.env', '**/.env.*', '**/*.pem', '**/*.key'],
   },
 };
 
@@ -198,16 +217,30 @@ function normalizeOptions(options: PluginOptions | undefined): SandboxConfigOver
   return normalizeConfig(isRecord(options.config) ? options.config : options);
 }
 
+function mergeArray(base: string[], override?: string[]): string[] {
+  if (!override) return base;
+  return [...new Set([...base, ...override])];
+}
+
 function deepMerge(base: SandboxConfig, overrides: SandboxConfigOverrides): SandboxConfig {
+  const network = overrides.network;
+  const filesystem = overrides.filesystem;
+
   return {
     enabled: overrides.enabled ?? base.enabled,
     network: {
-      ...base.network,
-      ...overrides.network,
+      allowNetwork: network?.allowNetwork ?? base.network.allowNetwork,
+      allowLocalBinding: network?.allowLocalBinding ?? base.network.allowLocalBinding,
+      allowAllUnixSockets: network?.allowAllUnixSockets ?? base.network.allowAllUnixSockets,
+      allowUnixSockets: mergeArray(base.network.allowUnixSockets, network?.allowUnixSockets),
+      allowedDomains: mergeArray(base.network.allowedDomains, network?.allowedDomains),
+      deniedDomains: mergeArray(base.network.deniedDomains, network?.deniedDomains),
     },
     filesystem: {
-      ...base.filesystem,
-      ...overrides.filesystem,
+      denyRead: mergeArray(base.filesystem.denyRead, filesystem?.denyRead),
+      allowRead: mergeArray(base.filesystem.allowRead, filesystem?.allowRead),
+      allowWrite: mergeArray(base.filesystem.allowWrite, filesystem?.allowWrite),
+      denyWrite: mergeArray(base.filesystem.denyWrite, filesystem?.denyWrite),
     },
   };
 }
@@ -248,6 +281,33 @@ function configuredShellPath(config: unknown): string | undefined {
   return typeof config.shell === 'string' ? config.shell : undefined;
 }
 
+function landstripBinaryPath(): string {
+  const filePath = realpathSync.native(binaryPath());
+  let probe = dirname(filePath);
+
+  while (true) {
+    const manifestPath = join(probe, 'package.json');
+    if (existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8')) as unknown;
+        if (isRecord(manifest) && LANDSTRIP_PACKAGE_NAMES.has(String(manifest.name))) {
+          return filePath;
+        }
+      } catch {
+        // malformed package.json — continue walking to parent
+      }
+    }
+
+    const parent = dirname(probe);
+    if (parent === probe) break;
+    probe = parent;
+  }
+
+  throw new Error(
+    `Refusing to use landstrip binary outside official @jarkkojs/landstrip packages: ${filePath}`,
+  );
+}
+
 function canonicalizePath(filePath: string, baseDirectory: string): string {
   const abs = expandPath(filePath, baseDirectory);
 
@@ -527,7 +587,7 @@ function evaluateDomainPermission(
 }
 
 function landstripVersion(): string | null {
-  const result = spawnSync(binaryPath(), ['--version'], { encoding: 'utf-8' });
+  const result = spawnSync(landstripBinaryPath(), ['--version'], { encoding: 'utf-8' });
   if (result.status !== 0) return null;
   return result.stdout.trim();
 }
@@ -564,25 +624,19 @@ function parseLandstripErrors(output: string): LandstripErrorResponse[] {
       if (key.length > 0 && value.length > 0) fields[key] = value;
     }
 
-    if (
-      fields.reason &&
-      ['Other', 'LaunchFailed', 'SetupFailed', 'Usage'].includes(fields.reason) &&
-      fields.source
-    ) {
+    if (fields.reason && isLandstripErrorReason(fields.reason)) {
       const error: LandstripErrorResponse = {
-        reason: fields.reason as LandstripErrorResponse['reason'],
-        source: fields.source,
+        reason: fields.reason,
       };
 
       if (fields.file) error.file = fields.file;
+      if (fields.operation && isLandstripOperation(fields.operation)) {
+        error.operation = fields.operation;
+      }
       if (fields.program) error.program = fields.program;
+      if (fields.source) error.source = fields.source;
 
-      if (
-        fields.type &&
-        ['filesystem', 'network', 'platform', 'launch', 'encoding'].includes(fields.type)
-      ) {
-        error.type = fields.type as LandstripErrorResponse['type'];
-      }
+      if (fields.type && isLandstripErrorType(fields.type)) error.type = fields.type;
 
       errors.push(error);
     }
@@ -599,13 +653,16 @@ function formatLandstripErrors(errors: LandstripErrorResponse[]): string {
       if (err.file) {
         parts.push(` (${err.file})`);
       }
+      if (err.operation) {
+        parts.push(` ${err.operation}`);
+      }
       if (err.program) {
         parts.push(` ${err.program}`);
       }
       if (err.type) {
         parts.push(`:${err.type}`);
       }
-      parts.push(`: ${err.source}`);
+      if (err.source) parts.push(`: ${err.source}`);
 
       return parts.join('');
     })
@@ -838,12 +895,12 @@ function shellArgs(shell: string, command: string): string[] {
 function buildWrappedCommand(policyPath: string, shell: string, command: string): string {
   const args = ['-p', policyPath, ...shellArgs(shell, command)];
 
-  return [binaryPath(), ...args].map(shellQuote).join(' ');
+  return [landstripBinaryPath(), ...args].map(shellQuote).join(' ');
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
   return (
-    command.startsWith(`${shellQuote(binaryPath())} `) &&
+    command.startsWith(`${shellQuote(landstripBinaryPath())} `) &&
     command.includes(` ${shellQuote('-p')} `) &&
     command.includes('opencode-landstrip-')
   );
@@ -964,6 +1021,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
   function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
     if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+    client.tui
+      ?.showToast?.({
+        body: {
+          title: 'Sandbox blocked',
+          message: decision.message.slice(0, 120),
+          variant: 'error',
+        },
+      })
+      ?.catch?.(() => undefined);
     throw errorWithConfigPaths(directory, decision.message);
   }
 
@@ -995,7 +1061,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       '# Sandbox Configuration',
       '',
       `Status: ${sandboxDisabled ? 'disabled for this session' : 'active'}`,
-      `landstrip: ${binaryPath()}`,
+      `landstrip package binary: ${landstripBinaryPath()}`,
       '',
       'Config files:',
       `- project: ${projectPath}`,
@@ -1082,7 +1148,17 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       return landstripCheck;
     }
 
-    const version = landstripVersion();
+    let version: string | null;
+    try {
+      version = landstripVersion();
+    } catch (error) {
+      landstripCheck = {
+        ok: false,
+        reason: error instanceof Error ? error.message : String(error),
+      };
+      return landstripCheck;
+    }
+
     if (!version) {
       landstripCheck = {
         ok: false,
@@ -1094,7 +1170,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (!hasMinimumVersion(version, LANDSTRIP_VERSION)) {
       landstripCheck = {
         ok: false,
-        reason: `landstrip 0.11.0 or newer is required; found: ${version}`,
+        reason: `landstrip ${REQUIRED_LANDSTRIP_VERSION} or newer is required; found: ${version}`,
       };
       return landstripCheck;
     }
@@ -1107,7 +1183,14 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (sandboxDisabled) return null;
 
     const config = loadConfig(directory, optionOverrides);
-    if (!config.enabled) return null;
+    if (!config.enabled) {
+      await notifyOnce(
+        `not-configured:${directory}`,
+        'Sandbox is not configured — no sandbox.json5 found',
+        'info',
+      );
+      return null;
+    }
 
     const check = checkLandstrip();
     if (!check?.ok) {
@@ -1435,6 +1518,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       if (input.command.trim() === '/sandbox') {
         const config = loadConfig(directory, optionOverrides);
         pushCommandText(input, output, sandboxSummary(config));
+        await client.tui
+          ?.showToast?.({
+            body: { title: 'Sandbox', message: `Config loaded for ${directory}`, variant: 'info' },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1453,6 +1541,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           output,
           'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
         );
+        await client.tui
+          ?.showToast?.({
+            body: {
+              title: 'Sandbox',
+              message: 'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
+              variant: 'warning',
+            },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1466,7 +1563,30 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           return;
         }
         sandboxDisabled = false;
-        pushCommandText(input, output, 'Sandbox re-enabled.');
+        const config = await activeConfig();
+        if (!config) {
+          pushCommandText(
+            input,
+            output,
+            'Sandbox re-enabled but no sandbox.json5 found — no rules active.\nCreate sandbox.json5 to enforce sandboxing.',
+          );
+          await client.tui
+            ?.showToast?.({
+              body: {
+                title: 'Sandbox',
+                message: 'Sandbox re-enabled but no sandbox.json5 found — no rules active.',
+                variant: 'warning',
+              },
+            })
+            ?.catch?.(() => undefined);
+        } else {
+          pushCommandText(input, output, 'Sandbox re-enabled.');
+          await client.tui
+            ?.showToast?.({
+              body: { title: 'Sandbox', message: 'Sandbox re-enabled.', variant: 'success' },
+            })
+            ?.catch?.(() => undefined);
+        }
         return;
       }
 
@@ -1482,6 +1602,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         for (const path of extractCandidatePaths(shellCommand)) {
           const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);
           if (readDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: readDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(directory, readDecision.message);
           }
 
@@ -1492,6 +1621,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
             effectiveAllowWrite,
           );
           if (writeDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: writeDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(directory, writeDecision.message);
           }
         }
@@ -1507,6 +1645,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
               blockedDomain.reason === 'deniedDomains'
                 ? 'is blocked by network.deniedDomains'
                 : 'is not in network.allowedDomains';
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: `Network access denied for "${blockedDomain.domain}"`,
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(
               directory,
               `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.3.11",
+  "version": "0.3.12",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -48,10 +48,10 @@
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@jarkkojs/landstrip": "^0.11.0"
+    "@jarkkojs/landstrip": "^0.11.11"
   },
   "devDependencies": {
-    "@opencode-ai/plugin": "^1.17.3",
+    "@opencode-ai/plugin": "^1.17.6",
     "@opentui/core": ">=0.3.4",
     "@opentui/keymap": ">=0.3.4",
     "@opentui/solid": ">=0.3.4",
@@ -61,7 +61,7 @@
     "typescript": "^5.8.2"
   },
   "peerDependencies": {
-    "@opencode-ai/plugin": "^1.17.3"
+    "@opencode-ai/plugin": "^1.17.6"
   },
   "peerDependenciesMeta": {
     "@opencode-ai/plugin": {
@@ -69,6 +69,6 @@
     }
   },
   "engines": {
-    "opencode": ">=1.17.3"
+    "opencode": ">=1.17.6"
   }
 }

package/sandbox.json

@@ -1,57 +1,17 @@
 {
   "enabled": true,
   "network": {
-    "allowLocalBinding": true,
+    "allowNetwork": false,
+    "allowLocalBinding": false,
     "allowAllUnixSockets": false,
     "allowUnixSockets": [],
-    "allowedDomains": [
-      "github.com",
-      "*.github.com",
-      "api.github.com",
-      "raw.githubusercontent.com",
-      "objects.githubusercontent.com",
-      "codeload.github.com",
-      "registry.npmjs.org",
-      "npmjs.org",
-      "*.npmjs.org",
-      "nodejs.org",
-      "*.nodejs.org",
-      "crates.io",
-      "*.crates.io",
-      "static.crates.io"
-    ],
+    "allowedDomains": [],
     "deniedDomains": []
   },
   "filesystem": {
-    "denyRead": ["/home"],
-    "allowRead": [
-      ".",
-      "/tmp",
-      "/var/tmp",
-      "/dev/null",
-      "~/.config/opencode",
-      "~/.config/git",
-      "~/.gitconfig",
-      "~/.local",
-      "~/.cargo",
-      "~/.rustup",
-      "~/.npm",
-      "~/.cache",
-      "~/.bun",
-      "~/.node-gyp"
-    ],
-    "allowWrite": [
-      ".",
-      "/tmp",
-      "/var/tmp",
-      "/dev/null",
-      "~/.cargo",
-      "~/.rustup",
-      "~/.npm",
-      "~/.cache",
-      "~/.bun",
-      "~/.node-gyp"
-    ],
-    "denyWrite": [".env", ".env.*", "*.pem", "*.key"]
+    "denyRead": ["/Users", "/home"],
+    "allowRead": [".", "~/.gitconfig", "/dev/null"],
+    "allowWrite": [".", "/dev/null"],
+    "denyWrite": ["**/.env", "**/.env.*", "**/*.pem", "**/*.key"]
   }
 }

package/tui.ts

@@ -5,9 +5,9 @@ import type { TuiPlugin } from '@opencode-ai/plugin/tui';
 
 import { binaryPath } from '@jarkkojs/landstrip';
 
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, realpathSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
-import { join } from 'node:path';
+import { dirname, join } from 'node:path';
 
 interface SandboxFilesystemConfig {
   denyRead: string[];
@@ -44,38 +44,23 @@ const DEFAULT_CONFIG: SandboxConfig = {
     allowLocalBinding: false,
     allowAllUnixSockets: false,
     allowUnixSockets: [],
-    allowedDomains: [
-      'npmjs.org',
-      '*.npmjs.org',
-      'registry.npmjs.org',
-      'registry.yarnpkg.com',
-      'pypi.org',
-      '*.pypi.org',
-      'github.com',
-      '*.github.com',
-      'api.github.com',
-      'raw.githubusercontent.com',
-      'crates.io',
-      '*.crates.io',
-      'static.crates.io',
-    ],
+    allowedDomains: [],
     deniedDomains: [],
   },
   filesystem: {
     denyRead: ['/Users', '/home'],
-    allowRead: [
-      '.',
-      '/dev/null',
-      '~/.config/opencode',
-      '~/.config/git',
-      '~/.gitconfig',
-      '~/.local',
-      '~/.cargo',
-    ],
-    allowWrite: ['.', '/tmp', '/dev/null'],
-    denyWrite: ['.env', '.env.*', '*.pem', '*.key'],
+    allowRead: ['.', '~/.gitconfig', '/dev/null'],
+    allowWrite: ['.', '/dev/null'],
+    denyWrite: ['**/.env', '**/.env.*', '**/*.pem', '**/*.key'],
   },
 };
+const LANDSTRIP_PACKAGE_NAMES = new Set([
+  '@jarkkojs/landstrip',
+  '@jarkkojs/landstrip-darwin-arm64',
+  '@jarkkojs/landstrip-darwin-x64',
+  '@jarkkojs/landstrip-linux-x64',
+  '@jarkkojs/landstrip-win32-x64',
+]);
 
 function isRecord(value: unknown): value is Record<string, unknown> {
   return typeof value === 'object' && value !== null && !Array.isArray(value);
@@ -147,16 +132,30 @@ function normalizeOptions(options: unknown): SandboxConfigOverrides {
   return normalizeConfig(isRecord(options.config) ? options.config : options);
 }
 
+function mergeArray(base: string[], override?: string[]): string[] {
+  if (!override) return base;
+  return [...new Set([...base, ...override])];
+}
+
 function deepMerge(base: SandboxConfig, overrides: SandboxConfigOverrides): SandboxConfig {
+  const network = overrides.network;
+  const filesystem = overrides.filesystem;
+
   return {
     enabled: overrides.enabled ?? base.enabled,
     network: {
-      ...base.network,
-      ...overrides.network,
+      allowNetwork: network?.allowNetwork ?? base.network.allowNetwork,
+      allowLocalBinding: network?.allowLocalBinding ?? base.network.allowLocalBinding,
+      allowAllUnixSockets: network?.allowAllUnixSockets ?? base.network.allowAllUnixSockets,
+      allowUnixSockets: mergeArray(base.network.allowUnixSockets, network?.allowUnixSockets),
+      allowedDomains: mergeArray(base.network.allowedDomains, network?.allowedDomains),
+      deniedDomains: mergeArray(base.network.deniedDomains, network?.deniedDomains),
     },
     filesystem: {
-      ...base.filesystem,
-      ...overrides.filesystem,
+      denyRead: mergeArray(base.filesystem.denyRead, filesystem?.denyRead),
+      allowRead: mergeArray(base.filesystem.allowRead, filesystem?.allowRead),
+      allowWrite: mergeArray(base.filesystem.allowWrite, filesystem?.allowWrite),
+      denyWrite: mergeArray(base.filesystem.denyWrite, filesystem?.denyWrite),
     },
   };
 }
@@ -168,20 +167,61 @@ function getConfigPaths(baseDirectory: string): { globalPath: string; projectPat
   };
 }
 
-function readConfigFile(configPath: string): SandboxConfigOverrides {
+function readConfigFile(configPath: string): SandboxConfigOverrides | null {
   if (!existsSync(configPath)) return {};
 
   try {
     return normalizeConfig(JSON.parse(readFileSync(configPath, 'utf-8')));
   } catch {
-    return {};
+    return null;
+  }
+}
+
+function landstripBinaryPath(): string {
+  const filePath = realpathSync.native(binaryPath());
+  let probe = dirname(filePath);
+
+  while (true) {
+    const manifestPath = join(probe, 'package.json');
+    if (existsSync(manifestPath)) {
+      try {
+        const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8')) as unknown;
+        if (isRecord(manifest) && LANDSTRIP_PACKAGE_NAMES.has(String(manifest.name))) {
+          return filePath;
+        }
+      } catch {
+        // malformed package.json — continue walking to parent
+      }
+    }
+
+    const parent = dirname(probe);
+    if (parent === probe) break;
+    probe = parent;
+  }
+
+  throw new Error(
+    `Refusing to use landstrip binary outside official @jarkkojs/landstrip packages: ${filePath}`,
+  );
+}
+
+function writeConfigFile(configPath: string, update: SandboxConfigOverrides): void {
+  const current = readConfigFile(configPath);
+  if (current === null) {
+    throw new Error(`Config file ${configPath} is corrupted; refusing to overwrite`);
   }
+
+  const next = deepMerge(deepMerge(DEFAULT_CONFIG, current), update);
+
+  mkdirSync(dirname(configPath), { recursive: true });
+  writeFileSync(configPath, JSON.stringify(next, null, 2) + '\n');
 }
 
 function loadConfig(baseDirectory: string, optionOverrides: SandboxConfigOverrides): SandboxConfig {
   const { globalPath, projectPath } = getConfigPaths(baseDirectory);
+  const globalConfig = readConfigFile(globalPath);
+  const projectConfig = readConfigFile(projectPath);
   return deepMerge(
-    deepMerge(deepMerge(DEFAULT_CONFIG, readConfigFile(globalPath)), readConfigFile(projectPath)),
+    deepMerge(deepMerge(DEFAULT_CONFIG, globalConfig ?? {}), projectConfig ?? {}),
     optionOverrides,
   );
 }
@@ -201,7 +241,7 @@ function sandboxSummary(baseDirectory: string, optionOverrides: SandboxConfigOve
 
   return [
     `Status: ${config.enabled ? 'active' : 'disabled by config'}`,
-    `landstrip: ${binaryPath()}`,
+    `landstrip package binary: ${landstripBinaryPath()}`,
     '',
     'Config files',
     configPathLine('project', projectPath),
@@ -223,7 +263,150 @@ function sandboxSummary(baseDirectory: string, optionOverrides: SandboxConfigOve
   ].join('\n');
 }
 
+type PermissionChoice = 'once' | 'session' | 'project' | 'global' | 'reject';
+
+function permissionType(permission: Record<string, unknown>, fallback = ''): string {
+  if (typeof permission.permission === 'string') return permission.permission;
+  if (typeof permission.action === 'string') return permission.action;
+  if (typeof permission.type === 'string') return permission.type;
+  return fallback;
+}
+
+function permissionPattern(permission: Record<string, unknown>): string | undefined {
+  const patterns = permission.patterns;
+  if (Array.isArray(patterns))
+    return patterns.find((item): item is string => typeof item === 'string');
+
+  const pattern = permission.pattern;
+  if (typeof pattern === 'string') return pattern;
+  if (Array.isArray(pattern))
+    return pattern.find((item): item is string => typeof item === 'string');
+
+  return undefined;
+}
+
+function domainsFromCommand(command: string): string[] {
+  const domains = new Set<string>();
+  const urlRegex = /https?:\/\/([^\s/:?#'"]+)(?::\d+)?(?:[/?#]|\s|$)/g;
+  let match: RegExpExecArray | null;
+
+  while ((match = urlRegex.exec(command)) !== null) domains.add(match[1]);
+
+  return [...domains];
+}
+
+function updateForPermission(permission: Record<string, unknown>): SandboxConfigOverrides | null {
+  const metadata = isRecord(permission.metadata) ? permission.metadata : {};
+  const type = permissionType(permission);
+  const pattern = permissionPattern(permission);
+
+  if (type === 'bash') {
+    const command = typeof metadata.command === 'string' ? metadata.command : pattern;
+    const domains = typeof command === 'string' ? domainsFromCommand(command) : [];
+    return domains.length > 0 ? { network: { allowedDomains: domains } } : null;
+  }
+
+  if (type === 'read' || type === 'glob' || type === 'grep' || type === 'list') {
+    const filePath = typeof metadata.filepath === 'string' ? metadata.filepath : pattern;
+    return filePath ? { filesystem: { allowRead: [filePath] } } : null;
+  }
+
+  if (type === 'edit' || type === 'write' || type === 'apply_patch') {
+    const filePath = typeof metadata.filepath === 'string' ? metadata.filepath : pattern;
+    return filePath ? { filesystem: { allowWrite: [filePath] } } : null;
+  }
+
+  return null;
+}
+
+function permissionLabel(permission: Record<string, unknown>): string {
+  const type = permissionType(permission, 'permission');
+  const title = typeof permission.title === 'string' ? permission.title : type;
+  const pattern = permissionPattern(permission);
+  return pattern ? `${title}: ${pattern}` : title;
+}
+
 const tui: TuiPlugin = async (api, options) => {
+  const handledPermissions = new Set<string>();
+
+  async function replyPermission(
+    permission: Record<string, unknown>,
+    choice: PermissionChoice,
+  ): Promise<void> {
+    const id = typeof permission.id === 'string' ? permission.id : undefined;
+    if (!id || typeof permission.sessionID !== 'string') return;
+
+    const directory = api.state.path.directory || process.cwd();
+    const { globalPath, projectPath } = getConfigPaths(directory);
+
+    try {
+      if (choice === 'project' || choice === 'global') {
+        const update = updateForPermission(permission);
+        if (update) writeConfigFile(choice === 'project' ? projectPath : globalPath, update);
+      }
+
+      await api.client.permission.reply({
+        requestID: id,
+        reply: choice === 'reject' ? 'reject' : choice === 'once' ? 'once' : 'always',
+      });
+
+      api.ui.toast({
+        title: 'Sandbox',
+        message: choice === 'reject' ? 'Permission rejected' : `Permission allowed for ${choice}`,
+        variant: choice === 'reject' ? 'warning' : 'success',
+      });
+    } catch {
+      api.ui.toast({
+        title: 'Sandbox',
+        message: 'Permission was already handled or could not be updated',
+        variant: 'warning',
+      });
+    } finally {
+      api.ui.dialog.clear();
+    }
+  }
+
+  function showPermission(permission: Record<string, unknown>): void {
+    const id = typeof permission.id === 'string' ? permission.id : undefined;
+    if (!id || handledPermissions.has(id)) return;
+    handledPermissions.add(id);
+
+    api.ui.dialog.replace(
+      () =>
+        api.ui.DialogSelect<PermissionChoice>({
+          title: 'Sandbox Permission',
+          placeholder: permissionLabel(permission),
+          options: [
+            { title: 'Allow once', value: 'once', description: 'Approve only this request' },
+            {
+              title: 'Allow for session',
+              value: 'session',
+              description: 'Use OpenCode session approval for matching requests',
+            },
+            {
+              title: 'Allow for project',
+              value: 'project',
+              description: 'Persist to .opencode/sandbox.json and approve this session',
+            },
+            {
+              title: 'Allow globally',
+              value: 'global',
+              description: 'Persist to ~/.config/opencode/sandbox.json and approve this session',
+            },
+            { title: 'Reject', value: 'reject', description: 'Deny this request' },
+          ],
+          onSelect: (option) => {
+            void replyPermission(permission, option.value);
+          },
+        }),
+      () => api.ui.dialog.clear(),
+    );
+  }
+
+  api.event.on('permission.asked', (event) => {
+    showPermission(event.properties as Record<string, unknown>);
+  });
+
   const showSandbox = () => {
     const directory = api.state.path.directory || process.cwd();
     const message = sandboxSummary(directory, normalizeOptions(options));
@@ -239,32 +422,71 @@ const tui: TuiPlugin = async (api, options) => {
     );
   };
 
+  const executeServerCommand = async (command: string): Promise<boolean> => {
+    await api.client.tui.executeCommand({ command });
+    return true;
+  };
+
   api.keymap.registerLayer({
     commands: [
       {
-        namespace: 'palette',
-        name: 'landstrip.sandbox.show',
-        title: 'Show sandbox configuration',
-        desc: 'Show landstrip sandbox status and rules',
-        description: 'Show landstrip sandbox status and rules',
+        name: 'sandbox',
+        title: 'Sandbox',
+        description: 'Show sandbox configuration',
         category: 'Sandbox',
         suggested: true,
-        slashName: 'sandbox',
+        slash: { name: 'sandbox' },
         run: showSandbox,
       },
+      {
+        name: 'sandbox-disable',
+        title: 'Disable sandbox',
+        description: 'Disable sandbox for this session',
+        category: 'Sandbox',
+        suggested: true,
+        slash: { name: 'sandbox-disable' },
+        run: () => executeServerCommand('sandbox-disable'),
+      },
+      {
+        name: 'sandbox-enable',
+        title: 'Enable sandbox',
+        description: 'Re-enable sandbox for this session',
+        category: 'Sandbox',
+        suggested: true,
+        slash: { name: 'sandbox-enable' },
+        run: () => executeServerCommand('sandbox-enable'),
+      },
     ],
   });
 
   api.command?.register(() => [
     {
       title: 'Sandbox',
-      value: 'landstrip.sandbox.show',
+      value: 'sandbox',
       description: 'Show sandbox configuration',
       category: 'Sandbox',
       suggested: true,
       slash: { name: 'sandbox' },
       onSelect: showSandbox,
     },
+    {
+      title: 'Disable sandbox',
+      value: 'sandbox-disable',
+      description: 'Disable sandbox for this session',
+      category: 'Sandbox',
+      suggested: true,
+      slash: { name: 'sandbox-disable' },
+      onSelect: () => executeServerCommand('sandbox-disable'),
+    },
+    {
+      title: 'Enable sandbox',
+      value: 'sandbox-enable',
+      description: 'Re-enable sandbox for this session',
+      category: 'Sandbox',
+      suggested: true,
+      slash: { name: 'sandbox-enable' },
+      onSelect: () => executeServerCommand('sandbox-enable'),
+    },
   ]);
 };