opencode-landstrip 0.3.11 → 0.3.13

package/README.md

@@ -20,7 +20,7 @@ manually:
 ```json
 {
   "$schema": "https://opencode.ai/config.json",
-  "plugin": ["opencode-landstrip"]
+  "plugin": ["opencode-landstrip/tui"]
 }
 ```
 
@@ -29,12 +29,15 @@ manually:
 This installs `opencode-landstrip` and its `@jarkkojs/landstrip` dependency, which
 includes platform-specific native binaries for Linux, macOS, and Windows.
 
+Requires OpenCode `1.17.7` or newer.
+
 On unsupported platforms the plugin loads but leaves sandboxing disabled.
 
 ## Configure
 
 Create `.opencode/sandbox.json` in a project or
-`~/.config/opencode/sandbox.json` globally. Project config takes precedence.
+`~/.config/opencode/sandbox.json` globally. Project config takes precedence and
+array fields are merged with global/default values.
 
 See [`sandbox.json`](./sandbox.json) for a starter config.
 
@@ -42,14 +45,26 @@ See [`sandbox.json`](./sandbox.json) for a starter config.
 
 The plugin wraps opencode's AI `bash` tool in `landstrip`, routes proxy-aware
 network traffic through an allowlist proxy, and blocks read/write tool access
-outside configured filesystem allowlists.
-
-Run `/sandbox` in the TUI to inspect the active sandbox configuration.
-
-opencode's current server plugin API does not expose Pi-style custom permission
-dialogs or a way to rewrite manually typed shell-mode commands. The `/sandbox`
-status view is provided by the TUI plugin entrypoint. Blocked access fails with
-an error that points at the sandbox config files.
+outside configured filesystem allowlists. The default policy is strict: network
+access is off unless domains are allowed, reads are limited to the project,
+`~/.gitconfig`, and `/dev/null`, and writes are limited to the project and
+`/dev/null`.
+
+Run `/sandbox` in the TUI to inspect the active sandbox configuration. A compact
+status badge in the prompt area shows whether the sandbox is active and whether
+network is proxied or open.
+
+When OpenCode asks for a sandboxed permission, the TUI plugin plays the host's
+permission sound and desktop notification, then opens a single dialog with
+choices to allow once, allow for the session, persist for the project, persist
+globally, or reject. The dialog shows the exact path or domain being approved.
+Project approvals are written to `.opencode/sandbox.json`; global approvals are
+written to `~/.config/opencode/sandbox.json`.
+
+OpenCode's current plugin API allows wrapping AI `bash` tool calls, but does not
+allow a plugin to replace manually typed shell-mode commands with a landstrip
+wrapper. Those commands can still receive the proxy environment from OpenCode,
+but they are not process-sandboxed by this plugin.
 
 ## Disable
 
@@ -66,3 +81,6 @@ Set `enabled` to `false` in `sandbox.json`, or pass plugin options:
 
 `opencode-landstrip` is licensed under `MIT`. See [LICENSE](LICENSE) for more
 information.
+
+The bundled `@jarkkojs/landstrip` package is licensed separately as
+`Apache-2.0 AND LGPL-2.1-or-later`.

package/index.ts

@@ -3,43 +3,23 @@
 
 import type { Hooks, Plugin, PluginInput, PluginOptions } from '@opencode-ai/plugin';
 
-import { binaryPath } from '@jarkkojs/landstrip';
-
 import { spawnSync } from 'node:child_process';
-import {
-  existsSync,
-  mkdtempSync,
-  readFileSync,
-  realpathSync,
-  rmSync,
-  writeFileSync,
-} from 'node:fs';
+import { existsSync, mkdtempSync, realpathSync, rmSync, writeFileSync } from 'node:fs';
 import { type AddressInfo, connect as connectNet, createServer, type Socket } from 'node:net';
 import { homedir, tmpdir } from 'node:os';
 import { basename, dirname, isAbsolute, join, resolve } from 'node:path';
 import { URL } from 'node:url';
 
-interface SandboxFilesystemConfig {
-  denyRead: string[];
-  allowRead: string[];
-  allowWrite: string[];
-  denyWrite: string[];
-}
-
-interface SandboxNetworkConfig {
-  allowNetwork: boolean;
-  allowLocalBinding: boolean;
-  allowAllUnixSockets: boolean;
-  allowUnixSockets: string[];
-  allowedDomains: string[];
-  deniedDomains: string[];
-}
-
-interface SandboxConfig {
-  enabled: boolean;
-  network: SandboxNetworkConfig;
-  filesystem: SandboxFilesystemConfig;
-}
+import {
+  type SandboxConfig,
+  type SandboxFilesystemConfig,
+  extractDomainsFromCommand,
+  getConfigPaths,
+  isRecord,
+  landstripBinaryPath,
+  loadConfig,
+  normalizeOptions,
+} from './shared.js';
 
 interface LandstripPolicy {
   network: {
@@ -53,17 +33,12 @@ interface LandstripPolicy {
 }
 
 interface LandstripErrorResponse {
-  reason: 'Other' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
+  reason: 'Other' | 'AccessDenied' | 'LaunchFailed' | 'SetupFailed' | 'Usage';
   file?: string;
+  operation?: 'read' | 'write';
   program?: string;
   type?: 'filesystem' | 'network' | 'platform' | 'launch' | 'encoding';
-  source: string;
-}
-
-interface SandboxConfigOverrides {
-  enabled?: boolean;
-  network?: Partial<SandboxNetworkConfig>;
-  filesystem?: Partial<SandboxFilesystemConfig>;
+  source?: string;
 }
 
 interface BashSandboxState {
@@ -85,157 +60,40 @@ interface SandboxPermissionDecision {
 
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
-const LANDSTRIP_VERSION = [0, 11, 0] as const;
+const LANDSTRIP_VERSION = [0, 11, 9] as const;
+const REQUIRED_LANDSTRIP_VERSION = LANDSTRIP_VERSION.join('.');
+const LANDSTRIP_ERROR_REASONS = new Set<LandstripErrorResponse['reason']>([
+  'Other',
+  'AccessDenied',
+  'LaunchFailed',
+  'SetupFailed',
+  'Usage',
+]);
+const LANDSTRIP_OPERATIONS = new Set<NonNullable<LandstripErrorResponse['operation']>>([
+  'read',
+  'write',
+]);
+const LANDSTRIP_ERROR_TYPES = new Set<NonNullable<LandstripErrorResponse['type']>>([
+  'filesystem',
+  'network',
+  'platform',
+  'launch',
+  'encoding',
+]);
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
 
-const DEFAULT_CONFIG: SandboxConfig = {
-  enabled: true,
-  network: {
-    allowNetwork: false,
-    allowLocalBinding: false,
-    allowAllUnixSockets: false,
-    allowUnixSockets: [],
-    allowedDomains: [
-      'npmjs.org',
-      '*.npmjs.org',
-      'registry.npmjs.org',
-      'registry.yarnpkg.com',
-      'pypi.org',
-      '*.pypi.org',
-      'github.com',
-      '*.github.com',
-      'api.github.com',
-      'raw.githubusercontent.com',
-      'crates.io',
-      '*.crates.io',
-      'static.crates.io',
-    ],
-    deniedDomains: [],
-  },
-  filesystem: {
-    denyRead: ['/Users', '/home'],
-    allowRead: [
-      '.',
-      '/dev/null',
-      '~/.config/opencode',
-      '~/.config/git',
-      '~/.gitconfig',
-      '~/.local',
-      '~/.cargo',
-    ],
-    allowWrite: ['.', '/tmp', '/dev/null'],
-    denyWrite: ['.env', '.env.*', '*.pem', '*.key'],
-  },
-};
-
-function isRecord(value: unknown): value is Record<string, unknown> {
-  return typeof value === 'object' && value !== null && !Array.isArray(value);
-}
-
-function stringArray(value: unknown): string[] | undefined {
-  if (!Array.isArray(value)) return undefined;
-  return value.every((item) => typeof item === 'string') ? [...value] : undefined;
-}
-
-function normalizeNetworkConfig(value: unknown): Partial<SandboxNetworkConfig> | undefined {
-  if (!isRecord(value)) return undefined;
-
-  const config: Partial<SandboxNetworkConfig> = {};
-  if (typeof value.allowNetwork === 'boolean') config.allowNetwork = value.allowNetwork;
-  if (typeof value.allowLocalBinding === 'boolean')
-    config.allowLocalBinding = value.allowLocalBinding;
-  if (typeof value.allowAllUnixSockets === 'boolean')
-    config.allowAllUnixSockets = value.allowAllUnixSockets;
-
-  const allowUnixSockets = stringArray(value.allowUnixSockets);
-  if (allowUnixSockets) config.allowUnixSockets = allowUnixSockets;
-
-  const allowedDomains = stringArray(value.allowedDomains);
-  if (allowedDomains) config.allowedDomains = allowedDomains;
-
-  const deniedDomains = stringArray(value.deniedDomains);
-  if (deniedDomains) config.deniedDomains = deniedDomains;
-
-  return config;
-}
-
-function normalizeFilesystemConfig(value: unknown): Partial<SandboxFilesystemConfig> | undefined {
-  if (!isRecord(value)) return undefined;
-
-  const config: Partial<SandboxFilesystemConfig> = {};
-  const denyRead = stringArray(value.denyRead);
-  if (denyRead) config.denyRead = denyRead;
-
-  const allowRead = stringArray(value.allowRead);
-  if (allowRead) config.allowRead = allowRead;
-
-  const allowWrite = stringArray(value.allowWrite);
-  if (allowWrite) config.allowWrite = allowWrite;
-
-  const denyWrite = stringArray(value.denyWrite);
-  if (denyWrite) config.denyWrite = denyWrite;
-
-  return config;
-}
-
-function normalizeConfig(value: unknown): SandboxConfigOverrides {
-  if (!isRecord(value)) return {};
-
-  const config: SandboxConfigOverrides = {};
-  if (typeof value.enabled === 'boolean') config.enabled = value.enabled;
-
-  const network = normalizeNetworkConfig(value.network);
-  if (network) config.network = network;
-
-  const filesystem = normalizeFilesystemConfig(value.filesystem);
-  if (filesystem) config.filesystem = filesystem;
-
-  return config;
-}
-
-function normalizeOptions(options: PluginOptions | undefined): SandboxConfigOverrides {
-  if (!isRecord(options)) return {};
-  return normalizeConfig(isRecord(options.config) ? options.config : options);
-}
-
-function deepMerge(base: SandboxConfig, overrides: SandboxConfigOverrides): SandboxConfig {
-  return {
-    enabled: overrides.enabled ?? base.enabled,
-    network: {
-      ...base.network,
-      ...overrides.network,
-    },
-    filesystem: {
-      ...base.filesystem,
-      ...overrides.filesystem,
-    },
-  };
-}
-
-function getConfigPaths(baseDirectory: string): { globalPath: string; projectPath: string } {
-  return {
-    globalPath: join(homedir(), '.config', 'opencode', 'sandbox.json'),
-    projectPath: join(baseDirectory, '.opencode', 'sandbox.json'),
-  };
+function isLandstripErrorReason(value: string): value is LandstripErrorResponse['reason'] {
+  return LANDSTRIP_ERROR_REASONS.has(value as LandstripErrorResponse['reason']);
 }
 
-function readConfigFile(configPath: string): SandboxConfigOverrides {
-  if (!existsSync(configPath)) return {};
-
-  try {
-    return normalizeConfig(JSON.parse(readFileSync(configPath, 'utf-8')));
-  } catch (error) {
-    console.error(`Warning: Could not parse ${configPath}: ${error}`);
-    return {};
-  }
+function isLandstripOperation(
+  value: string,
+): value is NonNullable<LandstripErrorResponse['operation']> {
+  return LANDSTRIP_OPERATIONS.has(value as NonNullable<LandstripErrorResponse['operation']>);
 }
 
-function loadConfig(baseDirectory: string, optionOverrides: SandboxConfigOverrides): SandboxConfig {
-  const { globalPath, projectPath } = getConfigPaths(baseDirectory);
-  return deepMerge(
-    deepMerge(deepMerge(DEFAULT_CONFIG, readConfigFile(globalPath)), readConfigFile(projectPath)),
-    optionOverrides,
-  );
+function isLandstripErrorType(value: string): value is NonNullable<LandstripErrorResponse['type']> {
+  return LANDSTRIP_ERROR_TYPES.has(value as NonNullable<LandstripErrorResponse['type']>);
 }
 
 function expandPath(filePath: string, baseDirectory: string): string {
@@ -318,18 +176,6 @@ function shouldPromptForWrite(path: string, allowWrite: string[], baseDirectory:
   return allowWrite.length === 0 || !matchesPattern(path, allowWrite, baseDirectory);
 }
 
-function extractDomainsFromCommand(command: string): string[] {
-  const urlRegex = /https?:\/\/([^\s/:?#'"]+)(?::\d+)?(?:[/?#]|\s|$)/g;
-  const domains = new Set<string>();
-  let match: RegExpExecArray | null;
-
-  while ((match = urlRegex.exec(command)) !== null) {
-    domains.add(match[1]);
-  }
-
-  return [...domains];
-}
-
 function domainMatchesPattern(domain: string, pattern: string): boolean {
   const normalizedDomain = domain.toLowerCase();
   const normalizedPattern = pattern.toLowerCase();
@@ -527,7 +373,7 @@ function evaluateDomainPermission(
 }
 
 function landstripVersion(): string | null {
-  const result = spawnSync(binaryPath(), ['--version'], { encoding: 'utf-8' });
+  const result = spawnSync(landstripBinaryPath(), ['--version'], { encoding: 'utf-8' });
   if (result.status !== 0) return null;
   return result.stdout.trim();
 }
@@ -564,25 +410,19 @@ function parseLandstripErrors(output: string): LandstripErrorResponse[] {
       if (key.length > 0 && value.length > 0) fields[key] = value;
     }
 
-    if (
-      fields.reason &&
-      ['Other', 'LaunchFailed', 'SetupFailed', 'Usage'].includes(fields.reason) &&
-      fields.source
-    ) {
+    if (fields.reason && isLandstripErrorReason(fields.reason)) {
       const error: LandstripErrorResponse = {
-        reason: fields.reason as LandstripErrorResponse['reason'],
-        source: fields.source,
+        reason: fields.reason,
       };
 
       if (fields.file) error.file = fields.file;
+      if (fields.operation && isLandstripOperation(fields.operation)) {
+        error.operation = fields.operation;
+      }
       if (fields.program) error.program = fields.program;
+      if (fields.source) error.source = fields.source;
 
-      if (
-        fields.type &&
-        ['filesystem', 'network', 'platform', 'launch', 'encoding'].includes(fields.type)
-      ) {
-        error.type = fields.type as LandstripErrorResponse['type'];
-      }
+      if (fields.type && isLandstripErrorType(fields.type)) error.type = fields.type;
 
       errors.push(error);
     }
@@ -599,13 +439,16 @@ function formatLandstripErrors(errors: LandstripErrorResponse[]): string {
       if (err.file) {
         parts.push(` (${err.file})`);
       }
+      if (err.operation) {
+        parts.push(` ${err.operation}`);
+      }
       if (err.program) {
         parts.push(` ${err.program}`);
       }
       if (err.type) {
         parts.push(`:${err.type}`);
       }
-      parts.push(`: ${err.source}`);
+      if (err.source) parts.push(`: ${err.source}`);
 
       return parts.join('');
     })
@@ -838,12 +681,12 @@ function shellArgs(shell: string, command: string): string[] {
 function buildWrappedCommand(policyPath: string, shell: string, command: string): string {
   const args = ['-p', policyPath, ...shellArgs(shell, command)];
 
-  return [binaryPath(), ...args].map(shellQuote).join(' ');
+  return [landstripBinaryPath(), ...args].map(shellQuote).join(' ');
 }
 
 function isGeneratedWrappedCommand(command: string): boolean {
   return (
-    command.startsWith(`${shellQuote(binaryPath())} `) &&
+    command.startsWith(`${shellQuote(landstripBinaryPath())} `) &&
     command.includes(` ${shellQuote('-p')} `) &&
     command.includes('opencode-landstrip-')
   );
@@ -964,6 +807,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
   function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
     if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+    client.tui
+      ?.showToast?.({
+        body: {
+          title: 'Sandbox blocked',
+          message: decision.message.slice(0, 120),
+          variant: 'error',
+        },
+      })
+      ?.catch?.(() => undefined);
     throw errorWithConfigPaths(directory, decision.message);
   }
 
@@ -995,7 +847,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       '# Sandbox Configuration',
       '',
       `Status: ${sandboxDisabled ? 'disabled for this session' : 'active'}`,
-      `landstrip: ${binaryPath()}`,
+      `landstrip package binary: ${landstripBinaryPath()}`,
       '',
       'Config files:',
       `- project: ${projectPath}`,
@@ -1082,7 +934,17 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       return landstripCheck;
     }
 
-    const version = landstripVersion();
+    let version: string | null;
+    try {
+      version = landstripVersion();
+    } catch (error) {
+      landstripCheck = {
+        ok: false,
+        reason: error instanceof Error ? error.message : String(error),
+      };
+      return landstripCheck;
+    }
+
     if (!version) {
       landstripCheck = {
         ok: false,
@@ -1094,7 +956,7 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (!hasMinimumVersion(version, LANDSTRIP_VERSION)) {
       landstripCheck = {
         ok: false,
-        reason: `landstrip 0.11.0 or newer is required; found: ${version}`,
+        reason: `landstrip ${REQUIRED_LANDSTRIP_VERSION} or newer is required; found: ${version}`,
       };
       return landstripCheck;
     }
@@ -1107,7 +969,14 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     if (sandboxDisabled) return null;
 
     const config = loadConfig(directory, optionOverrides);
-    if (!config.enabled) return null;
+    if (!config.enabled) {
+      await notifyOnce(
+        `not-configured:${directory}`,
+        'Sandbox is not configured — no sandbox.json5 found',
+        'info',
+      );
+      return null;
+    }
 
     const check = checkLandstrip();
     if (!check?.ok) {
@@ -1435,6 +1304,11 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       if (input.command.trim() === '/sandbox') {
         const config = loadConfig(directory, optionOverrides);
         pushCommandText(input, output, sandboxSummary(config));
+        await client.tui
+          ?.showToast?.({
+            body: { title: 'Sandbox', message: `Config loaded for ${directory}`, variant: 'info' },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1453,6 +1327,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           output,
           'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
         );
+        await client.tui
+          ?.showToast?.({
+            body: {
+              title: 'Sandbox',
+              message: 'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
+              variant: 'warning',
+            },
+          })
+          ?.catch?.(() => undefined);
         return;
       }
 
@@ -1466,7 +1349,30 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
           return;
         }
         sandboxDisabled = false;
-        pushCommandText(input, output, 'Sandbox re-enabled.');
+        const config = await activeConfig();
+        if (!config) {
+          pushCommandText(
+            input,
+            output,
+            'Sandbox re-enabled but no sandbox.json5 found — no rules active.\nCreate sandbox.json5 to enforce sandboxing.',
+          );
+          await client.tui
+            ?.showToast?.({
+              body: {
+                title: 'Sandbox',
+                message: 'Sandbox re-enabled but no sandbox.json5 found — no rules active.',
+                variant: 'warning',
+              },
+            })
+            ?.catch?.(() => undefined);
+        } else {
+          pushCommandText(input, output, 'Sandbox re-enabled.');
+          await client.tui
+            ?.showToast?.({
+              body: { title: 'Sandbox', message: 'Sandbox re-enabled.', variant: 'success' },
+            })
+            ?.catch?.(() => undefined);
+        }
         return;
       }
 
@@ -1482,6 +1388,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         for (const path of extractCandidatePaths(shellCommand)) {
           const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);
           if (readDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: readDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(directory, readDecision.message);
           }
 
@@ -1492,6 +1407,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
             effectiveAllowWrite,
           );
           if (writeDecision.status === 'deny') {
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: writeDecision.message.slice(0, 120),
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(directory, writeDecision.message);
           }
         }
@@ -1507,6 +1431,15 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
               blockedDomain.reason === 'deniedDomains'
                 ? 'is blocked by network.deniedDomains'
                 : 'is not in network.allowedDomains';
+            client.tui
+              ?.showToast?.({
+                body: {
+                  title: 'Sandbox blocked',
+                  message: `Network access denied for "${blockedDomain.domain}"`,
+                  variant: 'error',
+                },
+              })
+              ?.catch?.(() => undefined);
             throw errorWithConfigPaths(
               directory,
               `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.3.11",
+  "version": "0.3.13",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -16,6 +16,7 @@
   "files": [
     "index.ts",
     "tui.ts",
+    "shared.ts",
     "landstrip.d.ts",
     "README.md",
     "sandbox.json"
@@ -37,8 +38,8 @@
     }
   },
   "scripts": {
-    "fmt": "oxfmt index.ts tui.ts package.json tsconfig.json sandbox.json .oxfmtrc.json README.md test/*.test.mjs",
-    "lint": "oxlint index.ts tui.ts",
+    "fmt": "oxfmt index.ts tui.ts shared.ts package.json tsconfig.json sandbox.json .oxfmtrc.json README.md test/*.test.mjs",
+    "lint": "oxlint index.ts tui.ts shared.ts",
     "check": "tsc --noEmit",
     "test": "node --test test/*.test.mjs",
     "all": "npm run fmt && npm run lint && npm run check && npm test",
@@ -48,10 +49,10 @@
     "ci:test": "npm test"
   },
   "dependencies": {
-    "@jarkkojs/landstrip": "^0.11.0"
+    "@jarkkojs/landstrip": "^0.11.11"
   },
   "devDependencies": {
-    "@opencode-ai/plugin": "^1.17.3",
+    "@opencode-ai/plugin": "^1.17.7",
     "@opentui/core": ">=0.3.4",
     "@opentui/keymap": ">=0.3.4",
     "@opentui/solid": ">=0.3.4",
@@ -61,7 +62,7 @@
     "typescript": "^5.8.2"
   },
   "peerDependencies": {
-    "@opencode-ai/plugin": "^1.17.3"
+    "@opencode-ai/plugin": "^1.17.7"
   },
   "peerDependenciesMeta": {
     "@opencode-ai/plugin": {
@@ -69,6 +70,6 @@
     }
   },
   "engines": {
-    "opencode": ">=1.17.3"
+    "opencode": ">=1.17.7"
   }
 }