opencode-landstrip 0.3.9 → 0.3.11

package/README.md

@@ -14,6 +14,18 @@ Add the plugin to `opencode.json`:
 }
 ```
 
+Add the TUI entrypoint to `tui.json` if you install or configure the plugin
+manually:
+
+```json
+{
+  "$schema": "https://opencode.ai/config.json",
+  "plugin": ["opencode-landstrip"]
+}
+```
+
+`opencode plugin install opencode-landstrip` configures both entrypoints.
+
 This installs `opencode-landstrip` and its `@jarkkojs/landstrip` dependency, which
 includes platform-specific native binaries for Linux, macOS, and Windows.
 
@@ -32,9 +44,12 @@ The plugin wraps opencode's AI `bash` tool in `landstrip`, routes proxy-aware
 network traffic through an allowlist proxy, and blocks read/write tool access
 outside configured filesystem allowlists.
 
+Run `/sandbox` in the TUI to inspect the active sandbox configuration.
+
 opencode's current server plugin API does not expose Pi-style custom permission
-dialogs or a way to rewrite manually typed shell-mode commands. Blocked access
-fails with an error that points at the sandbox config files.
+dialogs or a way to rewrite manually typed shell-mode commands. The `/sandbox`
+status view is provided by the TUI plugin entrypoint. Blocked access fails with
+an error that points at the sandbox config files.
 
 ## Disable
 

package/index.ts

@@ -74,6 +74,15 @@ interface BashSandboxState {
   stop: (() => Promise<void>) | null;
 }
 
+type SandboxPermissionKind = 'read' | 'write' | 'domain';
+
+interface SandboxPermissionDecision {
+  status: 'allow' | 'ask' | 'deny';
+  kind: SandboxPermissionKind;
+  resource: string;
+  message: string;
+}
+
 type ToastVariant = 'info' | 'success' | 'warning' | 'error';
 
 const LANDSTRIP_VERSION = [0, 11, 0] as const;
@@ -310,7 +319,7 @@ function shouldPromptForWrite(path: string, allowWrite: string[], baseDirectory:
 }
 
 function extractDomainsFromCommand(command: string): string[] {
-  const urlRegex = /https?:\/\/([^\s/:?#]+)(?::\d+)?(?:[/?#]|\s|$)/g;
+  const urlRegex = /https?:\/\/([^\s/:?#'"]+)(?::\d+)?(?:[/?#]|\s|$)/g;
   const domains = new Set<string>();
   let match: RegExpExecArray | null;
 
@@ -434,6 +443,89 @@ function firstBlockedDomain(
   return null;
 }
 
+function evaluateReadPermission(
+  path: string,
+  config: SandboxConfig,
+  baseDirectory: string,
+  effectiveAllowRead: string[],
+): SandboxPermissionDecision {
+  const filePath = canonicalizePath(path, baseDirectory);
+
+  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) {
+    return { status: 'allow', kind: 'read', resource: filePath, message: '' };
+  }
+
+  if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
+    return {
+      status: 'deny',
+      kind: 'read',
+      resource: filePath,
+      message: `Sandbox: read access denied for "${filePath}" (denyRead overrides allowRead).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'read',
+    resource: filePath,
+    message: `Sandbox: read access requires approval for "${filePath}" (not in filesystem.allowRead).`,
+  };
+}
+
+function evaluateWritePermission(
+  path: string,
+  config: SandboxConfig,
+  baseDirectory: string,
+  effectiveAllowWrite: string[],
+): SandboxPermissionDecision {
+  const filePath = canonicalizePath(path, baseDirectory);
+
+  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) {
+    return { status: 'allow', kind: 'write', resource: filePath, message: '' };
+  }
+
+  if (matchesPattern(filePath, config.filesystem.denyWrite, baseDirectory)) {
+    return {
+      status: 'deny',
+      kind: 'write',
+      resource: filePath,
+      message: `Sandbox: write access denied for "${filePath}" (in filesystem.denyWrite).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'write',
+    resource: filePath,
+    message: `Sandbox: write access requires approval for "${filePath}" (not in filesystem.allowWrite).`,
+  };
+}
+
+function evaluateDomainPermission(
+  domain: string,
+  config: SandboxConfig,
+): SandboxPermissionDecision {
+  if (config.network.allowNetwork || domainMatchesAny(domain, config.network.allowedDomains)) {
+    return { status: 'allow', kind: 'domain', resource: domain, message: '' };
+  }
+
+  if (domainMatchesAny(domain, config.network.deniedDomains)) {
+    return {
+      status: 'deny',
+      kind: 'domain',
+      resource: domain,
+      message: `Sandbox: network access denied for "${domain}" (is blocked by network.deniedDomains).`,
+    };
+  }
+
+  return {
+    status: 'ask',
+    kind: 'domain',
+    resource: domain,
+    message: `Sandbox: network access requires approval for "${domain}" (not in network.allowedDomains).`,
+  };
+}
+
 function landstripVersion(): string | null {
   const result = spawnSync(binaryPath(), ['--version'], { encoding: 'utf-8' });
   if (result.status !== 0) return null;
@@ -577,7 +669,7 @@ function writePolicyFile(
   baseDirectory: string,
   proxyPort: number | null,
 ): { dir: string; path: string } {
-  const dir = mkdtempSync(join(tmpdir(), 'opencode-landstrip-XXXXXX'));
+  const dir = mkdtempSync(join(tmpdir(), 'opencode-landstrip-'));
   const path = join(dir, 'policy.json');
   writeFileSync(
     path,
@@ -666,8 +758,11 @@ function startProxy(config: SandboxConfig): Promise<{ port: number; stop: () =>
       buffered = Buffer.concat([buffered, chunk]);
       const headerEnd = buffered.indexOf('\r\n\r\n');
       if (headerEnd === -1) {
-        if (buffered.length > 65536)
+        if (buffered.length > 65536) {
+          client.removeAllListeners('data');
+          client.pause();
           denyProxyRequest(client, '431 Request Header Fields Too Large');
+        }
         return;
       }
 
@@ -758,6 +853,43 @@ function landstripDescription(description: string): string {
   return description.endsWith(' (landstrip)') ? description : `${description} (landstrip)`;
 }
 
+function splitShellQuotedArgs(command: string): string[] {
+  const args: string[] = [];
+  let i = 0;
+  while (i < command.length) {
+    while (i < command.length && command[i] === ' ') i++;
+    if (i >= command.length) break;
+    if (command[i] === "'") {
+      i++;
+      let arg = '';
+      while (i < command.length && command[i] !== "'") {
+        arg += command[i];
+        i++;
+      }
+      if (i < command.length) i++;
+      args.push(arg);
+    } else {
+      let arg = '';
+      while (i < command.length && command[i] !== ' ') {
+        arg += command[i];
+        i++;
+      }
+      args.push(arg);
+    }
+  }
+  return args;
+}
+
+function extractOriginalCommand(wrappedCommand: string): string | null {
+  const args = splitShellQuotedArgs(wrappedCommand);
+  const pIdx = args.indexOf('-p');
+  if (pIdx === -1 || pIdx + 3 >= args.length) return null;
+  const flagIdx = pIdx + 3;
+  const flag = args[flagIdx];
+  if (flag !== '-lc' && flag !== '-c') return null;
+  return args.slice(flagIdx + 1).join(' ');
+}
+
 function getToolPath(args: Record<string, unknown>): string | undefined {
   const filePath = args.filePath ?? args.path;
   return typeof filePath === 'string' ? filePath : undefined;
@@ -789,71 +921,16 @@ function errorWithConfigPaths(baseDirectory: string, message: string): Error {
   return new Error(`${message}\n\nUpdate sandbox config in:\n  ${projectPath}\n  ${globalPath}`);
 }
 
-function assertReadAllowed(
-  path: string,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowRead: string[],
-): void {
-  const filePath = canonicalizePath(path, baseDirectory);
-
-  if (!shouldPromptForRead(filePath, effectiveAllowRead, baseDirectory)) return;
-
-  if (isBlockedByDenyRead(filePath, config, baseDirectory)) {
-    throw errorWithConfigPaths(
-      baseDirectory,
-      `Sandbox: read access denied for "${filePath}" (denyRead overrides allowRead).`,
-    );
-  }
-
-  throw errorWithConfigPaths(
-    baseDirectory,
-    `Sandbox: read access denied for "${filePath}" (not in filesystem.allowRead).`,
-  );
-}
-
-function assertWriteAllowed(
-  path: string,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowWrite: string[],
-): void {
-  const filePath = canonicalizePath(path, baseDirectory);
-
-  if (!shouldPromptForWrite(filePath, effectiveAllowWrite, baseDirectory)) return;
-
-  if (matchesPattern(filePath, config.filesystem.denyWrite, baseDirectory)) {
-    throw errorWithConfigPaths(
-      baseDirectory,
-      `Sandbox: write access denied for "${filePath}" (in filesystem.denyWrite).`,
-    );
-  }
-
-  throw errorWithConfigPaths(
-    baseDirectory,
-    `Sandbox: write access denied for "${filePath}" (not in filesystem.allowWrite).`,
-  );
-}
-
-function assertApplyPatchAllowed(
-  args: Record<string, unknown>,
-  config: SandboxConfig,
-  baseDirectory: string,
-  effectiveAllowWrite: string[],
-): void {
-  if (typeof args.patchText !== 'string') return;
-  for (const path of extractPatchPaths(args.patchText))
-    assertWriteAllowed(path, config, baseDirectory, effectiveAllowWrite);
-}
-
 const plugin: Plugin = async ({ client, directory }: PluginInput, options?: PluginOptions) => {
   const optionOverrides = normalizeOptions(options);
   const activeBash = new Map<string, BashSandboxState>();
   const notified = new Set<string>();
-  const sessionAllowedDomains: string[] = [];
   const sessionAllowedReadPaths: string[] = [];
   const sessionAllowedWritePaths: string[] = [];
+  const sessionAllowedDomains: string[] = [];
+  const callAllowances = new Set<string>();
   let enabledNotified = false;
+  let sandboxDisabled = false;
   let configuredShell: string | undefined;
   let landstripCheck: { ok: true; version: string } | { ok: false; reason: string } | undefined;
 
@@ -865,8 +942,80 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
     return [...config.filesystem.allowWrite, ...sessionAllowedWritePaths];
   }
 
+  function getEffectiveAllowedDomains(config: SandboxConfig): string[] {
+    return [...config.network.allowedDomains, ...sessionAllowedDomains];
+  }
+
+  function allowanceKey(callID: string, kind: SandboxPermissionKind, resource: string): string {
+    return `${callID}:${kind}:${resource}`;
+  }
+
+  function rememberCallAllowance(
+    callID: string | undefined,
+    decision: SandboxPermissionDecision,
+  ): void {
+    if (!callID || decision.status === 'deny') return;
+    callAllowances.add(allowanceKey(callID, decision.kind, decision.resource));
+  }
+
+  function hasCallAllowance(callID: string, decision: SandboxPermissionDecision): boolean {
+    return callAllowances.has(allowanceKey(callID, decision.kind, decision.resource));
+  }
+
+  function enforcePermission(callID: string, decision: SandboxPermissionDecision): void {
+    if (decision.status === 'allow' || hasCallAllowance(callID, decision)) return;
+    throw errorWithConfigPaths(directory, decision.message);
+  }
+
+  function pushCommandText(
+    input: { sessionID: string },
+    output: { parts: unknown[] },
+    text: string,
+  ): void {
+    output.parts.push({
+      type: 'text',
+      text,
+      id: '',
+      sessionID: input.sessionID,
+      messageID: '',
+    });
+  }
+
+  function sandboxSummary(config: SandboxConfig): string {
+    const { globalPath, projectPath } = getConfigPaths(directory);
+    const networkMode = config.network.allowNetwork ? 'unrestricted' : 'proxied';
+    const allowed = getEffectiveAllowedDomains(config).join(', ') || '(none)';
+    const denied = config.network.deniedDomains.join(', ') || '(none)';
+    const denyRead = config.filesystem.denyRead.join(', ') || '(none)';
+    const allowRead = getEffectiveAllowRead(config).join(', ') || '(none)';
+    const allowWrite = getEffectiveAllowWrite(config).join(', ') || '(none)';
+    const denyWrite = config.filesystem.denyWrite.join(', ') || '(none)';
+
+    return [
+      '# Sandbox Configuration',
+      '',
+      `Status: ${sandboxDisabled ? 'disabled for this session' : 'active'}`,
+      `landstrip: ${binaryPath()}`,
+      '',
+      'Config files:',
+      `- project: ${projectPath}`,
+      `- global: ${globalPath}`,
+      '',
+      `Network (${networkMode}):`,
+      `- allow network: ${config.network.allowNetwork ? 'yes' : 'no'}`,
+      `- allowed: ${allowed}`,
+      `- denied: ${denied}`,
+      '',
+      'Filesystem:',
+      `- deny read: ${denyRead}`,
+      `- allow read: ${allowRead}`,
+      `- allow write: ${allowWrite}`,
+      `- deny write: ${denyWrite}`,
+    ].join('\n');
+  }
+
   client.app
-    .log({
+    ?.log?.({
       body: {
         service: 'opencode-landstrip',
         level: 'info',
@@ -874,10 +1023,10 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       },
       query: { directory },
     })
-    .catch(() => undefined);
+    ?.catch?.(() => undefined);
 
   client.tui
-    .showToast({
+    ?.showToast?.({
       body: {
         title: 'Sandbox',
         message: `Loaded for ${directory}`,
@@ -885,29 +1034,41 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
         duration: 5000,
       },
     })
-    .catch(() => undefined);
+    ?.catch?.(() => undefined);
+
+  const notifyGate = new Map<string, Promise<void>>();
 
   async function notifyOnce(key: string, message: string, variant: ToastVariant): Promise<void> {
     if (notified.has(key)) return;
-    notified.add(key);
-
-    await client.tui
-      .showToast({
-        body: { title: 'opencode-landstrip', message, variant },
-        query: { directory },
-      })
-      .catch(() => undefined);
-
-    await client.app
-      .log({
-        body: {
-          service: 'opencode-landstrip',
-          level: variant === 'error' ? 'error' : variant === 'warning' ? 'warn' : 'info',
-          message,
-        },
-        query: { directory },
-      })
-      .catch(() => undefined);
+    const pending = notifyGate.get(key);
+    if (pending) return pending;
+
+    const promise = (async () => {
+      notified.add(key);
+
+      await client.tui
+        ?.showToast?.({
+          body: { title: 'opencode-landstrip', message, variant },
+          query: { directory },
+        })
+        ?.catch?.(() => undefined);
+
+      await client.app
+        ?.log?.({
+          body: {
+            service: 'opencode-landstrip',
+            level: variant === 'error' ? 'error' : variant === 'warning' ? 'warn' : 'info',
+            message,
+          },
+          query: { directory },
+        })
+        ?.catch?.(() => undefined);
+
+      notifyGate.delete(key);
+    })();
+
+    notifyGate.set(key, promise);
+    return promise;
   }
 
   function checkLandstrip(): typeof landstripCheck {
@@ -943,6 +1104,8 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
   }
 
   async function activeConfig(): Promise<SandboxConfig | null> {
+    if (sandboxDisabled) return null;
+
     const config = loadConfig(directory, optionOverrides);
     if (!config.enabled) return null;
 
@@ -1014,40 +1177,58 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       await cleanupBash(callID);
     }
 
-    if (isGeneratedWrappedCommand(args.command)) {
-      if (typeof args.description === 'string')
-        args.description = landstripDescription(args.description);
-      return;
+    if (isGeneratedWrappedCommand(args.command as string)) {
+      const policyMatch = (args.command as string).match(/\s'-p'\s+'([^']+)'/);
+      if (policyMatch && existsSync(policyMatch[1])) {
+        if (typeof args.description === 'string')
+          args.description = landstripDescription(args.description);
+        return;
+      }
+      if (activeBash.has(callID)) await cleanupBash(callID);
+      const original = extractOriginalCommand(args.command as string);
+      if (original) {
+        args.command = original;
+      }
     }
 
     const allowNetwork = config.network.allowNetwork;
+    const callAllowedDomains: string[] = [];
+    const effectiveConfig = {
+      ...config,
+      network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
+    };
 
     if (!allowNetwork) {
-      const blockedDomain = firstBlockedDomain(args.command, config);
-      if (blockedDomain) {
-        const reason =
-          blockedDomain.reason === 'deniedDomains'
-            ? 'is blocked by network.deniedDomains'
-            : 'is not in network.allowedDomains';
-        throw errorWithConfigPaths(
-          directory,
-          `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,
-        );
+      for (const domain of extractDomainsFromCommand(args.command as string)) {
+        const decision = evaluateDomainPermission(domain, effectiveConfig);
+        if (decision.status === 'allow') continue;
+        if (decision.status === 'ask' && hasCallAllowance(callID, decision)) {
+          callAllowedDomains.push(domain);
+          continue;
+        }
+        throw errorWithConfigPaths(directory, decision.message);
       }
     }
 
-    const proxy = allowNetwork ? null : await startProxy(config);
+    if (callAllowedDomains.length > 0) {
+      effectiveConfig.network = {
+        ...effectiveConfig.network,
+        allowedDomains: [...effectiveConfig.network.allowedDomains, ...callAllowedDomains],
+      };
+    }
+
+    const proxy = allowNetwork ? null : await startProxy(effectiveConfig);
     const proxyPort = proxy ? proxy.port : null;
     let policy: { dir: string; path: string };
 
     try {
-      policy = writePolicyFile(config, directory, proxyPort);
+      policy = writePolicyFile(effectiveConfig, directory, proxyPort);
     } catch (error) {
       if (proxy) await proxy.stop().catch(() => undefined);
       throw error;
     }
 
-    const originalCommand = args.command;
+    const originalCommand = args.command as string;
     const wrappedCommand = buildWrappedCommand(
       policy.path,
       configuredShell ?? process.env.SHELL ?? '/bin/sh',
@@ -1067,45 +1248,85 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       args.description = landstripDescription(args.description);
   }
 
-  function buildConfigSummary(config: SandboxConfig): string {
-    const { globalPath, projectPath } = getConfigPaths(directory);
-    const check = checkLandstrip();
-    const version = check?.ok === true ? check.version : 'unknown';
-    const status = config.enabled && check?.ok === true ? 'enabled' : 'disabled';
-
-    const lines = [
-      'Sandbox Configuration',
-      `  Status:         ${status}`,
-      `  Project config: ${projectPath}`,
-      `  Global config:  ${globalPath}`,
-      `  landstrip:      ${binaryPath()} (v${version})`,
-      '',
-      `  Allow network:  ${config.network.allowNetwork}`,
-      '',
-      'Network (bash commands go through HTTP proxy):',
-      `  Allow local binding: ${config.network.allowLocalBinding}`,
-      `  Allow all Unix sockets: ${config.network.allowAllUnixSockets}`,
-      ...(config.network.allowUnixSockets.length > 0
-        ? [`  Allow Unix sockets: ${config.network.allowUnixSockets.join(', ')}`]
-        : []),
-      `  Allowed domains: ${config.network.allowedDomains.join(', ') || '(none)'}`,
-      `  Denied domains:  ${config.network.deniedDomains.join(', ') || '(none)'}`,
-      '',
-      'Filesystem (bash + read/write/edit tools):',
-      `  Deny Read:   ${config.filesystem.denyRead.join(', ') || '(none)'}`,
-      `  Allow Read:  ${config.filesystem.allowRead.join(', ') || '(none)'}`,
-      `  Allow Write: ${config.filesystem.allowWrite.join(', ') || '(none)'}`,
-      `  Deny Write:  ${config.filesystem.denyWrite.join(', ') || '(none)'}`,
-    ];
-
-    return lines.join('\n');
-  }
-
   const hooks: Hooks = {
     config: async (config) => {
       configuredShell = configuredShellPath(config);
     },
 
+    'permission.ask': async (input, output) => {
+      const config = await activeConfig();
+      if (!config) return;
+
+      const request = input as Record<string, unknown>;
+      const permission =
+        typeof request.type === 'string'
+          ? request.type
+          : typeof request.permission === 'string'
+            ? request.permission
+            : typeof request.action === 'string'
+              ? request.action
+              : '';
+      const metadata = isRecord(request.metadata) ? request.metadata : {};
+      const tool = isRecord(request.tool) ? request.tool : undefined;
+      const callID =
+        typeof request.callID === 'string'
+          ? request.callID
+          : typeof tool?.callID === 'string'
+            ? tool.callID
+            : undefined;
+      const patterns = Array.isArray(request.patterns)
+        ? request.patterns.filter((item): item is string => typeof item === 'string')
+        : typeof request.pattern === 'string'
+          ? [request.pattern]
+          : Array.isArray(request.resources)
+            ? request.resources.filter((item): item is string => typeof item === 'string')
+            : [];
+
+      const decisions: SandboxPermissionDecision[] = [];
+      const effectiveAllowRead = getEffectiveAllowRead(config);
+      const effectiveAllowWrite = getEffectiveAllowWrite(config);
+
+      if (permission === 'read') {
+        for (const pattern of patterns) {
+          decisions.push(evaluateReadPermission(pattern, config, directory, effectiveAllowRead));
+        }
+      }
+
+      if (permission === 'glob' || permission === 'grep' || permission === 'list') {
+        const searchPath = typeof metadata.path === 'string' ? metadata.path : '.';
+        decisions.push(evaluateReadPermission(searchPath, config, directory, effectiveAllowRead));
+      }
+
+      if (permission === 'edit') {
+        const filepath =
+          typeof metadata.filepath === 'string'
+            ? metadata.filepath
+            : patterns.length === 1
+              ? patterns[0]
+              : undefined;
+        if (filepath) {
+          decisions.push(evaluateWritePermission(filepath, config, directory, effectiveAllowWrite));
+        }
+      }
+
+      if (permission === 'bash') {
+        const command = typeof metadata.command === 'string' ? metadata.command : patterns[0];
+        if (typeof command === 'string' && !config.network.allowNetwork) {
+          for (const domain of extractDomainsFromCommand(command)) {
+            decisions.push(evaluateDomainPermission(domain, config));
+          }
+        }
+      }
+
+      const decision =
+        decisions.find((item) => item.status === 'deny') ??
+        decisions.find((item) => item.status === 'ask');
+      if (!decision) return;
+
+      output.status = decision.status;
+      rememberCallAllowance(callID, decision);
+    },
+
     'tool.execute.before': async (input, output) => {
       if (!isRecord(output.args)) return;
 
@@ -1122,23 +1343,40 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
 
       if (input.tool === 'read') {
         const path = getToolPath(output.args);
-        if (path) assertReadAllowed(path, config, directory, effectiveAllowRead);
+        if (path)
+          enforcePermission(
+            input.callID,
+            evaluateReadPermission(path, config, directory, effectiveAllowRead),
+          );
         return;
       }
 
       if (input.tool === 'glob' || input.tool === 'grep' || input.tool === 'list') {
-        assertReadAllowed(getSearchPath(output.args), config, directory, effectiveAllowRead);
+        enforcePermission(
+          input.callID,
+          evaluateReadPermission(getSearchPath(output.args), config, directory, effectiveAllowRead),
+        );
         return;
       }
 
       if (input.tool === 'write' || input.tool === 'edit') {
         const path = getToolPath(output.args);
-        if (path) assertWriteAllowed(path, config, directory, effectiveAllowWrite);
+        if (path)
+          enforcePermission(
+            input.callID,
+            evaluateWritePermission(path, config, directory, effectiveAllowWrite),
+          );
         return;
       }
 
-      if (input.tool === 'apply_patch')
-        assertApplyPatchAllowed(output.args, config, directory, effectiveAllowWrite);
+      if (input.tool === 'apply_patch' && typeof output.args.patchText === 'string') {
+        for (const path of extractPatchPaths(output.args.patchText)) {
+          enforcePermission(
+            input.callID,
+            evaluateWritePermission(path, config, directory, effectiveAllowWrite),
+          );
+        }
+      }
     },
 
     'shell.env': async (input, output) => {
@@ -1164,13 +1402,13 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
       if (errors.length > 0) {
         const message = formatLandstripErrors(errors);
         await client.tui
-          .showToast({
+          ?.showToast?.({
             body: { title: 'opencode-landstrip', message, variant: 'error' },
             query: { directory },
           })
-          .catch(() => undefined);
+          ?.catch?.(() => undefined);
         await client.app
-          .log({
+          ?.log?.({
             body: {
               service: 'opencode-landstrip',
               level: 'error',
@@ -1178,61 +1416,102 @@ const plugin: Plugin = async ({ client, directory }: PluginInput, options?: Plug
             },
             query: { directory },
           })
-          .catch(() => undefined);
+          ?.catch?.(() => undefined);
       }
 
       const blockedPath = extractBlockedWritePath(outputText, directory, state.originalCommand);
       if (blockedPath) {
-        const config = loadConfig(directory, optionOverrides);
-        if (
-          !sessionAllowedWritePaths.includes(blockedPath) &&
-          !matchesPattern(blockedPath, config.filesystem.allowWrite, directory) &&
-          !matchesPattern(blockedPath, config.filesystem.denyWrite, directory)
-        ) {
-          sessionAllowedWritePaths.push(blockedPath);
-          await notifyOnce(
-            `write-allow:${blockedPath}`,
-            `Write access granted for session: "${blockedPath}"`,
-            'warning',
-          );
-        }
+        await notifyOnce(
+          `blocked:${blockedPath}`,
+          `Sandbox blocked access to "${blockedPath}". Approve the related OpenCode permission prompt and retry if needed.`,
+          'warning',
+        );
       }
 
       await cleanupBash(input.callID);
     },
 
     'command.execute.before': async (input, output) => {
-      if (input.command === 'sandbox' || input.command === '/sandbox') {
+      if (input.command.trim() === '/sandbox') {
         const config = loadConfig(directory, optionOverrides);
-        const summary = buildConfigSummary(config);
-        await client.tui
-          .showToast({
-            body: { title: 'Sandbox', message: summary, variant: 'info', duration: 15000 },
-            query: { directory },
-          })
-          .catch(() => undefined);
+        pushCommandText(input, output, sandboxSummary(config));
         return;
       }
 
-      // Check domain in user shell commands (commands starting with !)
+      if (input.command.trim() === '/sandbox-disable') {
+        if (sandboxDisabled) {
+          pushCommandText(
+            input,
+            output,
+            'Sandbox is already disabled. Use /sandbox-enable to re-enable.',
+          );
+          return;
+        }
+        sandboxDisabled = true;
+        pushCommandText(
+          input,
+          output,
+          'Sandbox disabled for this session. Use /sandbox-enable to re-enable.',
+        );
+        return;
+      }
+
+      if (input.command.trim() === '/sandbox-enable') {
+        if (!sandboxDisabled) {
+          pushCommandText(
+            input,
+            output,
+            'Sandbox is already enabled. Use /sandbox-disable to pause.',
+          );
+          return;
+        }
+        sandboxDisabled = false;
+        pushCommandText(input, output, 'Sandbox re-enabled.');
+        return;
+      }
+
+      // Check domain and filesystem in user shell commands (commands starting with !)
       if (input.command.startsWith('!')) {
         const shellCommand = input.command.slice(1).trim();
         const config = await activeConfig();
-        if (!config || config.network.allowNetwork) return;
-
-        const blockedDomain = firstBlockedDomain(shellCommand, config);
-        if (blockedDomain) {
-          const reason =
-            blockedDomain.reason === 'deniedDomains'
-              ? 'is blocked by network.deniedDomains'
-              : 'is not in network.allowedDomains';
-          output.parts.push({
-            type: 'text',
-            text: `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,
-            id: '',
-            sessionID: input.sessionID,
-            messageID: '',
-          });
+        if (!config) return;
+
+        const effectiveAllowRead = getEffectiveAllowRead(config);
+        const effectiveAllowWrite = getEffectiveAllowWrite(config);
+
+        for (const path of extractCandidatePaths(shellCommand)) {
+          const readDecision = evaluateReadPermission(path, config, directory, effectiveAllowRead);
+          if (readDecision.status === 'deny') {
+            throw errorWithConfigPaths(directory, readDecision.message);
+          }
+
+          const writeDecision = evaluateWritePermission(
+            path,
+            config,
+            directory,
+            effectiveAllowWrite,
+          );
+          if (writeDecision.status === 'deny') {
+            throw errorWithConfigPaths(directory, writeDecision.message);
+          }
+        }
+
+        if (!config.network.allowNetwork) {
+          const effectiveConfig = {
+            ...config,
+            network: { ...config.network, allowedDomains: getEffectiveAllowedDomains(config) },
+          };
+          const blockedDomain = firstBlockedDomain(shellCommand, effectiveConfig);
+          if (blockedDomain) {
+            const reason =
+              blockedDomain.reason === 'deniedDomains'
+                ? 'is blocked by network.deniedDomains'
+                : 'is not in network.allowedDomains';
+            throw errorWithConfigPaths(
+              directory,
+              `Sandbox: network access denied for "${blockedDomain.domain}" (${reason}).`,
+            );
+          }
         }
       }
     },

package/landstrip.d.ts

@@ -0,0 +1,3 @@
+declare module '@jarkkojs/landstrip' {
+  function binaryPath(): string;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-landstrip",
-  "version": "0.3.9",
+  "version": "0.3.11",
   "description": "Landlock-based sandboxing for opencode with landstrip",
   "keywords": [
     "landlock",
@@ -16,6 +16,7 @@
   "files": [
     "index.ts",
     "tui.ts",
+    "landstrip.d.ts",
     "README.md",
     "sandbox.json"
   ],
@@ -50,17 +51,17 @@
     "@jarkkojs/landstrip": "^0.11.0"
   },
   "devDependencies": {
-    "@opencode-ai/plugin": "^1.16.2",
-    "@opentui/core": ">=0.3.2",
-    "@opentui/keymap": ">=0.3.2",
-    "@opentui/solid": ">=0.3.2",
+    "@opencode-ai/plugin": "^1.17.3",
+    "@opentui/core": ">=0.3.4",
+    "@opentui/keymap": ">=0.3.4",
+    "@opentui/solid": ">=0.3.4",
     "@types/node": "^24.0.0",
     "oxfmt": "^0.53.0",
     "oxlint": "^1.68.0",
     "typescript": "^5.8.2"
   },
   "peerDependencies": {
-    "@opencode-ai/plugin": "^1.16.2"
+    "@opencode-ai/plugin": "^1.17.3"
   },
   "peerDependenciesMeta": {
     "@opencode-ai/plugin": {
@@ -68,6 +69,6 @@
     }
   },
   "engines": {
-    "opencode": ">=1.16.2"
+    "opencode": ">=1.17.3"
   }
 }

package/tui.ts

@@ -3,64 +3,269 @@
 
 import type { TuiPlugin } from '@opencode-ai/plugin/tui';
 
-const tui: TuiPlugin = async (api) => {
+import { binaryPath } from '@jarkkojs/landstrip';
+
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+
+interface SandboxFilesystemConfig {
+  denyRead: string[];
+  allowRead: string[];
+  allowWrite: string[];
+  denyWrite: string[];
+}
+
+interface SandboxNetworkConfig {
+  allowNetwork: boolean;
+  allowLocalBinding: boolean;
+  allowAllUnixSockets: boolean;
+  allowUnixSockets: string[];
+  allowedDomains: string[];
+  deniedDomains: string[];
+}
+
+interface SandboxConfig {
+  enabled: boolean;
+  network: SandboxNetworkConfig;
+  filesystem: SandboxFilesystemConfig;
+}
+
+interface SandboxConfigOverrides {
+  enabled?: boolean;
+  network?: Partial<SandboxNetworkConfig>;
+  filesystem?: Partial<SandboxFilesystemConfig>;
+}
+
+const DEFAULT_CONFIG: SandboxConfig = {
+  enabled: true,
+  network: {
+    allowNetwork: false,
+    allowLocalBinding: false,
+    allowAllUnixSockets: false,
+    allowUnixSockets: [],
+    allowedDomains: [
+      'npmjs.org',
+      '*.npmjs.org',
+      'registry.npmjs.org',
+      'registry.yarnpkg.com',
+      'pypi.org',
+      '*.pypi.org',
+      'github.com',
+      '*.github.com',
+      'api.github.com',
+      'raw.githubusercontent.com',
+      'crates.io',
+      '*.crates.io',
+      'static.crates.io',
+    ],
+    deniedDomains: [],
+  },
+  filesystem: {
+    denyRead: ['/Users', '/home'],
+    allowRead: [
+      '.',
+      '/dev/null',
+      '~/.config/opencode',
+      '~/.config/git',
+      '~/.gitconfig',
+      '~/.local',
+      '~/.cargo',
+    ],
+    allowWrite: ['.', '/tmp', '/dev/null'],
+    denyWrite: ['.env', '.env.*', '*.pem', '*.key'],
+  },
+};
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+
+function stringArray(value: unknown): string[] | undefined {
+  if (!Array.isArray(value)) return undefined;
+  return value.every((item) => typeof item === 'string') ? [...value] : undefined;
+}
+
+function normalizeNetworkConfig(value: unknown): Partial<SandboxNetworkConfig> | undefined {
+  if (!isRecord(value)) return undefined;
+
+  const config: Partial<SandboxNetworkConfig> = {};
+  if (typeof value.allowNetwork === 'boolean') config.allowNetwork = value.allowNetwork;
+  if (typeof value.allowLocalBinding === 'boolean')
+    config.allowLocalBinding = value.allowLocalBinding;
+  if (typeof value.allowAllUnixSockets === 'boolean')
+    config.allowAllUnixSockets = value.allowAllUnixSockets;
+
+  const allowUnixSockets = stringArray(value.allowUnixSockets);
+  if (allowUnixSockets) config.allowUnixSockets = allowUnixSockets;
+
+  const allowedDomains = stringArray(value.allowedDomains);
+  if (allowedDomains) config.allowedDomains = allowedDomains;
+
+  const deniedDomains = stringArray(value.deniedDomains);
+  if (deniedDomains) config.deniedDomains = deniedDomains;
+
+  return config;
+}
+
+function normalizeFilesystemConfig(value: unknown): Partial<SandboxFilesystemConfig> | undefined {
+  if (!isRecord(value)) return undefined;
+
+  const config: Partial<SandboxFilesystemConfig> = {};
+  const denyRead = stringArray(value.denyRead);
+  if (denyRead) config.denyRead = denyRead;
+
+  const allowRead = stringArray(value.allowRead);
+  if (allowRead) config.allowRead = allowRead;
+
+  const allowWrite = stringArray(value.allowWrite);
+  if (allowWrite) config.allowWrite = allowWrite;
+
+  const denyWrite = stringArray(value.denyWrite);
+  if (denyWrite) config.denyWrite = denyWrite;
+
+  return config;
+}
+
+function normalizeConfig(value: unknown): SandboxConfigOverrides {
+  if (!isRecord(value)) return {};
+
+  const config: SandboxConfigOverrides = {};
+  if (typeof value.enabled === 'boolean') config.enabled = value.enabled;
+
+  const network = normalizeNetworkConfig(value.network);
+  if (network) config.network = network;
+
+  const filesystem = normalizeFilesystemConfig(value.filesystem);
+  if (filesystem) config.filesystem = filesystem;
+
+  return config;
+}
+
+function normalizeOptions(options: unknown): SandboxConfigOverrides {
+  if (!isRecord(options)) return {};
+  return normalizeConfig(isRecord(options.config) ? options.config : options);
+}
+
+function deepMerge(base: SandboxConfig, overrides: SandboxConfigOverrides): SandboxConfig {
+  return {
+    enabled: overrides.enabled ?? base.enabled,
+    network: {
+      ...base.network,
+      ...overrides.network,
+    },
+    filesystem: {
+      ...base.filesystem,
+      ...overrides.filesystem,
+    },
+  };
+}
+
+function getConfigPaths(baseDirectory: string): { globalPath: string; projectPath: string } {
+  return {
+    globalPath: join(homedir(), '.config', 'opencode', 'sandbox.json'),
+    projectPath: join(baseDirectory, '.opencode', 'sandbox.json'),
+  };
+}
+
+function readConfigFile(configPath: string): SandboxConfigOverrides {
+  if (!existsSync(configPath)) return {};
+
   try {
-    api.keymap.registerLayer({
-      commands: [
-        {
-          name: 'sandbox',
-          title: 'Sandbox',
-          description: 'Show sandbox configuration',
-          category: 'plugin',
-          keybind: 'ctrl+x b',
-          suggested: true,
-          slash: { name: 'sandbox' },
-          run: async () => {
-            await api.client.tui.executeCommand({ command: 'sandbox' });
-            return true;
-          },
-        },
-      ],
-    });
-
-    if (api.command) {
-      api.command.register(() => [
-        {
-          title: 'Sandbox',
-          value: 'sandbox',
-          description: 'Show sandbox configuration',
-          category: 'plugin',
-          suggested: true,
-          slash: { name: 'sandbox' },
-          onSelect: async () => {
-            await api.client.tui.executeCommand({ command: 'sandbox' });
-          },
-        },
-      ]);
-    }
-
-    const client = api.client;
-    if (client?.tui?.showToast) {
-      client.tui
-        .showToast({
-          title: 'Sandbox',
-          message: '/sandbox command registered',
-          variant: 'info',
-        })
-        .catch(() => undefined);
-    }
-  } catch (err) {
-    const client = api.client;
-    if (client?.tui?.showToast) {
-      client.tui
-        .showToast({
-          title: 'Sandbox error',
-          message: err instanceof Error ? err.message : String(err),
-          variant: 'error',
-        })
-        .catch(() => undefined);
-    }
+    return normalizeConfig(JSON.parse(readFileSync(configPath, 'utf-8')));
+  } catch {
+    return {};
   }
+}
+
+function loadConfig(baseDirectory: string, optionOverrides: SandboxConfigOverrides): SandboxConfig {
+  const { globalPath, projectPath } = getConfigPaths(baseDirectory);
+  return deepMerge(
+    deepMerge(deepMerge(DEFAULT_CONFIG, readConfigFile(globalPath)), readConfigFile(projectPath)),
+    optionOverrides,
+  );
+}
+
+function list(values: string[]): string {
+  return values.join(', ') || '(none)';
+}
+
+function configPathLine(label: string, filePath: string): string {
+  return `${label}: ${filePath} ${existsSync(filePath) ? '(found)' : '(missing)'}`;
+}
+
+function sandboxSummary(baseDirectory: string, optionOverrides: SandboxConfigOverrides): string {
+  const config = loadConfig(baseDirectory, optionOverrides);
+  const { globalPath, projectPath } = getConfigPaths(baseDirectory);
+  const networkMode = config.network.allowNetwork ? 'unrestricted' : 'proxied';
+
+  return [
+    `Status: ${config.enabled ? 'active' : 'disabled by config'}`,
+    `landstrip: ${binaryPath()}`,
+    '',
+    'Config files',
+    configPathLine('project', projectPath),
+    configPathLine('global', globalPath),
+    '',
+    `Network: ${networkMode}`,
+    `allow network: ${config.network.allowNetwork ? 'yes' : 'no'}`,
+    `allowed: ${list(config.network.allowedDomains)}`,
+    `denied: ${list(config.network.deniedDomains)}`,
+    `unix sockets: ${config.network.allowAllUnixSockets ? 'all' : list(config.network.allowUnixSockets)}`,
+    '',
+    'Filesystem',
+    `deny read: ${list(config.filesystem.denyRead)}`,
+    `allow read: ${list(config.filesystem.allowRead)}`,
+    `allow write: ${list(config.filesystem.allowWrite)}`,
+    `deny write: ${list(config.filesystem.denyWrite)}`,
+    '',
+    'esc or any key to close',
+  ].join('\n');
+}
+
+const tui: TuiPlugin = async (api, options) => {
+  const showSandbox = () => {
+    const directory = api.state.path.directory || process.cwd();
+    const message = sandboxSummary(directory, normalizeOptions(options));
+
+    api.ui.dialog.replace(
+      () =>
+        api.ui.DialogAlert({
+          title: 'Sandbox Configuration',
+          message,
+          onConfirm: () => api.ui.dialog.clear(),
+        }),
+      () => api.ui.dialog.clear(),
+    );
+  };
+
+  api.keymap.registerLayer({
+    commands: [
+      {
+        namespace: 'palette',
+        name: 'landstrip.sandbox.show',
+        title: 'Show sandbox configuration',
+        desc: 'Show landstrip sandbox status and rules',
+        description: 'Show landstrip sandbox status and rules',
+        category: 'Sandbox',
+        suggested: true,
+        slashName: 'sandbox',
+        run: showSandbox,
+      },
+    ],
+  });
+
+  api.command?.register(() => [
+    {
+      title: 'Sandbox',
+      value: 'landstrip.sandbox.show',
+      description: 'Show sandbox configuration',
+      category: 'Sandbox',
+      suggested: true,
+      slash: { name: 'sandbox' },
+      onSelect: showSandbox,
+    },
+  ]);
 };
 
 export { tui };