opencode-sandbox 0.1.22 → 0.1.24

package/README.md

@@ -125,10 +125,25 @@ Everything else is **blocked by default**.
 
 ## Configuration
 
-### Option 1: Config file
+Config files are stored outside the project directory (in `~/.config/opencode-sandbox/`) so that sandboxed commands cannot modify them. This prevents indirect prompt injection from weakening the sandbox by overwriting the config.
+
+### Config file locations
+
+The plugin searches for configuration in this order (first match wins):
+
+1. **Environment variable** `OPENCODE_SANDBOX_CONFIG` (JSON string)
+2. **Per-project config** `~/.config/opencode-sandbox/projects/<project-name>.json`
+3. **Global config** `~/.config/opencode-sandbox/config.json`
+4. **Built-in defaults**
+
+The `<project-name>` is the basename of the project directory (e.g., `my-app` for `/home/user/projects/my-app`).
+
+If `XDG_CONFIG_HOME` is set, it is used instead of `~/.config`.
+
+### Example: Global config
 
 ```json
-// .opencode/sandbox.json
+// ~/.config/opencode-sandbox/config.json
 {
   "filesystem": {
     "denyRead": ["~/.ssh", "~/.aws/credentials"],
@@ -149,19 +164,30 @@ Everything else is **blocked by default**.
 }
 ```
 
-### Option 2: Environment variable
+### Example: Per-project config
+
+```json
+// ~/.config/opencode-sandbox/projects/my-app.json
+{
+  "network": {
+    "allowedDomains": ["my-internal-api.company.com"]
+  }
+}
+```
+
+### Environment variable
 
 ```bash
 OPENCODE_SANDBOX_CONFIG='{"filesystem":{"denyRead":["~/.ssh"]},"network":{"allowedDomains":["github.com"]}}' opencode
 ```
 
-### Option 3: Disable
+### Disable
 
 ```bash
 OPENCODE_DISABLE_SANDBOX=1 opencode
 ```
 
-Or in `.opencode/sandbox.json`:
+Or in any config file:
 
 ```json
 {

package/dist/config.d.ts

@@ -15,4 +15,5 @@ export interface SandboxPluginConfig {
     };
 }
 export declare function resolveConfig(projectDir: string, worktree: string, user?: SandboxPluginConfig): SandboxRuntimeConfig;
+export declare function getConfigDir(): string;
 export declare function loadConfig(projectDir: string): Promise<SandboxPluginConfig>;

package/dist/index.js

@@ -9,8 +9,13 @@ var DEFAULT_DENY_READ_DIRS = [
   ".ssh",
   ".gnupg",
   ".aws/credentials",
+  ".azure",
   ".config/gcloud",
+  ".config/gh",
+  ".kube",
+  ".docker/config.json",
   ".npmrc",
+  ".netrc",
   ".env"
 ];
 var DEFAULT_ALLOWED_DOMAINS = [
@@ -68,6 +73,18 @@ function resolveConfig(projectDir, worktree, user) {
     }
   };
 }
+function getConfigDir() {
+  const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(os.homedir(), ".config");
+  return path.join(xdgConfig, "opencode-sandbox");
+}
+async function tryLoadJsonFile(filePath) {
+  try {
+    const content = await fs.readFile(filePath, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+}
 async function loadConfig(projectDir) {
   const envConfig = process.env.OPENCODE_SANDBOX_CONFIG;
   if (envConfig) {
@@ -77,13 +94,15 @@ async function loadConfig(projectDir) {
       console.warn("[opencode-sandbox] Invalid JSON in OPENCODE_SANDBOX_CONFIG, using defaults");
     }
   }
-  const configPath = path.join(projectDir, ".opencode", "sandbox.json");
-  try {
-    const content = await fs.readFile(configPath, "utf-8");
-    return JSON.parse(content);
-  } catch {
-    return {};
-  }
+  const configDir = getConfigDir();
+  const projectName = path.basename(projectDir);
+  const projectConfig = await tryLoadJsonFile(path.join(configDir, "projects", `${projectName}.json`));
+  if (projectConfig)
+    return projectConfig;
+  const globalConfig = await tryLoadJsonFile(path.join(configDir, "config.json"));
+  if (globalConfig)
+    return globalConfig;
+  return {};
 }
 
 // src/index.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sandbox",
-  "version": "0.1.22",
+  "version": "0.1.24",
   "description": "OpenCode plugin that sandboxes agent commands using @anthropic-ai/sandbox-runtime (seatbelt on macOS, bubblewrap on Linux)",
   "type": "module",
   "main": "dist/index.js",