npm - opencode-sandbox - Versions diffs - 0.2.0 → 0.3.0 - Mend

opencode-sandbox 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -107,6 +107,9 @@ $ curl https://registry.npmjs.org
 - `~/.aws/credentials`, `~/.config/gcloud`
 - `~/.npmrc`, `~/.env`
+**Filesystem (allow-read)**:
+- Empty by default
 **Filesystem (allow-write)**:
 - Project directory
 - Git worktree (validated — unsafe paths like `/` are rejected)
@@ -147,6 +150,7 @@ If `XDG_CONFIG_HOME` is set, it is used instead of `~/.config`.
 {
   "filesystem": {
     "denyRead": ["~/.ssh", "~/.aws/credentials"],
+    "allowRead": ["~/.ssh/id_ed25519.pub"],
     "allowWrite": [".", "/tmp", "/var/data"],
     "denyWrite": [".env.production"]
   },
@@ -164,6 +168,39 @@ If `XDG_CONFIG_HOME` is set, it is used instead of `~/.config`.
 }
 ```
+### Path precedence
+Path precedence is inherited from `@anthropic-ai/sandbox-runtime`:
+- Read: `allowRead` takes precedence over `denyRead`
+- Write: `denyWrite` takes precedence over `allowWrite`
+### Example: allow git commit signing with SSH public key
+If your Git workflow needs to read a public key (for example `~/.ssh/id_ed25519.pub`) while keeping `~/.ssh` blocked by default, re-allow only that file:
+```json
+// ~/.config/opencode-sandbox/config.json
+{
+  "filesystem": {
+    "denyRead": [
+      "~/.ssh",
+      "~/.gnupg",
+      "~/.aws/credentials",
+      "~/.azure",
+      "~/.config/gcloud",
+      "~/.config/gh",
+      "~/.kube",
+      "~/.docker/config.json",
+      "~/.npmrc",
+      "~/.netrc",
+      "~/.env"
+    ],
+    "allowRead": ["~/.ssh/id_ed25519.pub"]
+  }
+}
+```
 ### Example: Per-project config
 ```json
@@ -181,6 +218,12 @@ If `XDG_CONFIG_HOME` is set, it is used instead of `~/.config`.
 OPENCODE_SANDBOX_CONFIG='{"filesystem":{"denyRead":["~/.ssh"]},"network":{"allowedDomains":["github.com"]}}' opencode
 ```
+Example allowing only the SSH public key to be read:
+```bash
+OPENCODE_SANDBOX_CONFIG='{"filesystem":{"denyRead":["~/.ssh","~/.gnupg","~/.aws/credentials","~/.azure","~/.config/gcloud","~/.config/gh","~/.kube","~/.docker/config.json","~/.npmrc","~/.netrc","~/.env"],"allowRead":["~/.ssh/id_ed25519.pub"]}}' opencode
+```
 ### Disable
 ```bash

package/dist/config.d.ts CHANGED Viewed

@@ -3,6 +3,7 @@ export interface SandboxPluginConfig {
     disabled?: boolean;
     filesystem?: {
         denyRead?: string[];
+        allowRead?: string[];
         allowWrite?: string[];
         denyWrite?: string[];
     };

package/dist/index.js CHANGED Viewed

@@ -61,6 +61,7 @@ function resolveConfig(projectDir, worktree, user) {
   return {
     filesystem: {
       denyRead: user?.filesystem?.denyRead ?? DEFAULT_DENY_READ_DIRS.map((p) => path.join(homeDir, p)),
+      allowRead: user?.filesystem?.allowRead ?? [],
       allowWrite: writePaths,
       denyWrite: user?.filesystem?.denyWrite ?? []
     },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sandbox",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "OpenCode plugin that sandboxes agent commands using @anthropic-ai/sandbox-runtime (seatbelt on macOS, bubblewrap on Linux)",
   "type": "module",
   "main": "dist/index.js",
@@ -55,7 +55,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "@anthropic-ai/sandbox-runtime": "^0.0.38"
+    "@anthropic-ai/sandbox-runtime": "^0.0.43"
   },
   "peerDependencies": {
     "@opencode-ai/plugin": ">=1.0.0"
@@ -65,6 +65,6 @@
     "@opencode-ai/plugin": "^1.2.1",
     "@opencode-ai/sdk": "^1.2.1",
     "@types/bun": "^1.3.9",
-    "typescript": "^5.8.0"
+    "typescript": "^6.0.2"
   }
 }