npm - pi-landstrip - Versions diffs - 0.3.2 → 0.4.0 - Mend

pi-landstrip 0.3.2 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.ts CHANGED Viewed

@@ -47,6 +47,7 @@ interface SandboxFilesystemConfig {
 }
 interface SandboxNetworkConfig {
+  allowNetwork: boolean;
   allowLocalBinding: boolean;
   allowAllUnixSockets: boolean;
   allowUnixSockets: string[];
@@ -62,10 +63,11 @@ interface SandboxConfig {
 interface LandstripPolicy {
   network: {
+    allowNetwork: boolean;
     allowLocalBinding: boolean;
     allowAllUnixSockets: boolean;
     allowUnixSockets: string[];
-    httpProxyPort: number;
+    httpProxyPort?: number;
   };
   filesystem: SandboxFilesystemConfig;
 }
@@ -78,12 +80,13 @@ interface LandstripErrorResponse {
   message: string;
 }
-const LANDSTRIP_VERSION = [0, 9, 5] as const;
+const LANDSTRIP_VERSION = [0, 10, 1] as const;
 const SUPPORTED_PLATFORMS = new Set<NodeJS.Platform>(['linux', 'darwin', 'win32']);
 const DEFAULT_CONFIG: SandboxConfig = {
   enabled: true,
   network: {
+    allowNetwork: false,
     allowLocalBinding: false,
     allowAllUnixSockets: false,
     allowUnixSockets: [],
@@ -345,25 +348,38 @@ function extractBlockedWritePath(output: string, cwd: string): string | null {
 function parseLandstripErrors(output: string): LandstripErrorResponse[] {
   const errors: LandstripErrorResponse[] = [];
-  for (const line of output.split('\n')) {
-    try {
-      const parsed = JSON.parse(line);
+  for (const block of output.trim().split(/\n\n+/)) {
+    const fields: Record<string, string> = {};
+    for (const line of block.split('\n')) {
+      const colonIndex = line.indexOf(':');
+      if (colonIndex === -1) continue;
+      const key = line.slice(0, colonIndex).trim();
+      const value = line.slice(colonIndex + 1).trim();
+      if (key.length > 0 && value.length > 0) fields[key] = value;
+    }
+    if (
+      fields.category &&
+      ['policy', 'tool', 'platform', 'system'].includes(fields.category) &&
+      fields.message
+    ) {
+      const error: LandstripErrorResponse = {
+        category: fields.category as LandstripErrorResponse['category'],
+        message: fields.message,
+      };
+      if (fields.file) error.file = fields.file;
+      if (fields.program) error.program = fields.program;
       if (
-        typeof parsed === 'object' &&
-        parsed !== null &&
-        typeof parsed.category === 'string' &&
-        ['policy', 'tool', 'platform', 'system'].includes(parsed.category) &&
-        (parsed.type === undefined ||
-          (typeof parsed.type === 'string' &&
-            ['filesystem', 'network', 'platform', 'launch', 'encoding'].includes(parsed.type))) &&
-        typeof parsed.message === 'string' &&
-        parsed.message.length > 0
+        fields.type &&
+        ['filesystem', 'network', 'platform', 'launch', 'encoding'].includes(fields.type)
       ) {
-        errors.push(parsed as LandstripErrorResponse);
+        error.type = fields.type as LandstripErrorResponse['type'];
       }
-    } catch {
-      // ignore non-JSON lines
+      errors.push(error);
     }
   }
@@ -694,15 +710,16 @@ export function createLandstripIntegration(
     return true;
   }
-  function buildLandstripPolicy(cwd: string, proxyPort: number): LandstripPolicy {
+  function buildLandstripPolicy(cwd: string, proxyPort: number | null): LandstripPolicy {
     const config = loadConfig(cwd);
     return {
       network: {
+        allowNetwork: config.network.allowNetwork,
         allowLocalBinding: config.network.allowLocalBinding,
         allowAllUnixSockets: config.network.allowAllUnixSockets,
         allowUnixSockets: config.network.allowUnixSockets,
-        httpProxyPort: proxyPort,
+        ...(proxyPort !== null ? { httpProxyPort: proxyPort } : {}),
       },
       filesystem: {
         denyRead: config.filesystem.denyRead,
@@ -713,7 +730,7 @@ export function createLandstripIntegration(
     };
   }
-  function writePolicyFile(cwd: string, proxyPort: number): { dir: string; path: string } {
+  function writePolicyFile(cwd: string, proxyPort: number | null): { dir: string; path: string } {
     const dir = mkdtempSync(join(tmpdir(), 'pi-landstrip-'));
     const path = join(dir, 'policy.json');
     writeFileSync(
@@ -858,8 +875,11 @@ export function createLandstripIntegration(
         if (!existsSync(cwd)) throw new Error(`Working directory does not exist: ${cwd}`);
         const { shell, args } = getShellConfig(SettingsManager.create(cwd).getShellPath());
-        const proxy = await startProxy(ctx, cwd);
-        const policy = writePolicyFile(cwd, proxy.port);
+        const config = loadConfig(cwd);
+        const allowNetwork = config.network.allowNetwork;
+        const proxy = allowNetwork ? null : await startProxy(ctx, cwd);
+        const proxyPort = proxy ? proxy.port : null;
+        const policy = writePolicyFile(cwd, proxyPort);
         const landstripArgs = ['-p', policy.path, shell, ...args, command];
         return new Promise((resolvePromise, reject) => {
@@ -872,13 +892,13 @@ export function createLandstripIntegration(
             cleaned = true;
             if (timeoutHandle) clearTimeout(timeoutHandle);
             signal?.removeEventListener('abort', onAbort);
-            void proxy.stop();
+            void proxy?.stop();
             rmSync(policy.dir, { recursive: true, force: true });
           };
           const child = spawn(binaryPath(), landstripArgs, {
             cwd,
-            env: proxyEnv(env, proxy.port),
+            env: allowNetwork ? { ...process.env, ...env } : proxyEnv(env, proxy!.port),
             detached: true,
             stdio: ['ignore', 'pipe', 'pipe'],
           });
@@ -1005,6 +1025,10 @@ export function createLandstripIntegration(
   }
   function warnIfAllDomainsAllowed(ctx: ExtensionContext, config: SandboxConfig): void {
+    if (config.network.allowNetwork) {
+      ctx.ui.notify('Network sandbox is disabled because network.allowNetwork is true.', 'warning');
+      return;
+    }
     if (!allowsAllDomains(config.network.allowedDomains)) return;
     ctx.ui.notify(
       'Network sandbox allows all domains because network.allowedDomains contains "*".',
@@ -1013,9 +1037,11 @@ export function createLandstripIntegration(
   }
   function enableStatus(ctx: ExtensionContext, config: SandboxConfig): void {
-    const networkLabel = allowsAllDomains(config.network.allowedDomains)
-      ? 'all domains'
-      : `${config.network.allowedDomains.length} domains`;
+    const networkLabel = config.network.allowNetwork
+      ? 'unrestricted'
+      : allowsAllDomains(config.network.allowedDomains)
+        ? 'all domains'
+        : `${config.network.allowedDomains.length} domains`;
     ctx.ui.setStatus(
       'sandbox',
       ctx.ui.theme.fg(
@@ -1049,7 +1075,7 @@ export function createLandstripIntegration(
     if (!hasMinimumVersion(version, LANDSTRIP_VERSION)) {
       sandboxEnabled = false;
       sandboxReady = false;
-      ctx.ui.notify(`landstrip 0.9.5 or newer is required; found: ${version}`, 'error');
+      ctx.ui.notify(`landstrip 0.10.1 or newer is required; found: ${version}`, 'error');
       return false;
     }
@@ -1093,18 +1119,21 @@ export function createLandstripIntegration(
     pi.on('user_bash', async (event, ctx) => {
       if (!sandboxEnabled || !sandboxReady) return;
-      if (!loadConfig(ctx.cwd).enabled) return;
-      const blockedDomain = await preflightCommandDomains(event.command, ctx);
-      if (blockedDomain) {
-        return {
-          result: {
-            output: `Blocked: "${blockedDomain}" is not allowed by the sandbox. Use /sandbox to review your config.`,
-            exitCode: 1,
-            cancelled: false,
-            truncated: false,
-          },
-        };
+      const config = loadConfig(ctx.cwd);
+      if (!config.enabled) return;
+      if (!config.network.allowNetwork) {
+        const blockedDomain = await preflightCommandDomains(event.command, ctx);
+        if (blockedDomain) {
+          return {
+            result: {
+              output: `Blocked: "${blockedDomain}" is not allowed by the sandbox. Use /sandbox to review your config.`,
+              exitCode: 1,
+              cancelled: false,
+              truncated: false,
+            },
+          };
+        }
       }
       return { operations: createLandstripBashOps(ctx) };
@@ -1119,12 +1148,14 @@ export function createLandstripIntegration(
       const { globalPath, projectPath } = getConfigPaths(ctx.cwd);
       if (sandboxReady && isToolCallEventType('bash', event)) {
-        const blockedDomain = await preflightCommandDomains(event.input.command, ctx);
-        if (blockedDomain) {
-          return {
-            block: true,
-            reason: `Network access to "${blockedDomain}" is blocked by the sandbox.`,
-          };
+        if (!config.network.allowNetwork) {
+          const blockedDomain = await preflightCommandDomains(event.input.command, ctx);
+          if (blockedDomain) {
+            return {
+              block: true,
+              reason: `Network access to "${blockedDomain}" is blocked by the sandbox.`,
+            };
+          }
         }
       }
@@ -1231,7 +1262,8 @@ export function createLandstripIntegration(
           `  Global config:  ${globalPath}`,
           `  landstrip:      ${binaryPath()}`,
           '',
-          'Network (bash through HTTP proxy):',
+          `Network (bash ${config.network.allowNetwork ? 'unrestricted' : 'through HTTP proxy'}):`,
+          `  Allow network:  ${config.network.allowNetwork}`,
           `  Allowed domains: ${config.network.allowedDomains.join(', ') || '(none)'}`,
           `  Denied domains:  ${config.network.deniedDomains.join(', ') || '(none)'}`,
           ...(sessionAllowedDomains.length > 0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pi-landstrip",
-  "version": "0.3.2",
+  "version": "0.4.0",
   "description": "Landlock-based sandboxing for pi with interactive permission prompts",
   "keywords": [
     "landstrip",
@@ -31,7 +31,7 @@
   },
   "dependencies": {
     "@earendil-works/pi-tui": "^0.78.0",
-    "@jarkkojs/landstrip": "^0.9.5"
+    "@jarkkojs/landstrip": "^0.10.1"
   },
   "devDependencies": {
     "@earendil-works/pi-coding-agent": "^0.78.0",

package/sandbox.json CHANGED Viewed

@@ -1,6 +1,7 @@
 {
   "enabled": true,
   "network": {
+    "allowNetwork": false,
     "allowLocalBinding": true,
     "allowAllUnixSockets": false,
     "allowUnixSockets": [],