OpenCode harness: add kernel-level sandbox isolation #36
Description
Problem
The OpenCode harness currently translates AgentConfig.sandbox into OpenCode's per-tool permission system (edit: "deny", bash: "deny" for read-only profiles). This is application-level enforcement only — it relies on OpenCode respecting its own permission flags, not OS kernel restrictions.
The other two harnesses have kernel-level isolation:
- ChibiHarness → nono (Landlock on Linux, Seatbelt on macOS)
- ClaudeCodeHarness → SDK sandbox (Seatbelt on macOS, bubblewrap on Linux)
Desired Behavior
When AgentConfig.sandbox is set, the OpenCode harness should enforce file access restrictions at the kernel level, matching the protection guarantees of the other harnesses.
Options to Explore
- Wrap the opencode server process with nono — similar to how ChibiHarness wraps
chibi-json. Would require passingreadPaths/writePathsthrough to nono args when spawning the server. - Use OpenCode's sandbox worktrees — the SDK has a
sandboxesAPI (v2/gen/types.gen.d.ts). Worth investigating whether this provides file isolation. - Contribute upstream — if OpenCode doesn't support kernel sandboxing, consider contributing Seatbelt/bubblewrap support to the OpenCode project.
Current State
Application-level permission enforcement was added in the terra/docs-sandbox-capabilities branch. See src/harness/opencode-harness.ts and docs/security-model.md for details.
References
src/harness/opencode-harness.ts— current permission-based sandboxsrc/harness/sandbox.ts— nono wrapper (reference implementation)docs/security-model.md— documents the gap