feat: configurable sandboxing for bash commands and local MCP servers on linux/macos #20316

Open
kyuz0 wants to merge 9 commits into anomalyco:dev from kyuz0:sandboxing

kyuz0 commented Mar 31, 2026

Issue for this PR

Closes none

Type of change

  • Bug fix
  • New feature
  • Refactor / code improvement
  • Documentation

What does this PR do?

Adds bash sandboxing to OpenCode via Anthropic's Sandbox Runtime (srt). This executes agent commands in an isolated environment (bubblewrap on Linux, sandbox-exec on macOS).

The architecture is built around an abstract SandboxProvider interface so that other sandbox backends (like native bubblewrap, nsjail, or gVisor) can be easily implemented and selected in the configuration file in the future.

The sandbox is configured in opencode.json and supports:

  • Network Isolation: Blocks outbound requests except for explicit domains.
  • Environment Scrubbing: Clears process.env and injects only the env_whitelist.
  • Workspace Constraints: Restricts access to cwd and /tmp. Matches in deny_workspace_patterns are bind-mounted to /dev/null, allowing neither read nor write access.
  • Binary Blocklisting: Prevents execution of binaries in deny_binaries.

Example Configuration (opencode.json):

{
  "$schema": "https://opencode.ai/config.json",
  "bash_sandbox": {
    "enabled": true,
    "provider": "srt",
    "domains": ["github.com", "registry.npmjs.org"],
    "env_whitelist": ["PATH", "HOME", "USER", "SHELL", "TERM"],
    "deny_workspace_patterns": [
      "**/*.env",
      "**/*.secret",
      "**/*_rsa"
    ],
    "deny_binaries": ["terraform", "aws", "docker"]
  }
}

How did you verify your code works?

Ran local tests (bun test test/sandbox/srt.test.ts) that check:

  • Unapproved network requests fail.
  • Environment variables are dropped.
  • Out-of-workspace reads (e.g. ~/.bash_history) fail.
  • Matches against .env block read, write, rm, and chmod syscalls, including files created dynamically by the agent.

Note for reviewers: I am not sure if the tests as written fit the repository's standard CI flow, as they require srt to be installed on the host machine to pass.

Screenshots / recordings

If this is a UI change, please include a screenshot or recording.

Checklist

  • I have tested my changes locally
  • I have not included unrelated changes in this PR
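
An added example, not part of the PR or the project's code: a dry-run audit of the bash_sandbox settings shown above, listing which variables the env_whitelist would drop and which workspace paths the deny_workspace_patterns would mask. The glob semantics, the helper names (globToRegExp, scrubEnv, maskedPaths) and the sample environment and file list are assumptions constructed for illustration.

```typescript
// Added example. The glob semantics are an assumption, not srt's matcher.
const sandboxConfig = {
  env_whitelist: ["PATH", "HOME", "USER", "SHELL", "TERM"],
  deny_workspace_patterns: ["**/*.env", "**/*.secret", "**/*_rsa"],
};

// Constructed sample inputs: a parent environment and workspace-relative paths.
const sampleEnv: Record<string, string> = {
  PATH: "/usr/bin:/bin",
  HOME: "/home/dev",
  AWS_SECRET_ACCESS_KEY: "constructed-value",
  GITHUB_TOKEN: "constructed-value",
};
const sampleFiles = [".env", "config/prod.env", ".env.local",
  "keys/id_rsa", "keys/id_ed25519", "src/index.ts"];

// "**/" matches zero or more directories; "*" matches any run of
// non-slash characters, leading dots included (assumed semantics).
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    if (glob.slice(i, i + 3) === "**/") { re += "(?:[^/]+/)*"; i += 2; }
    else if (glob.charAt(i) === "*") re += "[^/]*";
    else re += glob.charAt(i).replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp("^" + re + "$");
}

// Keep only whitelisted variables and report the names that were dropped.
function scrubEnv(env: Record<string, string>, allow: string[]) {
  const kept: Record<string, string> = {};
  const dropped: string[] = [];
  Object.keys(env).forEach((name) => {
    const value = env[name];
    if (value !== undefined && allow.indexOf(name) !== -1) kept[name] = value;
    else dropped.push(name);
  });
  return { kept, dropped };
}

// Paths that at least one deny pattern would mask.
function maskedPaths(paths: string[], patterns: string[]): string[] {
  const regexes = patterns.map(globToRegExp);
  return paths.filter((p) => regexes.some((re) => re.test(p)));
}

console.log(scrubEnv(sampleEnv, sandboxConfig.env_whitelist).dropped);
console.log(maskedPaths(sampleFiles, sandboxConfig.deny_workspace_patterns));
```

Under these assumed semantics, `.env.local` and `keys/id_ed25519` fall outside the three sample patterns, so a deny list of this kind is worth checking against the secret file names actually present in a workspace.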

Donato Capitella added 2 commits March 31, 2026 16:25
github-actions bot added the needs:title and needs:compliance (This means the issue will auto-close after 2 hours.) labels Mar 31, 2026
@github-actions
Contributor

Hey! Your PR title "Configurable sandboxing for Bash commands on linux/macos" doesn't follow conventional commit format.

Please update it to start with one of:

  • feat: or feat(scope): new feature
  • fix: or fix(scope): bug fix
  • docs: or docs(scope): documentation changes
  • chore: or chore(scope): maintenance tasks
  • refactor: or refactor(scope): code refactoring
  • test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

kyuz0 changed the title from "Configurable sandboxing for Bash commands on linux/macos" to "feat: configurable sandboxing for bash commands on linux/macos" Mar 31, 2026
github-actions bot removed the needs:title and needs:compliance (This means the issue will auto-close after 2 hours.) labels Mar 31, 2026
@github-actions
Contributor

Thanks for updating your PR! It now meets our contributing guidelines. 👍

kyuz0 changed the title from "feat: configurable sandboxing for bash commands on linux/macos" to "feat: configurable sandboxing for bash commands and local MCP servers on linux/macos" Apr 1, 2026