remove useless

Author: e-n-0

packages/opencode/src/sandbox/policy.ts

@@ -15,7 +15,6 @@ export namespace SandboxPolicy {
     extra_deny_paths?: string[]
     opencode_roots?: string[]
     allow_network?: boolean
-    allow_unix_sockets?: boolean
   }
 
   export interface Output {
@@ -96,13 +95,6 @@ export namespace SandboxPolicy {
       ...deny(denyRoots),
       ...denyWrite(protectedRoots),
       ...(input.allow_network ? ["(allow network*)"] : []),
-      ...(input.allow_unix_sockets
-        ? [
-            "(allow system-socket (socket-domain AF_UNIX))",
-            "(allow network-bind (local unix-socket))",
-            "(allow network-outbound (remote unix-socket))",
-          ]
-        : []),
     ].join("\n")
     return {
       profile,

packages/opencode/src/sandbox/spawn.ts

@@ -34,7 +34,6 @@ export namespace SandboxSpawn {
     write_roots: string[]
     unsafe_roots: string[]
     allow_network: boolean
-    allow_unix_sockets: boolean
   }
 
   export interface Settings {
@@ -59,7 +58,6 @@ export namespace SandboxSpawn {
     preset?: string
     mode?: Mode
     allow_network?: boolean
-    allow_unix_sockets?: boolean
   }
 
   export interface PlanInput extends ResolveInput {
@@ -224,7 +222,6 @@ export namespace SandboxSpawn {
       write_roots: [],
       unsafe_roots: [],
       allow_network: input.allow_network === true,
-      allow_unix_sockets: input.allow_unix_sockets === true,
     } satisfies Diag
   }
 
@@ -370,7 +367,6 @@ export namespace SandboxSpawn {
       opencode_roots: input.opencode_roots,
       mode: input.mode,
       allow_network: input.allow_network,
-      allow_unix_sockets: input.allow_unix_sockets,
     })
 
     const diag = {
@@ -384,7 +380,6 @@ export namespace SandboxSpawn {
       write_roots: policy.write,
       unsafe_roots: [],
       allow_network: input.allow_network === true,
-      allow_unix_sockets: input.allow_unix_sockets === true,
     } satisfies Diag
 
     return {
@@ -444,7 +439,6 @@ export namespace SandboxSpawn {
       extra_write_roots: mode === "read-only" ? writeRoots : [...writeRoots, ...temp],
       extra_deny_paths: raw.extra_deny_paths.map(Filesystem.resolve),
       allow_network: allowNetwork,
-      allow_unix_sockets: input.allow_unix_sockets,
     })
 
     if (out.active) log.debug("sandbox active", out.diag)

packages/opencode/test/pty/pty-session.test.ts

@@ -1,11 +1,22 @@
-import { describe, expect, test } from "bun:test"
+import { afterEach, describe, expect, test } from "bun:test"
+import fs from "fs/promises"
+import path from "path"
 import { Bus } from "../../src/bus"
 import { Instance } from "../../src/project/instance"
 import { Pty } from "../../src/pty"
 import type { PtyID } from "../../src/pty/schema"
 import { tmpdir } from "../fixture/fixture"
 import { setTimeout as sleep } from "node:timers/promises"
 
+const env = {
+  HOME: process.env.HOME,
+}
+
+afterEach(() => {
+  if (env.HOME === undefined) delete process.env.HOME
+  else process.env.HOME = env.HOME
+})
+
 const wait = async (fn: () => boolean, ms = 5000) => {
   const end = Date.now() + ms
   while (Date.now() < end) {
@@ -129,6 +140,43 @@ describe("pty", () => {
     })
   })
 
+  test("keeps pty shell startup deterministic in sandbox mode", async () => {
+    if (process.platform !== "darwin") return
+
+    await using home = await tmpdir({
+      init: async (dir) => {
+        await Bun.write(path.join(dir, ".bashrc"), 'printf hit > "$HOME/bashrc-hit"\n')
+      },
+    })
+    await using dir = await tmpdir({
+      config: {
+        experimental: {
+          sandbox: {
+            enabled: true,
+          },
+        },
+      },
+    })
+    process.env.HOME = home.path
+
+    await Instance.provide({
+      directory: dir.path,
+      fn: async () => {
+        const info = await Pty.create({ command: "/bin/bash", title: "bash" })
+        try {
+          await sleep(150)
+          const hit = await fs
+            .access(path.join(home.path, "bashrc-hit"))
+            .then(() => true)
+            .catch(() => false)
+          expect(hit).toBe(false)
+        } finally {
+          await Pty.remove(info.id)
+        }
+      },
+    })
+  })
+
   test("blocks excluded commands on initial pty spawn", async () => {
     await using dir = await tmpdir({
       config: {

packages/opencode/test/sandbox/policy.test.ts

@@ -41,20 +41,19 @@ describe("sandbox.policy", () => {
     expect(out.profile).toContain('(subpath "/opt/homebrew")')
   })
 
-  test("adds network and unix socket rules only when requested", () => {
+  test("adds network rules only when requested", () => {
     const out = SandboxPolicy.build({
       cwd: "/tmp/project",
       project_root: "/tmp/project",
       worktree_root: "/tmp/project",
       home: "/Users/tester",
       allow_network: true,
-      allow_unix_sockets: true,
     })
 
     expect(out.profile).toContain("(allow network*)")
-    expect(out.profile).toContain("AF_UNIX")
-    expect(out.profile).toContain("network-bind")
-    expect(out.profile).toContain("network-outbound")
+    expect(out.profile).not.toContain("AF_UNIX")
+    expect(out.profile).not.toContain("network-bind")
+    expect(out.profile).not.toContain("network-outbound")
   })
 
   test("supports read-only mode without project write roots", () => {