jailoc audit — static configuration auditor

[thejoeejoee]

config.Validate() catches broken configs but not dangerous ones. You can happily mount $HOME (exposing .ssh/, .aws/), leak OPENAI_API_KEY=sk-live-... through env, or allowlist a network that entrypoint.sh silently blocks — and jailoc won't say a word.

Idea

jailoc audit [workspace] — static checker that goes beyond validation and flags risky-but-valid configs.

What it'd catch

🔴 Errors (this won't work):

• Paths/dockerfiles/build_contexts that don't exist on disk
• allowed_networks overlapping the RFC 1918/link-local/CGNAT ranges that entrypoint.sh blocks (silently dead config)

🟡 Warnings (probably not what you want):

• Overly broad mounts ($HOME, /) — agent sees way more than intended
• Sensitive dirs (.ssh/, .gnupg/, .aws/) reachable under mounted paths
• Secret-looking env values (sk-live-*, ghp_*, AKIA*, -----BEGIN) or suspicious keys (*_TOKEN, *_SECRET)
• allowed_hosts that don't resolve

🔵 Info (just so you know):

• No network access configured at all (might be intentional)
• Empty workspace, default image

CLI sketch

jailoc audit [workspace]
jailoc audit --json
jailoc audit --level=warning

Exit: 0 clean, 1 warnings, 2 errors.

Implementation

• internal/cmd/audit.go + internal/config/audit.go returning []Finding
• Runs on top of config.Load() (validation first, audit second)
• DNS checks with timeout (warning-only, DNS is flaky)
• Network overlap uses same blocked CIDRs as entrypoint.sh
• Sensitive dir scan: shallow walk (1 level) under mounted paths

Advisory only — doesn't block jailoc up.

[thejoeejoee]

MCP server accessibility

Another category worth checking: MCP servers configured in OpenCode (mcpServers in ~/.opencode.json or ~/.config/opencode/config.json).

Two failure modes:

🔴 stdio MCP — binary not available in container
Stdio servers reference a host binary (command: "npx", command: "/usr/local/bin/mcp-server", etc.) that likely doesn't exist inside the container image. Only workspace paths and opencode config dirs are bind-mounted — host tool paths (/usr/local/bin, ~/.npm, etc.) are not.

🟡 SSE/HTTP MCP — host blocked by iptables
Remote MCP servers (url: "http://localhost:8080/sse", url: "http://192.168.1.50:3000") hit the entrypoint's OUTPUT DROP rules for private ranges unless the host is in allowed_hosts. Localhost-bound MCP servers are especially tricky — 127.0.0.1 inside the container refers to the container itself, not the host.

Suggested checks:

• Parse mcpServers from the mounted opencode config (ro mount exists in compose template)
• For stdio: warn if command is not a known container binary and not under a mounted workspace path
• For SSE/HTTP: warn if url host resolves to a private IP not covered by allowed_hosts or allowed_networks
• Info: list configured MCP servers and their expected reachability

[thejoeejoee]

Stale plugin install lock detection

When a container is stopped mid-plugin-install (jailoc down during npm install), the package directory in the persistent cache volume (opencode-cache-{workspace}) is left as an empty skeleton. On next start, opencode's lock mechanism sees it and times out:

ERROR service=plugin pkg=oh-my-opencode version=v3.14.0
  error=Timed out waiting for lock: npm-install:/home/agent/.cache/opencode/packages/oh-my-opencode@v3.14.0
  failed to install plugin

Suggested check:

• Mount/inspect the workspace's opencode-cache-* volume
• Find package directories under packages/ that are empty (no node_modules, no package.json) — these are interrupted installs
• 🟡 Warning: list stale package dirs and suggest removal (docker run --rm -v {volume}:/cache alpine rm -rf /cache/opencode/packages/{pkg})