feat(llm-security): OS sandbox for /security ide-scan <url> (v6.5.0)

VSIX fetch + extract for URL targets now runs in a sub-process wrapped by
sandbox-exec (macOS) or bwrap (Linux), reusing the same primitives proven
by the v5.1 git-clone sandbox. Defense-in-depth — even if our own
zip-extract.mjs ever has a bypass, the kernel refuses any write outside
the per-scan temp directory.

New files:
- scanners/lib/vsix-fetch-worker.mjs — sub-process worker. Argv: --url
  --tmpdir; emits one JSON line on stdout (ok/sha256/size/source/extRoot
  or ok:false/error/code). Silent on stderr. Exit 0/1.
- scanners/lib/vsix-sandbox.mjs — wrapper. Exports buildSandboxProfile,
  buildBwrapArgs, buildSandboxedWorker, runVsixWorker. 35s timeout, 1 MB
  stdout cap.

Changes:
- scanners/ide-extension-scanner.mjs: fetchAndExtractVsixUrl is now
  sandbox-aware (useSandbox option, default true). In-process logic
  preserved as fallback. New meta.source.sandbox field:
  'sandbox-exec' | 'bwrap' | 'none' | 'in-process'.
- scan(target, { useSandbox }) defaults to true; tests pass false because
  globalThis.fetch mocks do not cross process boundaries.
- Windows fallback: in-process with meta.warnings advisory.

Tests:
- 8 new tests in tests/scanners/vsix-sandbox.test.mjs (per-platform
  profile generation, worker arg construction, live worker exit
  behavior on invalid URLs — no network).
- Existing URL tests updated to opt out of sandbox (useSandbox: false).
- 1344 → 1352 tests, all green.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

plugins/llm-security/scanners/lib/vsix-sandbox.mjs

@@ -0,0 +1,169 @@
+// vsix-sandbox.mjs — Spawn vsix-fetch-worker.mjs under an OS sandbox so any
+// filesystem writes the ZIP extractor performs are restricted to a single
+// temp directory.
+//
+// Reuses the same sandbox primitives proven by `git-clone.mjs`:
+//   - macOS: sandbox-exec with a deny-file-write profile + subpath allow
+//   - Linux: bwrap with --ro-bind / --bind / --unshare-all
+//   - Windows / fallback: spawn directly + WARN to stderr (no OS sandbox)
+//
+// Defense-in-depth: even if our own zip-extract.mjs has a zip-slip / symlink
+// bypass we did not foresee, the OS will refuse the write. The in-process
+// validation in zip-extract.mjs remains the first line of defense.
+
+import { spawn } from 'node:child_process';
+import { spawnSync } from 'node:child_process';
+import { realpathSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve as resolvePath } from 'node:path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const WORKER_PATH = resolvePath(__dirname, 'vsix-fetch-worker.mjs');
+const WORKER_TIMEOUT_MS = 35_000; // fetch is 30s, give worker 5s of slack
+const MAX_OUTPUT_BYTES = 1024 * 1024; // 1MB JSON cap (output is tiny in practice)
+
+/**
+ * Build the sandbox-exec profile that allows writes only to `allowedWritePath`.
+ * Mirrors `buildSandboxProfile` in git-clone.mjs.
+ * @returns {string|null}  null if not on macOS or sandbox-exec missing
+ */
+export function buildSandboxProfile(allowedWritePath) {
+  if (process.platform !== 'darwin') return null;
+  const check = spawnSync('which', ['sandbox-exec'], { encoding: 'utf8' });
+  if (check.status !== 0) return null;
+  const realPath = realpathSync(allowedWritePath);
+  return [
+    '(version 1)',
+    '(allow default)',
+    '(deny file-write*)',
+    `(allow file-write* (subpath "${realPath}"))`,
+    '(allow file-write* (literal "/dev/null"))',
+    '(allow file-write* (literal "/dev/tty"))',
+  ].join('');
+}
+
+/**
+ * Build bwrap arguments that allow writes only to `allowedWritePath`.
+ * Mirrors `buildBwrapArgs` in git-clone.mjs.
+ * @returns {string[]|null}  null if not on Linux or bwrap unusable
+ */
+export function buildBwrapArgs(allowedWritePath, innerArgs) {
+  if (process.platform !== 'linux') return null;
+  const check = spawnSync('which', ['bwrap'], { encoding: 'utf8' });
+  if (check.status !== 0) return null;
+  // Probe — bwrap is shipped on Ubuntu 24.04+ but may need admin AppArmor config.
+  const probe = spawnSync(
+    'bwrap',
+    ['--ro-bind', '/', '/', '--dev', '/dev', '/bin/true'],
+    { stdio: 'ignore', timeout: 5000 },
+  );
+  if (probe.status !== 0) return null;
+  return [
+    '--ro-bind', '/', '/',
+    '--bind', allowedWritePath, allowedWritePath,
+    '--dev', '/dev',
+    '--unshare-all',
+    '--new-session',
+    '--die-with-parent',
+    ...innerArgs,
+  ];
+}
+
+/**
+ * Resolve the spawn command for a worker invocation. Returns the OS sandbox
+ * if available; otherwise plain `node` with a `sandbox: null` flag so the
+ * caller can WARN. Identical pattern to `buildSandboxedClone`.
+ *
+ * @param {string} tmpDir  writable temp dir for the worker
+ * @param {string[]} workerArgs  argv for the worker (after `node <worker>`)
+ * @returns {{cmd:string, args:string[], sandbox: 'sandbox-exec'|'bwrap'|null}}
+ */
+export function buildSandboxedWorker(tmpDir, workerArgs) {
+  const innerArgs = ['node', WORKER_PATH, ...workerArgs];
+
+  const profile = buildSandboxProfile(tmpDir);
+  if (profile) {
+    return { cmd: 'sandbox-exec', args: ['-p', profile, ...innerArgs], sandbox: 'sandbox-exec' };
+  }
+
+  const bwrapArgs = buildBwrapArgs(tmpDir, innerArgs);
+  if (bwrapArgs) {
+    return { cmd: 'bwrap', args: bwrapArgs, sandbox: 'bwrap' };
+  }
+
+  // Fallback — Windows or sandbox tools missing. Worker still runs, just not boxed.
+  return { cmd: innerArgs[0], args: innerArgs.slice(1), sandbox: null };
+}
+
+/**
+ * Spawn the VSIX worker and parse its single JSON line of output.
+ *
+ * @param {string} url       URL to fetch (passed via argv to worker)
+ * @param {string} tmpDir    writable directory for extracted files
+ * @param {object} [opts]
+ * @param {boolean} [opts.allowFallback=true]  if false, throw when no OS sandbox
+ * @returns {Promise<{ok:boolean, sandbox:'sandbox-exec'|'bwrap'|null, payload:object}>}
+ */
+export function runVsixWorker(url, tmpDir, opts = {}) {
+  const { allowFallback = true } = opts;
+  const { cmd, args, sandbox } = buildSandboxedWorker(tmpDir, ['--url', url, '--tmpdir', tmpDir]);
+
+  if (!sandbox && !allowFallback) {
+    return Promise.reject(new Error('no OS sandbox available and fallback disabled'));
+  }
+
+  return new Promise((resolve, reject) => {
+    const child = spawn(cmd, args, {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: WORKER_TIMEOUT_MS,
+      env: { ...process.env },
+    });
+
+    let stdout = '';
+    let stdoutBytes = 0;
+    let truncated = false;
+    child.stdout.on('data', (chunk) => {
+      stdoutBytes += chunk.length;
+      if (stdoutBytes > MAX_OUTPUT_BYTES) {
+        truncated = true;
+        try { child.kill('SIGKILL'); } catch {}
+        return;
+      }
+      stdout += chunk.toString('utf8');
+    });
+
+    let stderr = '';
+    child.stderr.on('data', (chunk) => { stderr += chunk.toString('utf8'); });
+
+    child.on('error', (err) => reject(new Error(`worker spawn failed: ${err.message}`)));
+
+    child.on('close', (code, signal) => {
+      if (truncated) {
+        return reject(new Error('worker output exceeded 1MB cap'));
+      }
+      if (signal === 'SIGTERM' && code === null) {
+        return reject(new Error(`worker timed out after ${WORKER_TIMEOUT_MS}ms`));
+      }
+      // Parse the last non-empty line as JSON (worker writes one line on success/failure).
+      const lines = stdout.split('\n').map((l) => l.trim()).filter(Boolean);
+      const last = lines[lines.length - 1];
+      if (!last) {
+        const tail = stderr.trim().slice(0, 200);
+        return reject(new Error(`worker produced no output${tail ? ` (stderr: ${tail})` : ''}`));
+      }
+      let payload;
+      try {
+        payload = JSON.parse(last);
+      } catch {
+        return reject(new Error(`worker emitted non-JSON: ${last.slice(0, 120)}`));
+      }
+      resolve({ ok: payload.ok === true, sandbox, payload });
+    });
+  });
+}
+
+export const __testing = {
+  WORKER_PATH,
+  WORKER_TIMEOUT_MS,
+  MAX_OUTPUT_BYTES,
+};