Expand description
macOS sandbox strategy using sandbox-exec (Seatbelt).
Builds an inline SBPL profile that denies everything by default, allows broad reads (so tools can introspect the system), and grants writes only to the project directory plus any explicitly allowed paths. Forbidden read paths are denied after the broad read rule.
Note: sandbox-exec is documented as deprecated on newer macOS versions
but remains functional. A future follow-up will add an Endpoint Security
based strategy; this ships today.
Structsยง
- Seatbelt
Strategy - macOS Seatbelt strategy. See module docs.