use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283)

1 files changed, 29 insertions, 0 deletions

diff --git a/packages/cli/src/utils/sandbox.ts b/packages/cli/src/utils/sandbox.ts
index 508ce368..697ff7e3 100644
--- a/packages/cli/src/utils/sandbox.ts
+++ b/packages/cli/src/utils/sandbox.ts
@@ -45,6 +45,14 @@ export function sandbox_command(sandbox?: string | boolean): string {
       process.exit(1);
     }
   } else {
+    // if we are on macOS (Darwin) and sandbox-exec is available, use that for minimal sandboxing
+    if (
+      os.platform() === 'darwin' &&
+      execSync('command -v sandbox-exec || true').toString().trim()
+    ) {
+      return 'sandbox-exec';
+    }
+
     return ''; // no sandbox
   }
 }
@@ -133,6 +141,27 @@ function entrypoint(workdir: string): string[] {
 }
 
 export async function start_sandbox(sandbox: string) {
+  if (sandbox === 'sandbox-exec') {
+    process.env.SANDBOX_EXEC_PROFILE ??= 'minimal';
+    const args = [
+      '-D',
+      `TARGET_DIR=${process.cwd()}`,
+      '-D',
+      `TMP_DIR=${fs.realpathSync(os.tmpdir())}`,
+      '-f',
+      new URL(
+        `sandbox-macos-${process.env.SANDBOX_EXEC_PROFILE}.sb`,
+        import.meta.url,
+      ).pathname,
+      'bash',
+      '-c',
+      'SANDBOX=sandbox-exec ' +
+        process.argv.map((arg) => quote([arg])).join(' '),
+    ];
+    spawnSync(sandbox, args, { stdio: 'inherit' });
+    return;
+  }
+
   // determine full path for gemini-code to distinguish linked vs installed setting
   const gcPath = execSync(`realpath $(which gemini-code)`).toString().trim();