packages/cli/src/utils/sandbox-macos-minimal.sb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

(version 1)

;; allow everything by default
(allow default)

;; deny all writes EXCEPT under specific paths
(deny file-write*)
(allow file-write*
    (subpath (param "TARGET_DIR"))
    (subpath (param "TMP_DIR"))
    (subpath (param "CACHE_DIR"))
    (subpath (string-append (param "HOME_DIR") "/.gemini"))
    (subpath (string-append (param "HOME_DIR") "/.npm"))
    (subpath (string-append (param "HOME_DIR") "/.cache"))
    (subpath (string-append (param "HOME_DIR") "/.gitconfig"))
    (literal "/dev/stdout")
    (literal "/dev/stderr")
    (literal "/dev/null")
)