use seatbelt on macos, with two profiles: minimal (default) which only restricts writes, and strict, which is deny-by-default and only allows specific operations (#283)

2025-12-19 09:33:53 +00:00 · 2025-05-07 20:03:29 -07:00
parent 34fe142894
commit d524309e3c
5 changed files with 133 additions and 3 deletions
--- a/packages/cli/src/ui/components/Footer.tsx
+++ b/packages/cli/src/ui/components/Footer.tsx
@@ -45,10 +45,14 @@ export const Footer: React.FC<FooterProps> = ({
      justifyContent="center"
      display="flex"
    >
-      {process.env.SANDBOX ? (
+      {process.env.SANDBOX && process.env.SANDBOX !== 'sandbox-exec' ? (
        <Text color="green"> {process.env.SANDBOX} </Text>
+      ) : process.env.SANDBOX === 'sandbox-exec' ? (
+        <Text color={Colors.AccentYellow}>
+          using macos seatbelt ({process.env.SANDBOX_EXEC_PROFILE})
+        </Text>
      ) : (
-        <Text color={Colors.AccentRed}> WARNING: OUTSIDE SANDBOX </Text>
+        <Text color={Colors.AccentRed}> WARNING: SANDBOX NOT ENABLED </Text>
      )}
    </Box>