bx-mac 0.10.0 → 0.12.0

package/README.md

@@ -17,7 +17,7 @@ AI-powered coding tools like Claude Code, Copilot, or Cline run with **broad fil
 bx ~/work/my-project
 ```
 
-That's it. 🎉 VSCode opens with full access to `~/work/my-project` and nothing else.
+That's it. 🎉 VSCode opens with full access to `~/work/my-project` and nothing else. Read [the blog post](https://holtwick.de/blog/bx-sandbox) for more background on the motivation behind bx.
 
 Need multiple directories? No problem:
 
@@ -30,6 +30,7 @@ bx ~/work/my-project ~/work/shared-lib
 - 🔒 Blocks `~/Documents`, `~/Desktop`, `~/Downloads`, and all other personal folders
 - 🚧 Blocks sibling projects — only the directory you specify is accessible
 - 🛡️ Protects sensitive dotdirs like `~/.ssh`, `~/.gnupg`, `~/.docker`, `~/.cargo`
+- 🏛️ Opinionated protection for `~/Library` — blocks privacy-sensitive subdirectories (Mail, Messages, Photos, Safari, Contacts, …) and containers of password managers/finance apps, while keeping tooling-relevant paths accessible
 - ⚙️ Keeps VSCode, extensions, shell, Node.js, and other tooling fully functional
 - 🔍 Generates sandbox rules dynamically based on your actual `$HOME` contents
 - 📝 Supports `.bxignore` files (searched recursively) to hide secrets like `.env` files within a project
@@ -113,6 +114,9 @@ bx zed ~/work/my-project
 # ⚡ Run a script in a sandbox
 bx exec ~/work/my-project -- python train.py
 
+# 🔀 Run in the background (terminal stays free)
+bx --background code ~/work/my-project
+
 # 🔍 Preview what will be protected (no launch)
 bx --dry ~/work/my-project
 
@@ -126,6 +130,7 @@ bx --verbose ~/work/my-project
 | --- | --- |
 | `--dry` | Show a tree of all protected, read-only, and accessible paths — don't launch anything |
 | `--verbose` | Print the generated sandbox profile plus launch details (binary, arguments, cwd, focus command) |
+| `--background` | Run the app detached in the background (like `nohup &`), output goes to `/tmp/bx-<pid>.log` |
 | `--profile-sandbox` | Use an isolated VSCode profile (separate extensions/settings, `code` mode only) |
 
 On normal runs, bx also prints a short policy summary (number of workdirs, blocked directories, hidden paths, and read-only directories).
@@ -160,12 +165,13 @@ path = "/usr/local/bin/code"
 | `path` | Absolute path to the executable **or** `.app` bundle (highest priority, skips discovery) |
 | `fallback` | Absolute fallback path if `mdfind` discovery fails |
 | `args` | Extra arguments always passed to the app |
-| `passWorkdirs` | Whether `workdir...` is forwarded as app launch args (`true`/`false`) |
+| `passWorkdirs` | Whether `workdir...` is forwarded as app launch args (`true`/`false`/`"first"`) |
 | `workdirs` | Default working directories when none are given on the CLI (supports `~/` paths) |
+| `background` | Run the app detached in the background by default (`true`/`false`) |
 
 **Resolution order:** `path` → `mdfind` by `bundle` + `binary` → `fallback`
 
-`passWorkdirs` controls launch argument behavior and is independent of sandbox scope. Even with `passWorkdirs = false`, the provided `workdir...` still defines what the sandbox can access.
+`passWorkdirs` controls launch argument behavior and is independent of sandbox scope. Even with `passWorkdirs = false`, the provided `workdir...` still defines what the sandbox can access. Use `passWorkdirs = "first"` to pass only the first workdir as a launch argument — useful when the app should open one directory but the sandbox should grant access to multiple.
 
 **Workdir shortcuts with `mode`** let you create named entries that inherit everything from an existing app — just set `mode` and `workdirs`:
 
@@ -216,9 +222,11 @@ ro:reference/docs
 ro:shared/toolchain
 ```
 
-Deny rules are applied **in addition** to the built-in protected list:
+Deny rules are applied **in addition** to the built-in protected lists:
 
-> 🔒 `.Trash` `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
+> 🔒 **Dotdirs:** `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
+>
+> 🏛️ **Library (opinionated):** `Accounts` `Calendars` `Contacts` `Cookies` `Finance` `Mail` `Messages` `Mobile Documents` `Photos` `Safari` and [others (see full list)](src/profile.ts) — plus containers of password managers & finance apps
 
 ### `<project>/.bxignore`
 
@@ -288,9 +296,10 @@ bx generates a macOS sandbox profile at launch time:
 2. **Block** each one individually with `(deny file* (subpath ...))`
 3. **Skip** all working directories, `~/Library`, dotfiles, and `rw:`/`ro:` paths from `~/.bxignore`
 4. **Descend** into parent directories of allowed paths to block only siblings (because SBPL deny rules always override allow rules)
-5. **Append** deny rules for protected dotdirs, plain entries in `~/.bxignore`, and `.bxignore` files found recursively in each working directory
-6. **Apply** `(deny file-write*)` rules for `ro:` directories (read allowed, write blocked)
-7. **Write** the profile to `/tmp`, launch the app via `sandbox-exec`, clean up on exit
+5. **Protect** an opinionated set of `~/Library` subdirectories (Mail, Messages, Photos, Safari, Contacts, Calendars, …) and app containers matching known password managers and finance apps (1Password, Bitwarden, MoneyMoney, …)
+6. **Append** deny rules for protected dotdirs, plain entries in `~/.bxignore`, and `.bxignore` files found recursively in each working directory
+7. **Apply** `(deny file-write*)` rules for `ro:` directories (read allowed, write blocked)
+8. **Write** the profile to `/tmp`, launch the app via `sandbox-exec`, clean up on exit
 
 ### Why not a simple deny-all + allow?
 

package/dist/bx.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { accessSync, constants, cpSync, existsSync, globSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { accessSync, constants, cpSync, existsSync, globSync, mkdirSync, openSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import { execFileSync, spawn } from "node:child_process";
 import { createInterface } from "node:readline";
@@ -814,8 +814,9 @@ function parseAppDef(def) {
 		path: typeof def.path === "string" ? def.path : void 0,
 		fallback: typeof def.fallback === "string" ? def.fallback : void 0,
 		args: Array.isArray(def.args) ? def.args.filter((a) => typeof a === "string") : void 0,
-		passWorkdirs: typeof def.passWorkdirs === "boolean" ? def.passWorkdirs : void 0,
-		workdirs: Array.isArray(def.workdirs) ? def.workdirs.filter((a) => typeof a === "string") : void 0
+		passWorkdirs: typeof def.passWorkdirs === "boolean" || def.passWorkdirs === "first" ? def.passWorkdirs : void 0,
+		workdirs: Array.isArray(def.workdirs) ? def.workdirs.filter((a) => typeof a === "string") : void 0,
+		background: typeof def.background === "boolean" ? def.background : void 0
 	};
 }
 /**
@@ -929,7 +930,6 @@ function resolveAppPath(app) {
 //#endregion
 //#region src/profile.ts
 const PROTECTED_DOTDIRS = [
-	".Trash",
 	".ssh",
 	".gnupg",
 	".docker",
@@ -1266,6 +1266,7 @@ function parseArgs(validModes) {
 	const verbose = rawArgs.includes("--verbose");
 	const dry = rawArgs.includes("--dry");
 	const profileSandbox = rawArgs.includes("--profile-sandbox");
+	const background = rawArgs.includes("--background");
 	const positional = rawArgs.filter((a) => !a.startsWith("--"));
 	const doubleDashIdx = rawArgs.indexOf("--");
 	const appArgs = doubleDashIdx >= 0 ? rawArgs.slice(doubleDashIdx + 1) : [];
@@ -1292,6 +1293,7 @@ function parseArgs(validModes) {
 		verbose,
 		dry,
 		profileSandbox,
+		background,
 		appArgs,
 		implicit: implicitWorkdirs
 	};
@@ -1301,8 +1303,10 @@ function parseArgs(validModes) {
 function isBuiltinMode(mode) {
 	return BUILTIN_MODES.includes(mode);
 }
-function shouldPassWorkdirs(app) {
-	return app.passWorkdirs !== false;
+function getWorkdirsToPass(app, workDirs) {
+	if (app.passWorkdirs === false) return [];
+	if (app.passWorkdirs === "first") return workDirs.slice(0, 1);
+	return workDirs;
 }
 function appBundleFromPath(path) {
 	if (path.endsWith(".app")) return path;
@@ -1373,7 +1377,7 @@ function buildAppCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 	}
 	if (app.args) args.push(...app.args);
 	if (appArgs.length > 0) args.push(...appArgs);
-	if (shouldPassWorkdirs(app)) args.push(...workDirs);
+	args.push(...getWorkdirsToPass(app, workDirs));
 	return {
 		bin,
 		args
@@ -1463,6 +1467,7 @@ const OPTIONS_TEXT = `
 Options:
   --dry                show what will be protected, don't launch
   --verbose            print the generated sandbox profile
+  --background         run in background, log output to /tmp/bx-<pid>.log
   --profile-sandbox    use an isolated VSCode profile (code mode only)
   -v, --version        show version
   -h, --help           show this help
@@ -1475,7 +1480,8 @@ Configuration:
                          binary = "..."         relative path in .app bundle
                          path = "..."           explicit executable path
                          args = ["..."]         extra arguments
-                         passWorkdirs = true|false pass workdirs as launch args
+                         passWorkdirs = true|false|"first" pass workdirs as launch args
+                         background = true      run in background by default
                        built-in apps (code, xcode) can be overridden
   ~/.bxignore          sandbox rules (one per line):
                          path         block access (deny)
@@ -1555,9 +1561,12 @@ function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDi
 	console.log(`\n${RED}✖${RESET} = denied  ${YELLOW}◉${RESET} = read-only  ${GREEN}✔${RESET} = read-write\n`);
 }
 //#endregion
+//#region package.json
+var version = "0.12.0";
+//#endregion
 //#region src/index.ts
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const VERSION = typeof __VERSION__ !== "undefined" ? __VERSION__ : "dev";
+const VERSION = version;
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
 	process$1.exit(0);
@@ -1573,7 +1582,7 @@ if (!process$1.env.HOME) {
 const HOME = process$1.env.HOME;
 async function main() {
 	const apps = getAvailableApps(loadConfig(HOME));
-	const { mode, workArgs, verbose, dry, profileSandbox, appArgs, implicit } = parseArgs(getValidModes(apps));
+	const { mode, workArgs, verbose, dry, profileSandbox, background: backgroundFlag, appArgs, implicit } = parseArgs(getValidModes(apps));
 	const app = apps[mode];
 	const workDirs = (implicit && app?.workdirs?.length ? app.workdirs : workArgs).map((a) => resolve(a.replace(/^~\//, HOME + "/")));
 	if (implicit && !app?.workdirs?.length) {
@@ -1619,10 +1628,43 @@ async function main() {
 	const profilePath = join("/tmp", `bx-${process$1.pid}.sb`);
 	writeFileSync(profilePath, profile);
 	const cmd = buildCommand(mode, workDirs, HOME, profileSandbox, appArgs, apps);
+	const background = backgroundFlag || app?.background === true;
 	const nestedSandboxWarning = getNestedSandboxWarning(mode, apps);
 	if (nestedSandboxWarning) console.error(fmt.detail(nestedSandboxWarning));
 	if (verbose) printLaunchDetails(cmd, workDirs[0], getActivationCommand(mode, apps));
 	console.error("");
+	if (background) {
+		const logPath = join("/tmp", `bx-${process$1.pid}.log`);
+		const logFd = openSync(logPath, "a");
+		const child = spawn("sandbox-exec", [
+			"-f",
+			profilePath,
+			"-D",
+			`HOME=${HOME}`,
+			"-D",
+			`WORK=${workDirs[0]}`,
+			cmd.bin,
+			...cmd.args
+		], {
+			cwd: workDirs[0],
+			stdio: [
+				"ignore",
+				logFd,
+				logFd
+			],
+			detached: true,
+			env: {
+				...process$1.env,
+				CODEBOX_SANDBOX: "1"
+			}
+		});
+		child.unref();
+		bringAppToFront(mode, apps);
+		console.error(fmt.info(`running in background (pid ${child.pid})`));
+		console.error(fmt.detail(`log: ${logPath}`));
+		console.error(fmt.detail(`sandbox profile: ${profilePath} (kept until process exits)`));
+		process$1.exit(0);
+	}
 	const child = spawn("sandbox-exec", [
 		"-f",
 		profilePath,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "0.10.0",
+  "version": "0.12.0",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {