bx-mac 0.9.0 → 0.11.0

package/README.md

@@ -134,26 +134,27 @@ On normal runs, bx also prints a short policy summary (number of workdirs, block
 
 ### `~/.bxconfig.toml`
 
-App definitions in TOML format. Each `[apps.<name>]` section becomes a CLI mode — use it as `bx <name> [workdir...]`. Built-in apps (`code`, `xcode`) are always available and can be overridden.
+App definitions in TOML format. Each `[<name>]` section becomes a CLI mode — use it as `bx <name> [workdir...]`. Built-in apps (`code`, `xcode`) are always available and can be overridden.
 
 ```toml
 # Add Cursor (auto-discovered via macOS Spotlight)
-[apps.cursor]
+[cursor]
 bundle = "com.todesktop.230313mzl4w4u92"
 binary = "Contents/MacOS/Cursor"
 args = ["--no-sandbox"]
 
 # Add Zed (explicit path, no discovery)
-[apps.zed]
+[zed]
 path = "/Applications/Zed.app/Contents/MacOS/zed"
 
 # Override built-in VSCode path
-[apps.code]
+[code]
 path = "/usr/local/bin/code"
 ```
 
 | Field | Description |
 | --- | --- |
+| `mode` | Inherit from another app (e.g. `"code"`, `"cursor"`) — only `workdirs` / overrides needed |
 | `bundle` | macOS bundle identifier — used with `mdfind` to find the app automatically |
 | `binary` | Relative path to the executable inside the `.app` bundle |
 | `path` | Absolute path to the executable **or** `.app` bundle (highest priority, skips discovery) |
@@ -166,10 +167,26 @@ path = "/usr/local/bin/code"
 
 `passWorkdirs` controls launch argument behavior and is independent of sandbox scope. Even with `passWorkdirs = false`, the provided `workdir...` still defines what the sandbox can access.
 
-**Preconfigured workdirs** let you define your usual environment per app:
+**Workdir shortcuts with `mode`** let you create named entries that inherit everything from an existing app — just set `mode` and `workdirs`:
 
 ```toml
-[apps.code]
+# "bx myproject" opens VSCode with these directories
+[myproject]
+mode = "code"
+workdirs = ["~/work/my-project", "~/work/shared-lib"]
+
+# "bx ios" opens Xcode with this directory
+[ios]
+mode = "xcode"
+workdirs = ["~/work/my-ios-app"]
+```
+
+Running `bx myproject` inherits VSCode's bundle, binary, args, and everything else — no need to repeat the full app configuration. Own fields override inherited ones, so you can still customize specific settings. Chaining is supported (e.g. `myproject` → `cursor` → `code`).
+
+**Preconfigured workdirs** also work directly on app definitions:
+
+```toml
+[code]
 workdirs = ["~/work/my-project", "~/work/shared-lib"]
 ```
 
@@ -201,7 +218,7 @@ ro:shared/toolchain
 
 Deny rules are applied **in addition** to the built-in protected list:
 
-> 🔒 `.Trash` `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
+> 🔒 `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
 
 ### `<project>/.bxignore`
 
@@ -236,6 +253,33 @@ my-project/deploy/.bxignore         # deployment credentials
 
 Each `.bxignore` resolves its patterns relative to its own directory.
 
+### Self-protecting directories
+
+You can make any directory protect itself — no global configuration needed. There are two ways:
+
+**Option 1: `.bxignore` with `/` or `.`**
+
+Create a `.bxignore` file containing a bare `/` or `.`:
+
+```gitignore
+.
+```
+
+This blocks the entire directory and everything inside it. You can combine it with other patterns (they become redundant since the whole directory is blocked).
+
+**Option 2: `.bxprotect` marker file**
+
+Create an empty `.bxprotect` file:
+
+```bash
+touch ~/work/secret-project/.bxprotect
+```
+
+Both methods have the same effect:
+
+- **Inside a workdir:** If a subdirectory is self-protected, it is completely blocked (deny) and bx does not recurse into it.
+- **As a workdir:** If you try to open a self-protected directory with `bx`, it refuses to launch with a clear error message.
+
 ## 🔧 How it works
 
 bx generates a macOS sandbox profile at launch time:
@@ -285,7 +329,7 @@ bx code ~/work/project-a ~/work/project-b
 Or preconfigure them in `~/.bxconfig.toml`:
 
 ```toml
-[apps.code]
+[code]
 workdirs = ["~/work/project-a", "~/work/project-b"]
 ```
 
@@ -309,6 +353,16 @@ cat ./src/index.ts               # ✅ Works!
 - **SQLite warnings:** `state.vscdb` errors may appear in logs — extensions still work
 - **`sandbox-exec` is undocumented:** Apple could change behavior with OS updates
 
+## 🤖 Built-in sandboxing in AI tools
+
+Some AI coding tools ship with their own sandboxing. bx complements these by providing a **uniform, tool-independent** layer that works across all applications — including editors, shells, and custom commands:
+
+- [Claude Code](https://code.claude.com/docs/en/sandboxing) — built-in sandbox for file and command restrictions
+- [Gemini CLI](https://geminicli.com/docs/cli/sandbox/) — sandbox mode for file system access control
+- [OpenAI Codex](https://developers.openai.com/codex/concepts/sandboxing) — containerized sandboxing for code execution
+
+These are great when available, but they only protect within their own tool. bx wraps the entire process — so even if a tool's built-in sandbox is misconfigured, disabled, or absent, your files stay protected.
+
 ## 📄 License
 
 MIT — see [LICENSE](LICENSE).

package/dist/bx.js

@@ -796,7 +796,8 @@ const BUILTIN_APPS = {
 	xcode: {
 		bundle: "com.apple.dt.Xcode",
 		binary: "Contents/MacOS/Xcode",
-		fallback: "/Applications/Xcode.app/Contents/MacOS/Xcode"
+		fallback: "/Applications/Xcode.app/Contents/MacOS/Xcode",
+		passWorkdirs: false
 	}
 };
 /** Shell-only built-in modes that are not app definitions */
@@ -805,6 +806,18 @@ const BUILTIN_MODES = [
 	"claude",
 	"exec"
 ];
+function parseAppDef(def) {
+	return {
+		mode: typeof def.mode === "string" ? def.mode : void 0,
+		bundle: typeof def.bundle === "string" ? def.bundle : void 0,
+		binary: typeof def.binary === "string" ? def.binary : void 0,
+		path: typeof def.path === "string" ? def.path : void 0,
+		fallback: typeof def.fallback === "string" ? def.fallback : void 0,
+		args: Array.isArray(def.args) ? def.args.filter((a) => typeof a === "string") : void 0,
+		passWorkdirs: typeof def.passWorkdirs === "boolean" ? def.passWorkdirs : void 0,
+		workdirs: Array.isArray(def.workdirs) ? def.workdirs.filter((a) => typeof a === "string") : void 0
+	};
+}
 /**
 * Load and parse ~/.bxconfig.toml. Returns empty apps if file missing or invalid.
 */
@@ -814,15 +827,26 @@ function loadConfig(home) {
 	try {
 		const doc = parse(readFileSync(configPath, "utf-8"));
 		const apps = {};
-		if (doc.apps && typeof doc.apps === "object") for (const [name, def] of Object.entries(doc.apps)) apps[name] = {
-			bundle: typeof def.bundle === "string" ? def.bundle : void 0,
-			binary: typeof def.binary === "string" ? def.binary : void 0,
-			path: typeof def.path === "string" ? def.path : void 0,
-			fallback: typeof def.fallback === "string" ? def.fallback : void 0,
-			args: Array.isArray(def.args) ? def.args.filter((a) => typeof a === "string") : void 0,
-			passWorkdirs: typeof def.passWorkdirs === "boolean" ? def.passWorkdirs : void 0,
-			workdirs: Array.isArray(def.workdirs) ? def.workdirs.filter((a) => typeof a === "string") : void 0
-		};
+		const sections = {};
+		const APP_FIELDS = new Set([
+			"mode",
+			"bundle",
+			"binary",
+			"path",
+			"fallback",
+			"args",
+			"passWorkdirs",
+			"workdirs"
+		]);
+		for (const [key, val] of Object.entries(doc)) {
+			if (key === "apps") continue;
+			if (val && typeof val === "object" && !Array.isArray(val)) {
+				const obj = val;
+				if (Object.keys(obj).some((k) => APP_FIELDS.has(k))) sections[key] = obj;
+			}
+		}
+		if (doc.apps && typeof doc.apps === "object") Object.assign(sections, doc.apps);
+		for (const [name, def] of Object.entries(sections)) apps[name] = parseAppDef(def);
 		return { apps };
 	} catch (err) {
 		console.error(`\n${fmt.warn(`failed to parse ${configPath}: ${err instanceof Error ? err.message : err}`)}`);
@@ -831,6 +855,8 @@ function loadConfig(home) {
 }
 /**
 * Merge built-in apps with user config (config wins on conflict).
+* Resolves `mode` references: an app with `mode = "code"` inherits
+* all fields from the "code" definition, then overlays its own fields.
 */
 function getAvailableApps(config) {
 	const merged = {};
@@ -839,9 +865,34 @@ function getAvailableApps(config) {
 		...merged[name],
 		...stripUndefined(def)
 	};
-	else merged[name] = def;
+	else merged[name] = def.mode || def.bundle || def.path || def.fallback ? def : {
+		...def,
+		mode: "code"
+	};
+	for (const name of Object.keys(merged)) merged[name] = resolveModeChain(name, merged);
 	return merged;
 }
+function resolveModeChain(name, apps, seen = /* @__PURE__ */ new Set()) {
+	const def = apps[name];
+	if (!def.mode) return def;
+	if (seen.has(name)) {
+		console.error(`\n${fmt.warn(`circular mode reference: ${[...seen, name].join(" → ")}`)}`);
+		const { mode: _, ...rest } = def;
+		return rest;
+	}
+	seen.add(name);
+	if (!apps[def.mode]) {
+		console.error(`\n${fmt.warn(`mode "${def.mode}" not found for app "${name}"`)}`);
+		const { mode: _, ...rest } = def;
+		return rest;
+	}
+	const resolved = resolveModeChain(def.mode, apps, seen);
+	const { mode: _, ...ownFields } = def;
+	return {
+		...resolved,
+		...stripUndefined(ownFields)
+	};
+}
 function stripUndefined(obj) {
 	const result = {};
 	for (const [k, v] of Object.entries(obj)) if (v !== void 0) result[k] = v;
@@ -876,143 +927,8 @@ function resolveAppPath(app) {
 	return null;
 }
 //#endregion
-//#region src/guards.ts
-/**
-* Abort if we're already inside a bx sandbox (env var set by us).
-*/
-function checkOwnSandbox() {
-	if (process$1.env.CODEBOX_SANDBOX === "1") {
-		console.error(`\n${fmt.error("already running inside a bx sandbox")}`);
-		console.error(fmt.detail("nesting sandbox-exec causes silent failures\n"));
-		process$1.exit(1);
-	}
-}
-/**
-* Warn if launched from inside a VSCode terminal.
-*/
-function checkVSCodeTerminal() {
-	if (process$1.env.VSCODE_PID) {
-		console.error(`\n${fmt.warn("running from inside a VSCode terminal")}`);
-		console.error(fmt.detail("this will launch a *new* instance in a sandbox"));
-		console.error(fmt.detail("the current VSCode instance will NOT be sandboxed"));
-	}
-}
-/**
-* Abort if any workdir IS $HOME or is not inside $HOME.
-*/
-function checkWorkDirs(workDirs, home) {
-	for (const dir of workDirs) {
-		if (dir === home) {
-			console.error(`\n${fmt.error("working directory cannot be $HOME itself")}`);
-			console.error(fmt.detail("sandboxing your entire home directory is not supported\n"));
-			process$1.exit(1);
-		}
-		if (!dir.startsWith(home + "/")) {
-			console.error(`\n${fmt.error(`working directory is outside $HOME: ${dir}`)}`);
-			console.error(fmt.detail("only directories inside $HOME are supported\n"));
-			process$1.exit(1);
-		}
-	}
-}
-/**
-* Warn if the target app is already running — the new workspace will open
-* in the existing (unsandboxed) instance, bypassing our sandbox profile.
-*/
-async function checkAppAlreadyRunning(mode, apps) {
-	if (BUILTIN_MODES.includes(mode)) return;
-	const app = apps[mode];
-	if (!app?.bundle) return;
-	let running = false;
-	try {
-		running = execFileSync("lsappinfo", ["list"], {
-			encoding: "utf-8",
-			timeout: 3e3
-		}).includes(`bundleID="${app.bundle}"`);
-	} catch {
-		return;
-	}
-	if (!running) return;
-	console.error(`\n${fmt.warn(`"${mode}" is already running`)}`);
-	console.error(fmt.detail("the workspace will open in the EXISTING instance — sandbox will NOT apply"));
-	if (mode === "code") console.error(fmt.detail("quit the app first, or use --profile-sandbox for an isolated instance"));
-	else console.error(fmt.detail("quit the app first to ensure sandbox protection"));
-	const rl = createInterface({
-		input: process$1.stdin,
-		output: process$1.stderr
-	});
-	const answer = await new Promise((res) => {
-		rl.question(`   continue without sandbox? [y/N] `, res);
-	});
-	rl.close();
-	if (!answer.match(/^y(es)?$/i)) process$1.exit(0);
-}
-/**
-* Detect if we're inside an unknown sandbox by probing well-known
-* directories that exist on every Mac but would be blocked.
-*/
-function checkExternalSandbox() {
-	for (const dir of [
-		"Documents",
-		"Desktop",
-		"Downloads"
-	]) {
-		const target = join(process$1.env.HOME, dir);
-		try {
-			accessSync(target, constants.R_OK);
-		} catch (e) {
-			if (e.code === "EPERM") {
-				console.error(`\n${fmt.error("already running inside a sandbox")}`);
-				console.error(fmt.detail("nesting sandbox-exec may cause silent failures\n"));
-				process$1.exit(1);
-			}
-		}
-	}
-}
-//#endregion
-//#region src/args.ts
-/**
-* Parse CLI arguments. `validModes` is the list of recognized mode names
-* (builtin modes + app names from config).
-*/
-function parseArgs(validModes) {
-	const rawArgs = process$1.argv.slice(2);
-	const verbose = rawArgs.includes("--verbose");
-	const dry = rawArgs.includes("--dry");
-	const profileSandbox = rawArgs.includes("--profile-sandbox");
-	const positional = rawArgs.filter((a) => !a.startsWith("--"));
-	const doubleDashIdx = rawArgs.indexOf("--");
-	const appArgs = doubleDashIdx >= 0 ? rawArgs.slice(doubleDashIdx + 1) : [];
-	const beforeDash = doubleDashIdx >= 0 ? rawArgs.slice(0, doubleDashIdx).filter((a) => !a.startsWith("--")) : positional;
-	let mode = "code";
-	let workArgs;
-	let implicitWorkdirs = false;
-	if (beforeDash.length > 0 && validModes.includes(beforeDash[0])) {
-		mode = beforeDash[0];
-		workArgs = beforeDash.slice(1);
-	} else workArgs = beforeDash;
-	if (workArgs.length === 0) {
-		workArgs = ["."];
-		implicitWorkdirs = true;
-	}
-	if (mode === "exec" && appArgs.length === 0) {
-		console.error(`\n${fmt.error("exec mode requires a command after \"--\"")}`);
-		console.error(fmt.detail("usage: bx exec [workdir...] -- command [args...]\n"));
-		process$1.exit(1);
-	}
-	return {
-		mode,
-		workArgs,
-		verbose,
-		dry,
-		profileSandbox,
-		appArgs,
-		implicit: implicitWorkdirs
-	};
-}
-//#endregion
 //#region src/profile.ts
 const PROTECTED_DOTDIRS = [
-	".Trash",
 	".ssh",
 	".gnupg",
 	".docker",
@@ -1021,6 +937,40 @@ const PROTECTED_DOTDIRS = [
 	".gradle",
 	".gem"
 ];
+const PROTECTED_LIBRARY_DIRS = [
+	"Accounts",
+	"Calendars",
+	"CallServices",
+	"CloudStorage",
+	"Contacts",
+	"Cookies",
+	"Finance",
+	"FinanceBackup",
+	"Google",
+	"HomeKit",
+	"IdentityServices",
+	"Mail",
+	"Messages",
+	"Mobile Documents",
+	"News",
+	"Passes",
+	"PersonalizationPortrait",
+	"Photos",
+	"Safari",
+	"SafariSafeBrowsing",
+	"Sharing",
+	"Suggestions",
+	"Thunderbird",
+	"WebKit",
+	"com.apple.appleaccountd",
+	"com.apple.iTunesCloud"
+];
+const PROTECTED_CONTAINER_PATTERNS = [
+	"com.bitwarden.*",
+	"com.agilebits.*",
+	"com.1password.*",
+	"com.moneymoney-app.*"
+];
 function parseLines(filePath) {
 	if (!existsSync(filePath)) return [];
 	return readFileSync(filePath, "utf-8").split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
@@ -1041,10 +991,27 @@ function toGlobPattern(line) {
 function resolveGlobMatches(pattern, baseDir) {
 	return globSync(toGlobPattern(pattern), { cwd: baseDir }).map((match) => resolve(baseDir, match));
 }
+/**
+* A directory is self-protected if it contains a `.bxprotect` file
+* or a `.bxignore` with a bare `/` entry.  Self-protected directories
+* are blocked entirely — they cannot be used as workdirs and are
+* denied inside workdir trees.
+*/
+function isSelfProtected(dir) {
+	if (existsSync(join(dir, ".bxprotect"))) return true;
+	return parseLines(join(dir, ".bxignore")).some((l) => l === "/" || l === ".");
+}
 function applyIgnoreFile(filePath, baseDir, ignored) {
-	for (const line of parseLines(filePath)) ignored.push(...resolveGlobMatches(line, baseDir));
+	for (const line of parseLines(filePath)) {
+		if (line === "/" || line === ".") continue;
+		ignored.push(...resolveGlobMatches(line, baseDir));
+	}
 }
 function collectIgnoreFilesRecursive(dir, ignored) {
+	if (isSelfProtected(dir)) {
+		ignored.push(dir);
+		return;
+	}
 	const ignoreFile = join(dir, ".bxignore");
 	if (existsSync(ignoreFile)) applyIgnoreFile(ignoreFile, dir, ignored);
 	let entries;
@@ -1117,8 +1084,22 @@ function collectBlockedDirs(parentDir, home, scriptDir, allowedDirs) {
 	}
 	return blocked;
 }
+function collectProtectedContainers(home) {
+	const containerDirs = ["Containers", "Group Containers"];
+	const matched = [];
+	for (const dir of containerDirs) {
+		const base = join(home, "Library", dir);
+		if (!existsSync(base)) continue;
+		for (const pattern of PROTECTED_CONTAINER_PATTERNS) matched.push(...globSync(pattern, { cwd: base }).map((m) => join(base, m)));
+	}
+	return matched;
+}
 function collectIgnoredPaths(home, workDirs) {
-	const ignored = PROTECTED_DOTDIRS.map((d) => join(home, d));
+	const ignored = [
+		...PROTECTED_DOTDIRS.map((d) => join(home, d)),
+		...PROTECTED_LIBRARY_DIRS.map((d) => join(home, "Library", d)),
+		...new Set(collectProtectedContainers(home))
+	];
 	const globalIgnore = join(home, ".bxignore");
 	if (existsSync(globalIgnore)) {
 		const denyLines = parseLines(globalIgnore).filter((l) => !ACCESS_PREFIX_RE.test(l));
@@ -1144,29 +1125,183 @@ function sbplPathRule(path) {
 	return isDir ? sbplSubpath(path) : sbplLiteral(path);
 }
 function sbplDenyBlock(comment, verb, rules) {
-	if (rules.length === 0) return "";
-	return `\n; ${comment}\n(deny ${verb}\n${rules.join("\n")}\n)\n`;
+	const unique = [...new Set(rules)];
+	if (unique.length === 0) return "";
+	return `\n; ${comment}\n(deny ${verb}\n${unique.join("\n")}\n)\n`;
 }
-function generateProfile(workDirs, blockedDirs, ignoredPaths, readOnlyDirs = []) {
+function collectSystemDenyPaths(home) {
+	const paths = [];
+	if (existsSync("/Volumes")) paths.push("/Volumes");
+	try {
+		for (const name of readdirSync("/Users")) {
+			const userDir = join("/Users", name);
+			if (userDir === home || name === "Shared") continue;
+			try {
+				if (statSync(userDir).isDirectory()) paths.push(userDir);
+			} catch {}
+		}
+	} catch {}
+	return paths;
+}
+function generateProfile(workDirs, blockedDirs, ignoredPaths, readOnlyDirs = [], home = "") {
 	const blockedRules = sbplDenyBlock("Blocked directories (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplSubpath));
 	const ignoredRules = sbplDenyBlock("Hidden paths from .bxignore", "file*", ignoredPaths.map(sbplPathRule));
 	const readOnlyRules = sbplDenyBlock("Read-only directories", "file-write*", readOnlyDirs.map(sbplSubpath));
+	const systemRules = home ? sbplDenyBlock("System-level restrictions", "file*", collectSystemDenyPaths(home).map(sbplSubpath)) : "";
 	return `; Auto-generated sandbox profile
 ; Working directories: ${workDirs.join(", ")}
 
 (version 1)
 (allow default)
-${blockedRules}${ignoredRules}${readOnlyRules}
+${blockedRules}${ignoredRules}${readOnlyRules}${systemRules}
 `;
 }
 //#endregion
+//#region src/guards.ts
+/**
+* Abort if we're already inside a bx sandbox (env var set by us).
+*/
+function checkOwnSandbox() {
+	if (process$1.env.CODEBOX_SANDBOX === "1") {
+		console.error(`\n${fmt.error("already running inside a bx sandbox")}`);
+		console.error(fmt.detail("nesting sandbox-exec causes silent failures\n"));
+		process$1.exit(1);
+	}
+}
+/**
+* Warn if launched from inside a VSCode terminal.
+*/
+function checkVSCodeTerminal() {
+	if (process$1.env.VSCODE_PID) {
+		console.error(`\n${fmt.warn("running from inside a VSCode terminal")}`);
+		console.error(fmt.detail("this will launch a *new* instance in a sandbox"));
+		console.error(fmt.detail("the current VSCode instance will NOT be sandboxed"));
+	}
+}
+/**
+* Abort if any workdir IS $HOME or is not inside $HOME.
+*/
+function checkWorkDirs(workDirs, home) {
+	for (const dir of workDirs) {
+		if (dir === home) {
+			console.error(`\n${fmt.error("working directory cannot be $HOME itself")}`);
+			console.error(fmt.detail("sandboxing your entire home directory is not supported\n"));
+			process$1.exit(1);
+		}
+		if (!dir.startsWith(home + "/")) {
+			console.error(`\n${fmt.error(`working directory is outside $HOME: ${dir}`)}`);
+			console.error(fmt.detail("only directories inside $HOME are supported\n"));
+			process$1.exit(1);
+		}
+		if (isSelfProtected(dir)) {
+			console.error(`\n${fmt.error(`working directory is self-protected: ${dir}`)}`);
+			console.error(fmt.detail("remove .bxprotect or '/' from .bxignore to allow access\n"));
+			process$1.exit(1);
+		}
+	}
+}
+/**
+* Warn if the target app is already running — the new workspace will open
+* in the existing (unsandboxed) instance, bypassing our sandbox profile.
+*/
+async function checkAppAlreadyRunning(mode, apps) {
+	if (BUILTIN_MODES.includes(mode)) return;
+	const app = apps[mode];
+	if (!app?.bundle) return;
+	let running = false;
+	try {
+		running = execFileSync("lsappinfo", ["list"], {
+			encoding: "utf-8",
+			timeout: 3e3
+		}).includes(`bundleID="${app.bundle}"`);
+	} catch {
+		return;
+	}
+	if (!running) return;
+	console.error(`\n${fmt.warn(`"${mode}" is already running`)}`);
+	console.error(fmt.detail("the workspace will open in the EXISTING instance — sandbox will NOT apply"));
+	if (mode === "code") console.error(fmt.detail("quit the app first, or use --profile-sandbox for an isolated instance"));
+	else console.error(fmt.detail("quit the app first to ensure sandbox protection"));
+	const rl = createInterface({
+		input: process$1.stdin,
+		output: process$1.stderr
+	});
+	const answer = await new Promise((res) => {
+		rl.question(`   continue without sandbox? [y/N] `, res);
+	});
+	rl.close();
+	if (!answer.match(/^y(es)?$/i)) process$1.exit(0);
+}
+/**
+* Detect if we're inside an unknown sandbox by probing well-known
+* directories that exist on every Mac but would be blocked.
+*/
+function checkExternalSandbox() {
+	for (const dir of [
+		"Documents",
+		"Desktop",
+		"Downloads"
+	]) {
+		const target = join(process$1.env.HOME, dir);
+		try {
+			accessSync(target, constants.R_OK);
+		} catch (e) {
+			if (e.code === "EPERM") {
+				console.error(`\n${fmt.error("already running inside a sandbox")}`);
+				console.error(fmt.detail("nesting sandbox-exec may cause silent failures\n"));
+				process$1.exit(1);
+			}
+		}
+	}
+}
+//#endregion
+//#region src/args.ts
+/**
+* Parse CLI arguments. `validModes` is the list of recognized mode names
+* (builtin modes + app names from config).
+*/
+function parseArgs(validModes) {
+	const rawArgs = process$1.argv.slice(2);
+	const verbose = rawArgs.includes("--verbose");
+	const dry = rawArgs.includes("--dry");
+	const profileSandbox = rawArgs.includes("--profile-sandbox");
+	const positional = rawArgs.filter((a) => !a.startsWith("--"));
+	const doubleDashIdx = rawArgs.indexOf("--");
+	const appArgs = doubleDashIdx >= 0 ? rawArgs.slice(doubleDashIdx + 1) : [];
+	const beforeDash = doubleDashIdx >= 0 ? rawArgs.slice(0, doubleDashIdx).filter((a) => !a.startsWith("--")) : positional;
+	let mode = "code";
+	let workArgs;
+	let implicitWorkdirs = false;
+	if (beforeDash.length > 0 && validModes.includes(beforeDash[0])) {
+		mode = beforeDash[0];
+		workArgs = beforeDash.slice(1);
+	} else workArgs = beforeDash;
+	if (workArgs.length === 0) {
+		workArgs = ["."];
+		implicitWorkdirs = true;
+	}
+	if (mode === "exec" && appArgs.length === 0) {
+		console.error(`\n${fmt.error("exec mode requires a command after \"--\"")}`);
+		console.error(fmt.detail("usage: bx exec [workdir...] -- command [args...]\n"));
+		process$1.exit(1);
+	}
+	return {
+		mode,
+		workArgs,
+		verbose,
+		dry,
+		profileSandbox,
+		appArgs,
+		implicit: implicitWorkdirs
+	};
+}
+//#endregion
 //#region src/modes.ts
 function isBuiltinMode(mode) {
 	return BUILTIN_MODES.includes(mode);
 }
-function shouldPassWorkdirs(app, mode) {
-	if (typeof app.passWorkdirs === "boolean") return app.passWorkdirs;
-	return mode !== "xcode";
+function shouldPassWorkdirs(app) {
+	return app.passWorkdirs !== false;
 }
 function appBundleFromPath(path) {
 	if (path.endsWith(".app")) return path;
@@ -1237,7 +1372,7 @@ function buildAppCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 	}
 	if (app.args) args.push(...app.args);
 	if (appArgs.length > 0) args.push(...appArgs);
-	if (shouldPassWorkdirs(app, mode)) args.push(...workDirs);
+	if (shouldPassWorkdirs(app)) args.push(...workDirs);
 	return {
 		bin,
 		args
@@ -1333,7 +1468,8 @@ Options:
 
 Configuration:
   ~/.bxconfig.toml     app definitions (TOML):
-                         [apps.name]           add a new app
+                         [name]                add a new app
+                         mode = "..."           inherit from another app
                          bundle = "..."         macOS bundle ID (auto-discovery)
                          binary = "..."         relative path in .app bundle
                          path = "..."           explicit executable path
@@ -1345,6 +1481,8 @@ Configuration:
                          rw:path      allow read-write access
                          ro:path      allow read-only access
   <workdir>/.bxignore  blocked paths in project (.gitignore-style matching)
+                         / or .         self-protect: block entire directory
+  <dir>/.bxprotect     marker file: block the containing directory
 
 https://github.com/holtwick/bx-mac`;
 //#endregion
@@ -1362,16 +1500,25 @@ function kindIcon(kind) {
 		default: return `${RED}✖${RESET}`;
 	}
 }
-function insertPath(root, home, absPath, kind, isDir) {
-	const rel = absPath.startsWith(home + "/") ? absPath.slice(home.length + 1) : absPath;
+function insertPath(root, homeParts, absPath, kind, isDir) {
+	const parts = absPath.split("/").filter(Boolean);
 	let node = root;
-	for (const part of rel.split("/")) {
+	for (const part of parts) {
 		if (!node.children.has(part)) node.children.set(part, { children: /* @__PURE__ */ new Map() });
 		node = node.children.get(part);
 	}
 	node.kind = kind;
 	node.isDir = isDir;
 }
+/** Collapse the tree down to the interesting nodes, keeping only branches
+*  that contain a leaf with a kind (blocked/ignored/workdir/read-only).
+*  Intermediate directories on the home path are kept as navigation context. */
+function pruneTree(node, currentParts, homeParts, depth) {
+	if (node.kind) return true;
+	depth < homeParts.length && (currentParts[depth], homeParts[depth]);
+	for (const [name, child] of [...node.children]) if (!pruneTree(child, [...currentParts, name], homeParts, depth + 1)) node.children.delete(name);
+	return node.children.size > 0;
+}
 function isDirectory(path) {
 	try {
 		return statSync(path).isDirectory();
@@ -1393,20 +1540,26 @@ function printNode(node, prefix) {
 		if (child.children.size > 0) printNode(child, prefix + continuation);
 	}
 }
-function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDirs }) {
+function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDirs, systemDenyPaths = [] }) {
 	const root = { children: /* @__PURE__ */ new Map() };
-	for (const dir of blockedDirs) insertPath(root, home, dir, "blocked", true);
-	for (const path of ignoredPaths) insertPath(root, home, path, "ignored", isDirectory(path));
-	for (const dir of readOnlyDirs) insertPath(root, home, dir, "read-only", true);
-	for (const dir of workDirs) insertPath(root, home, dir, "workdir", true);
-	console.log(`\n${CYAN}~/${RESET}`);
+	const homeParts = home.split("/").filter(Boolean);
+	for (const dir of blockedDirs) insertPath(root, homeParts, dir, "blocked", true);
+	for (const path of ignoredPaths) insertPath(root, homeParts, path, "ignored", isDirectory(path));
+	for (const dir of readOnlyDirs) insertPath(root, homeParts, dir, "read-only", true);
+	for (const dir of workDirs) insertPath(root, homeParts, dir, "workdir", true);
+	for (const dir of systemDenyPaths) insertPath(root, homeParts, dir, "blocked", true);
+	pruneTree(root, [], homeParts, 0);
+	console.log(`\n${CYAN}/${RESET}`);
 	printNode(root, "");
 	console.log(`\n${RED}✖${RESET} = denied  ${YELLOW}◉${RESET} = read-only  ${GREEN}✔${RESET} = read-write\n`);
 }
 //#endregion
+//#region package.json
+var version = "0.11.0";
+//#endregion
 //#region src/index.ts
 const __dirname = dirname(fileURLToPath(import.meta.url));
-const VERSION = typeof __VERSION__ !== "undefined" ? __VERSION__ : "dev";
+const VERSION = version;
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
 	process$1.exit(0);
@@ -1430,7 +1583,7 @@ async function main() {
 			console.error(`\n${fmt.error("no working directory specified and current directory is $HOME")}\n`);
 			console.error(fmt.detail(`Usage:  bx ${mode} <workdir>`));
 			console.error(fmt.detail(`Config: set default workdirs in ~/.bxconfig.toml:\n`));
-			console.error(fmt.detail(`[apps.${mode}]`));
+			console.error(fmt.detail(`[${mode}]`));
 			console.error(fmt.detail(`workdirs = ["~/work/my-project"]\n`));
 			process$1.exit(1);
 		}
@@ -1448,7 +1601,7 @@ async function main() {
 	const blockedDirs = collectBlockedDirs(HOME, HOME, __dirname, new Set([...allowed, ...readOnly]));
 	const ignoredPaths = collectIgnoredPaths(HOME, workDirs);
 	printPolicySummary(mode, workDirs, blockedDirs, ignoredPaths, readOnly);
-	const profile = generateProfile(workDirs, blockedDirs, ignoredPaths, [...readOnly]);
+	const profile = generateProfile(workDirs, blockedDirs, ignoredPaths, [...readOnly], HOME);
 	if (verbose) {
 		console.error("\n--- Generated sandbox profile ---");
 		console.error(profile);
@@ -1460,7 +1613,8 @@ async function main() {
 			blockedDirs,
 			ignoredPaths,
 			readOnlyDirs: readOnly,
-			workDirs
+			workDirs,
+			systemDenyPaths: collectSystemDenyPaths(HOME)
 		});
 		process$1.exit(0);
 	}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "0.9.0",
+  "version": "0.11.0",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {