bx-mac 1.0.2 → 1.2.0

package/README.md

@@ -44,6 +44,7 @@ bx ~/work/my-project ~/work/shared-lib
 - **No protection against root/sudo** — the sandbox applies to the user-level process
 - **macOS only** — relies on `sandbox-exec` (Apple-specific)
 - **Not dynamic** — the sandbox profile is a snapshot of `$HOME` at launch time; directories or files created later are **not** automatically blocked
+- **File names visible** — blocked files cannot be read or written, but their names still appear in directory listings (a kernel-level `readdir` constraint, same as `chmod 000`)
 - **Not a vault** — `sandbox-exec` is undocumented; treat this as a safety net, not a guarantee
 
 ## 📥 Install
@@ -122,6 +123,9 @@ bx --dry ~/work/my-project
 
 # 🔍 See the generated sandbox profile
 bx --verbose ~/work/my-project
+
+# 🔄 Use an isolated app profile
+bx --vscode-user code ~/work/my-project
 ```
 
 ## ⚙️ Options
@@ -131,7 +135,7 @@ bx --verbose ~/work/my-project
 | `--dry` | Show a tree of all protected, read-only, and accessible paths — don't launch anything |
 | `--verbose` | Print the generated sandbox profile plus launch details (binary, arguments, cwd, focus command) |
 | `--background` | Run the app detached in the background (like `nohup &`), output goes to `/tmp/bx-<pid>.log` |
-| `--profile-sandbox` | Use an isolated VSCode profile (separate extensions/settings, `code` mode only) |
+| `--vscode-user [path]` | Use an isolated app profile (default: `~/.vscode-sandbox`, or specify a custom path) |
 
 On normal runs, bx also prints a short policy summary (number of workdirs, blocked directories, hidden paths, and read-only directories).
 
@@ -166,8 +170,9 @@ path = "/usr/local/bin/code"
 | `fallback` | Absolute fallback path if `mdfind` discovery fails |
 | `args` | Extra arguments always passed to the app |
 | `passPaths` | Paths passed as app launch args (`true`/`false`/`N`/`["~/p1", "~/p2"]`) |
-| `paths` | Default working directories when none are given on the CLI (supports `~/` paths) |
+| `paths` | Default working directories when none are given on the CLI (supports `~/` paths and `*` globs) |
 | `background` | Run the app detached in the background by default (`true`/`false`) |
+| `profile` | Use an isolated app profile (`true` = `~/.vscode-sandbox`, `"path"` = custom path) |
 
 **Resolution order:** `path` → `mdfind` by `bundle` + `binary` → `fallback`
 
@@ -342,7 +347,7 @@ Or preconfigure them in `~/.bxconfig.toml`:
 paths = ["~/work/project-a", "~/work/project-b"]
 ```
 
-For VSCode specifically, `--profile-sandbox` forces a separate Electron process via an isolated `--user-data-dir`, but this means separate extensions and settings.
+For VSCode specifically, `--vscode-user` forces a separate Electron process via an isolated `--user-data-dir`, but this means separate extensions and settings. You can specify a custom path (`--vscode-user ~/my-profile`) or use the default (`--vscode-user` alone uses `~/.vscode-sandbox`). This can also be configured per app in `~/.bxconfig.toml` via the `profile` field.
 
 ## 💡 Tips
 
@@ -369,12 +374,15 @@ Some AI coding tools ship with their own sandboxing. bx complements these by pro
 - [Claude Code](https://code.claude.com/docs/en/sandboxing) — built-in sandbox for file and command restrictions
 - [Gemini CLI](https://geminicli.com/docs/cli/sandbox/) — sandbox mode for file system access control
 - [OpenAI Codex](https://developers.openai.com/codex/concepts/sandboxing) — containerized sandboxing for code execution
+- [VS Code Copilot](https://code.visualstudio.com/docs/copilot/agents/agent-tools#_sandbox-agent-commands) — agent sandbox mode (preview) that restricts write access to the working directory and blocks network access for terminal commands (`chat.agent.sandbox` setting)
 
 These are great when available, but they only protect within their own tool. bx wraps the entire process — so even if a tool's built-in sandbox is misconfigured, disabled, or absent, your files stay protected.
 
 ## 🔗 Alternatives
 
 - [Agent Safehouse](https://agent-safehouse.dev/) — macOS kernel-level sandboxing for LLM coding agents via `sandbox-exec`. Deny-first model that blocks write access outside the project directory.
+- **Docker / VMs** — for stronger isolation, run AI tools in a virtualized environment (containers, VMs). Full process and network isolation at the cost of setup overhead.
+- **Web sandboxes** — browser-based approaches for running AI agents. See Simon Willison's [Living dangerously with Claude](https://simonwillison.net/2025/Oct/22/living-dangerously-with-claude/) for an overview.
 
 ## 💛 Sponsor
 

package/dist/bx.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
-import { accessSync, constants, cpSync, existsSync, globSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, realpathSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { accessSync, closeSync, constants, cpSync, existsSync, globSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, realpathSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
-import { execFileSync, spawn } from "node:child_process";
+import { execFileSync, execSync, spawn } from "node:child_process";
 import { createInterface } from "node:readline";
 import process$1 from "node:process";
 import { fileURLToPath } from "node:url";
@@ -811,12 +811,15 @@ function parsePassPaths(val) {
 	if (typeof val === "number" && Number.isInteger(val) && val > 0) return val;
 	if (Array.isArray(val)) {
 		const paths = val.filter((a) => typeof a === "string");
+		if (val.length !== paths.length) console.error(fmt.warn("non-string items in array config were ignored"));
 		if (paths.length > 0) return paths;
+		return false;
 	}
 }
 function parseStringArray(val) {
 	if (Array.isArray(val)) {
 		const items = val.filter((a) => typeof a === "string");
+		if (val.length !== items.length) console.error(fmt.warn("non-string items in array config were ignored"));
 		if (items.length > 0) return items;
 	}
 }
@@ -830,7 +833,8 @@ function parseAppDef(def) {
 		args: parseStringArray(def.args),
 		passPaths: parsePassPaths(def.passPaths ?? def.passWorkPaths ?? def.passWorkdirs),
 		paths: parseStringArray(def.paths ?? def.workdirs),
-		background: typeof def.background === "boolean" ? def.background : void 0
+		background: typeof def.background === "boolean" ? def.background : void 0,
+		profile: typeof def.profile === "boolean" || typeof def.profile === "string" ? def.profile : void 0
 	};
 }
 /**
@@ -855,7 +859,8 @@ function loadConfig(home) {
 			"passWorkdirs",
 			"paths",
 			"workdirs",
-			"background"
+			"background",
+			"profile"
 		]);
 		for (const [key, val] of Object.entries(doc)) {
 			if (key === "apps") continue;
@@ -1082,9 +1087,12 @@ function collectBlockedDirs(parentDir, home, scriptDir, allowedDirs) {
 		} catch {
 			continue;
 		}
-		if (!isDir) continue;
 		if (parentDir === home && name === "Library") continue;
 		if (scriptDir.startsWith(fullPath + "/") || scriptDir === fullPath) continue;
+		if (!isDir) {
+			blocked.push(fullPath);
+			continue;
+		}
 		const status = isAllowedOrAncestor(fullPath, allowedDirs);
 		if (status === "allowed") continue;
 		if (status === "ancestor") {
@@ -1120,7 +1128,7 @@ function collectIgnoredPaths(home, workDirs) {
 	return ignored;
 }
 function sbplEscape(path) {
-	return path.replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+	return path.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
 }
 function sbplSubpath(path) {
 	return `  (subpath "${sbplEscape(path)}")`;
@@ -1155,7 +1163,7 @@ function collectSystemDenyPaths(home) {
 	return paths;
 }
 function generateProfile(workDirs, blockedDirs, ignoredPaths, readOnlyDirs = [], home = "") {
-	const blockedRules = sbplDenyBlock("Blocked directories (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplSubpath));
+	const blockedRules = sbplDenyBlock("Blocked paths (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplPathRule));
 	const ignoredRules = sbplDenyBlock("Hidden paths from .bxignore", "file*", ignoredPaths.map(sbplPathRule));
 	const readOnlyRules = sbplDenyBlock("Read-only directories", "file-write*", readOnlyDirs.map(sbplSubpath));
 	const systemRules = home ? sbplDenyBlock("System-level restrictions", "file*", collectSystemDenyPaths(home).map(sbplSubpath)) : "";
@@ -1236,7 +1244,7 @@ async function checkAppAlreadyRunning(mode, apps) {
 	}
 	console.error(`\n${fmt.warn(`"${appName}" is already running`)}`);
 	console.error(fmt.detail("the workspace will open in the EXISTING instance — sandbox will NOT apply"));
-	if (mode === "code") console.error(fmt.detail("quit the app first, or use --profile-sandbox for an isolated instance"));
+	if (mode === "code") console.error(fmt.detail("quit the app first, or use --vscode-user for an isolated instance"));
 	else console.error(fmt.detail("quit the app first to ensure sandbox protection"));
 	const rl = createInterface({
 		input: process$1.stdin,
@@ -1280,12 +1288,12 @@ function parseArgs(validModes) {
 	const rawArgs = process$1.argv.slice(2);
 	const verbose = rawArgs.includes("--verbose");
 	const dry = rawArgs.includes("--dry");
-	const profileSandbox = rawArgs.includes("--profile-sandbox");
+	const vscodeUser = parseVscodeUserFlag(rawArgs);
 	const background = rawArgs.includes("--background");
-	const positional = rawArgs.filter((a) => !a.startsWith("--"));
+	const positional = collectPositional(rawArgs);
 	const doubleDashIdx = rawArgs.indexOf("--");
 	const appArgs = doubleDashIdx >= 0 ? rawArgs.slice(doubleDashIdx + 1) : [];
-	const beforeDash = doubleDashIdx >= 0 ? rawArgs.slice(0, doubleDashIdx).filter((a) => !a.startsWith("--")) : positional;
+	const beforeDash = doubleDashIdx >= 0 ? collectPositional(rawArgs.slice(0, doubleDashIdx)) : positional;
 	let mode = "code";
 	let workArgs;
 	let implicitWorkdirs = false;
@@ -1307,12 +1315,42 @@ function parseArgs(validModes) {
 		workArgs,
 		verbose,
 		dry,
-		profileSandbox,
+		vscodeUser,
 		background,
 		appArgs,
 		implicit: implicitWorkdirs
 	};
 }
+function looksLikePath(val) {
+	return val.includes("/") || val.startsWith("~") || val.startsWith(".");
+}
+/** Filter positional args, skipping the path value after --vscode-user */
+function collectPositional(args) {
+	const result = [];
+	for (let i = 0; i < args.length; i++) {
+		if (args[i] === "--vscode-user" || args[i] === "--vscode-user-data") {
+			const next = args[i + 1];
+			if (next && looksLikePath(next)) i++;
+			continue;
+		}
+		if (args[i].startsWith("--")) continue;
+		result.push(args[i]);
+	}
+	return result;
+}
+function parseVscodeUserFlag(args) {
+	for (let i = 0; i < args.length; i++) {
+		if (args[i] === "--vscode-user" || args[i] === "--vscode-user-data") {
+			const next = args[i + 1];
+			if (next && looksLikePath(next)) return next;
+			return true;
+		}
+		if (args[i] === "--vscode-user=false" || args[i] === "--vscode-user-data=false") return false;
+		const eqMatch = args[i].match(/^--vscode-user=(.+)$/);
+		if (eqMatch) return eqMatch[1];
+	}
+	return false;
+}
 //#endregion
 //#region src/modes.ts
 function isBuiltinMode(mode) {
@@ -1342,15 +1380,30 @@ function hasAppSandboxEntitlement(entitlements) {
 	if (new RegExp(`<key>\\s*${SANDBOX_KEY.replace(/\./g, "\\.")}\\s*</key>\\s*<false\\s*/>`, "i").test(entitlements)) return false;
 	return new RegExp(`${SANDBOX_KEY.replace(/\./g, "\\.")}\\s*[=:]\\s*(1|true)`, "i").test(entitlements);
 }
-function setupVSCodeProfile(home) {
-	const dataDir = join(home, ".vscode-sandbox");
+function resolveProfileDir(home, profile) {
+	if (typeof profile === "string") return resolve(profile.replace(/^~\//, home + "/"));
+	return join(home, ".vscode-sandbox");
+}
+async function setupVSCodeProfile(home, profile) {
+	const dataDir = resolveProfileDir(home, profile);
 	const globalExt = join(home, ".vscode", "extensions");
 	const localExt = join(dataDir, "extensions");
 	mkdirSync(dataDir, { recursive: true });
 	if (!existsSync(localExt) && existsSync(globalExt)) {
-		console.error(fmt.detail("copying extensions from global install..."));
-		cpSync(globalExt, localExt, { recursive: true });
+		const rl = createInterface({
+			input: process$1.stdin,
+			output: process$1.stderr
+		});
+		const answer = await new Promise((res) => {
+			rl.question(`${fmt.info(`copy extensions to ${dataDir}?`)} [Y/n] `, res);
+		});
+		rl.close();
+		if (!answer || answer.match(/^y(es)?$/i)) {
+			console.error(fmt.detail("copying extensions from global install..."));
+			cpSync(globalExt, localExt, { recursive: true });
+		}
 	}
+	console.error(fmt.detail(`profile: ${dataDir}`));
 }
 function buildCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 	if (isBuiltinMode(mode)) return buildBuiltinCommand(mode, appArgs);
@@ -1358,10 +1411,20 @@ function buildCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 }
 function buildBuiltinCommand(mode, appArgs) {
 	switch (mode) {
-		case "term": return {
-			bin: process$1.env.SHELL ?? "/bin/zsh",
-			args: ["-l"]
-		};
+		case "term": {
+			const shell = process$1.env.SHELL ?? "/bin/zsh";
+			if (!existsSync(shell)) {
+				console.error(fmt.warn(`shell not found: ${shell}, falling back to /bin/zsh`));
+				return {
+					bin: "/bin/zsh",
+					args: ["-l"]
+				};
+			}
+			return {
+				bin: shell,
+				args: ["-l"]
+			};
+		}
 		case "claude": return {
 			bin: "claude",
 			args: []
@@ -1387,8 +1450,8 @@ function buildAppCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 	}
 	const bin = executableFromBundle(resolvedPath, app);
 	const args = [];
-	if (mode === "code" && profileSandbox) {
-		const dataDir = join(home, ".vscode-sandbox");
+	if (profileSandbox) {
+		const dataDir = resolveProfileDir(home, profileSandbox);
 		args.push("--user-data-dir", join(dataDir, "data"));
 		args.push("--extensions-dir", join(dataDir, "extensions"));
 	}
@@ -1454,6 +1517,26 @@ function bringAppToFront(mode, apps) {
 	}, 250);
 }
 //#endregion
+//#region src/paths.ts
+/** Expand glob patterns (e.g. ~/work/*) in path lists. Only directories are matched. */
+function expandGlobs(paths, home) {
+	const result = [];
+	for (const p of paths) {
+		const resolved = p.replace(/^~(\/|$)/, home + "/");
+		if (!resolved.includes("*")) {
+			result.push(resolved);
+			continue;
+		}
+		const dir = dirname(resolved);
+		const pattern = basename(resolved);
+		const regex = new RegExp("^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");
+		try {
+			for (const entry of readdirSync(dir, { withFileTypes: true })) if (entry.isDirectory() && regex.test(entry.name)) result.push(join(dir, entry.name));
+		} catch {}
+	}
+	return result;
+}
+//#endregion
 //#region src/help.ts
 function printHelp(version) {
 	const HOME = process.env.HOME;
@@ -1485,9 +1568,10 @@ Options:
   --dry                show what will be protected, don't launch
   --verbose            print the generated sandbox profile
   --background         run in background, log output to /tmp/bx-<pid>.log
-  --profile-sandbox    use an isolated VSCode profile (code mode only)
+  --vscode-user [path] use an isolated app profile (default: ~/.vscode-sandbox)
   -v, --version        show version
   -h, --help           show this help
+  --docs               open documentation in browser
 
 Configuration:
   ~/.bxconfig.toml     app definitions (TOML):
@@ -1498,6 +1582,8 @@ Configuration:
                          path = "..."           explicit executable path
                          args = ["..."]         extra arguments
                          passPaths = true|false|N|[...]  paths passed as launch args
+                         profile = true|"path"  use an isolated app profile
+                         paths = ["~/work/*"]   default workdirs (globs supported)
                          background = true      run in background by default
                        built-in apps (code, xcode) can be overridden
   ~/.bxignore          sandbox rules (one per line):
@@ -1524,7 +1610,7 @@ function kindIcon(kind) {
 		default: return `${RED}✖${RESET}`;
 	}
 }
-function insertPath(root, homeParts, absPath, kind, isDir) {
+function insertPath(root, absPath, kind, isDir) {
 	const parts = absPath.split("/").filter(Boolean);
 	let node = root;
 	for (const part of parts) {
@@ -1539,7 +1625,6 @@ function insertPath(root, homeParts, absPath, kind, isDir) {
 *  Intermediate directories on the home path are kept as navigation context. */
 function pruneTree(node, currentParts, homeParts, depth) {
 	if (node.kind) return true;
-	depth < homeParts.length && (currentParts[depth], homeParts[depth]);
 	for (const [name, child] of [...node.children]) if (!pruneTree(child, [...currentParts, name], homeParts, depth + 1)) node.children.delete(name);
 	return node.children.size > 0;
 }
@@ -1547,7 +1632,7 @@ function isDirectory(path) {
 	try {
 		return statSync(path).isDirectory();
 	} catch {
-		return path.slice(path.lastIndexOf("/") + 1).startsWith(".");
+		return true;
 	}
 }
 function printNode(node, prefix) {
@@ -1567,11 +1652,11 @@ function printNode(node, prefix) {
 function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDirs, systemDenyPaths = [] }) {
 	const root = { children: /* @__PURE__ */ new Map() };
 	const homeParts = home.split("/").filter(Boolean);
-	for (const dir of blockedDirs) insertPath(root, homeParts, dir, "blocked", true);
-	for (const path of ignoredPaths) insertPath(root, homeParts, path, "ignored", isDirectory(path));
-	for (const dir of readOnlyDirs) insertPath(root, homeParts, dir, "read-only", true);
-	for (const dir of workDirs) insertPath(root, homeParts, dir, "workdir", true);
-	for (const dir of systemDenyPaths) insertPath(root, homeParts, dir, "blocked", true);
+	for (const dir of blockedDirs) insertPath(root, dir, "blocked", isDirectory(dir));
+	for (const path of ignoredPaths) insertPath(root, path, "ignored", isDirectory(path));
+	for (const dir of readOnlyDirs) insertPath(root, dir, "read-only", true);
+	for (const dir of workDirs) insertPath(root, dir, "workdir", true);
+	for (const dir of systemDenyPaths) insertPath(root, dir, "blocked", true);
 	pruneTree(root, [], homeParts, 0);
 	console.log(`\n${CYAN}/${RESET}`);
 	printNode(root, "");
@@ -1579,7 +1664,7 @@ function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDi
 }
 //#endregion
 //#region src/index.ts
-const VERSION = "1.0.2";
+const VERSION = "1.2.0";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
@@ -1589,6 +1674,10 @@ if (process$1.argv.includes("--help") || process$1.argv.includes("-h")) {
 	printHelp(VERSION);
 	process$1.exit(0);
 }
+if (process$1.argv.includes("--docs")) {
+	execSync("open https://github.com/holtwick/bx-mac");
+	process$1.exit(0);
+}
 if (!process$1.env.HOME) {
 	console.error(`\n${fmt.error("$HOME environment variable is not set")}\n`);
 	process$1.exit(1);
@@ -1598,9 +1687,13 @@ async function main() {
 	checkOwnSandbox();
 	checkExternalSandbox();
 	const apps = getAvailableApps(loadConfig(HOME));
-	const { mode, workArgs, verbose, dry, profileSandbox, background: backgroundFlag, appArgs, implicit } = parseArgs(getValidModes(apps));
+	const { mode, workArgs, verbose, dry, vscodeUser: vscodeUserFlag, background: backgroundFlag, appArgs, implicit } = parseArgs(getValidModes(apps));
 	const app = apps[mode];
-	const workDirs = (implicit && app?.paths?.length ? app.paths : workArgs).map((a) => realpathSync(resolve(a.replace(/^~\//, HOME + "/"))));
+	const workDirs = expandGlobs(implicit && app?.paths?.length ? app.paths : workArgs, HOME).map((a) => realpathSync(resolve(a)));
+	if (workDirs.length === 0) {
+		console.error(`\n${fmt.error("no matching working directories found")}\n`);
+		process$1.exit(1);
+	}
 	if (implicit && !app?.paths?.length) {
 		if (workDirs.some((d) => d === HOME)) {
 			console.error(`\n${fmt.error("no working directory specified and current directory is $HOME")}\n`);
@@ -1608,6 +1701,8 @@ async function main() {
 			console.error(fmt.detail(`Config: set default paths in ~/.bxconfig.toml:\n`));
 			console.error(fmt.detail(`[${mode}]`));
 			console.error(fmt.detail(`paths = ["~/work/my-project"]\n`));
+			console.error(fmt.detail(`Run bx --help for more info.`));
+			console.error(fmt.detail(`Docs: https://github.com/holtwick/bx-mac\n`));
 			process$1.exit(1);
 		}
 		if (!dry) await confirmLaunch(workDirs[0], mode);
@@ -1615,7 +1710,8 @@ async function main() {
 	if (!dry) checkVSCodeTerminal();
 	checkWorkDirs(workDirs, HOME);
 	await checkAppAlreadyRunning(mode, apps);
-	if (mode === "code" && profileSandbox) setupVSCodeProfile(HOME);
+	const profileSandbox = vscodeUserFlag !== false ? vscodeUserFlag : app?.profile ?? false;
+	if (profileSandbox) await setupVSCodeProfile(HOME, profileSandbox);
 	const { allowed, readOnly } = parseHomeConfig(HOME, workDirs);
 	const blockedDirs = collectBlockedDirs(HOME, HOME, __dirname, new Set([...allowed, ...readOnly]));
 	const ignoredPaths = collectIgnoredPaths(HOME, workDirs);
@@ -1678,7 +1774,12 @@ async function main() {
 				CODEBOX_SANDBOX: "1"
 			}
 		});
+		child.on("error", (err) => {
+			console.error(fmt.error(`failed to start sandbox: ${err.message}`));
+			process$1.exit(1);
+		});
 		child.unref();
+		closeSync(logFd);
 		bringAppToFront(mode, apps);
 		console.error(fmt.info(`running in background (pid ${child.pid})`));
 		console.error(fmt.detail(`log: ${logPath}`));
@@ -1702,7 +1803,6 @@ async function main() {
 			CODEBOX_SANDBOX: "1"
 		}
 	});
-	bringAppToFront(mode, apps);
 	const cleanup = () => {
 		try {
 			rmSync(tmpDir, {
@@ -1712,6 +1812,11 @@ async function main() {
 		} catch {}
 	};
 	process$1.on("exit", cleanup);
+	child.on("error", (err) => {
+		console.error(fmt.error(`failed to start sandbox: ${err.message}`));
+		process$1.exit(1);
+	});
+	bringAppToFront(mode, apps);
 	child.on("close", (code) => {
 		process$1.exit(code ?? 0);
 	});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "1.0.2",
+  "version": "1.2.0",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {
@@ -48,7 +48,7 @@
   ],
   "devDependencies": {
     "@types/node": "^25.5.0",
-    "rolldown": "^1.0.0-rc.12",
+    "rolldown": "^1.0.0-rc.13",
     "smol-toml": "^1.6.1",
     "vitest": "^4.1.2"
   },