npm - bx-mac - Versions diffs - 1.1.0 → 1.2.0 - Mend

bx-mac 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -44,6 +44,7 @@ bx ~/work/my-project ~/work/shared-lib
 - **No protection against root/sudo** — the sandbox applies to the user-level process
 - **macOS only** — relies on `sandbox-exec` (Apple-specific)
 - **Not dynamic** — the sandbox profile is a snapshot of `$HOME` at launch time; directories or files created later are **not** automatically blocked
+- **File names visible** — blocked files cannot be read or written, but their names still appear in directory listings (a kernel-level `readdir` constraint, same as `chmod 000`)
 - **Not a vault** — `sandbox-exec` is undocumented; treat this as a safety net, not a guarantee
 ## 📥 Install
@@ -380,6 +381,8 @@ These are great when available, but they only protect within their own tool. bx
 ## 🔗 Alternatives
 - [Agent Safehouse](https://agent-safehouse.dev/) — macOS kernel-level sandboxing for LLM coding agents via `sandbox-exec`. Deny-first model that blocks write access outside the project directory.
+- **Docker / VMs** — for stronger isolation, run AI tools in a virtualized environment (containers, VMs). Full process and network isolation at the cost of setup overhead.
+- **Web sandboxes** — browser-based approaches for running AI agents. See Simon Willison's [Living dangerously with Claude](https://simonwillison.net/2025/Oct/22/living-dangerously-with-claude/) for an overview.
 ## 💛 Sponsor

package/dist/bx.js CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { accessSync, constants, cpSync, existsSync, globSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, realpathSync, rmSync, statSync, writeFileSync } from "node:fs";
+import { accessSync, closeSync, constants, cpSync, existsSync, globSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, realpathSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import { execFileSync, execSync, spawn } from "node:child_process";
 import { createInterface } from "node:readline";
@@ -811,12 +811,15 @@ function parsePassPaths(val) {
 	if (typeof val === "number" && Number.isInteger(val) && val > 0) return val;
 	if (Array.isArray(val)) {
 		const paths = val.filter((a) => typeof a === "string");
+		if (val.length !== paths.length) console.error(fmt.warn("non-string items in array config were ignored"));
 		if (paths.length > 0) return paths;
+		return false;
 	}
 }
 function parseStringArray(val) {
 	if (Array.isArray(val)) {
 		const items = val.filter((a) => typeof a === "string");
+		if (val.length !== items.length) console.error(fmt.warn("non-string items in array config were ignored"));
 		if (items.length > 0) return items;
 	}
 }
@@ -1084,9 +1087,12 @@ function collectBlockedDirs(parentDir, home, scriptDir, allowedDirs) {
 		} catch {
 			continue;
 		}
-		if (!isDir) continue;
 		if (parentDir === home && name === "Library") continue;
 		if (scriptDir.startsWith(fullPath + "/") || scriptDir === fullPath) continue;
+		if (!isDir) {
+			blocked.push(fullPath);
+			continue;
+		}
 		const status = isAllowedOrAncestor(fullPath, allowedDirs);
 		if (status === "allowed") continue;
 		if (status === "ancestor") {
@@ -1122,7 +1128,7 @@ function collectIgnoredPaths(home, workDirs) {
 	return ignored;
 }
 function sbplEscape(path) {
-	return path.replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+	return path.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
 }
 function sbplSubpath(path) {
 	return `  (subpath "${sbplEscape(path)}")`;
@@ -1157,7 +1163,7 @@ function collectSystemDenyPaths(home) {
 	return paths;
 }
 function generateProfile(workDirs, blockedDirs, ignoredPaths, readOnlyDirs = [], home = "") {
-	const blockedRules = sbplDenyBlock("Blocked directories (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplSubpath));
+	const blockedRules = sbplDenyBlock("Blocked paths (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplPathRule));
 	const ignoredRules = sbplDenyBlock("Hidden paths from .bxignore", "file*", ignoredPaths.map(sbplPathRule));
 	const readOnlyRules = sbplDenyBlock("Read-only directories", "file-write*", readOnlyDirs.map(sbplSubpath));
 	const systemRules = home ? sbplDenyBlock("System-level restrictions", "file*", collectSystemDenyPaths(home).map(sbplSubpath)) : "";
@@ -1405,10 +1411,20 @@ function buildCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 }
 function buildBuiltinCommand(mode, appArgs) {
 	switch (mode) {
-		case "term": return {
-			bin: process$1.env.SHELL ?? "/bin/zsh",
-			args: ["-l"]
-		};
+		case "term": {
+			const shell = process$1.env.SHELL ?? "/bin/zsh";
+			if (!existsSync(shell)) {
+				console.error(fmt.warn(`shell not found: ${shell}, falling back to /bin/zsh`));
+				return {
+					bin: "/bin/zsh",
+					args: ["-l"]
+				};
+			}
+			return {
+				bin: shell,
+				args: ["-l"]
+			};
+		}
 		case "claude": return {
 			bin: "claude",
 			args: []
@@ -1594,7 +1610,7 @@ function kindIcon(kind) {
 		default: return `${RED}✖${RESET}`;
 	}
 }
-function insertPath(root, homeParts, absPath, kind, isDir) {
+function insertPath(root, absPath, kind, isDir) {
 	const parts = absPath.split("/").filter(Boolean);
 	let node = root;
 	for (const part of parts) {
@@ -1609,7 +1625,6 @@ function insertPath(root, homeParts, absPath, kind, isDir) {
 *  Intermediate directories on the home path are kept as navigation context. */
 function pruneTree(node, currentParts, homeParts, depth) {
 	if (node.kind) return true;
-	depth < homeParts.length && (currentParts[depth], homeParts[depth]);
 	for (const [name, child] of [...node.children]) if (!pruneTree(child, [...currentParts, name], homeParts, depth + 1)) node.children.delete(name);
 	return node.children.size > 0;
 }
@@ -1617,7 +1632,7 @@ function isDirectory(path) {
 	try {
 		return statSync(path).isDirectory();
 	} catch {
-		return path.slice(path.lastIndexOf("/") + 1).startsWith(".");
+		return true;
 	}
 }
 function printNode(node, prefix) {
@@ -1637,11 +1652,11 @@ function printNode(node, prefix) {
 function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDirs, systemDenyPaths = [] }) {
 	const root = { children: /* @__PURE__ */ new Map() };
 	const homeParts = home.split("/").filter(Boolean);
-	for (const dir of blockedDirs) insertPath(root, homeParts, dir, "blocked", true);
-	for (const path of ignoredPaths) insertPath(root, homeParts, path, "ignored", isDirectory(path));
-	for (const dir of readOnlyDirs) insertPath(root, homeParts, dir, "read-only", true);
-	for (const dir of workDirs) insertPath(root, homeParts, dir, "workdir", true);
-	for (const dir of systemDenyPaths) insertPath(root, homeParts, dir, "blocked", true);
+	for (const dir of blockedDirs) insertPath(root, dir, "blocked", isDirectory(dir));
+	for (const path of ignoredPaths) insertPath(root, path, "ignored", isDirectory(path));
+	for (const dir of readOnlyDirs) insertPath(root, dir, "read-only", true);
+	for (const dir of workDirs) insertPath(root, dir, "workdir", true);
+	for (const dir of systemDenyPaths) insertPath(root, dir, "blocked", true);
 	pruneTree(root, [], homeParts, 0);
 	console.log(`\n${CYAN}/${RESET}`);
 	printNode(root, "");
@@ -1649,7 +1664,7 @@ function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDi
 }
 //#endregion
 //#region src/index.ts
-const VERSION = "1.1.0";
+const VERSION = "1.2.0";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
@@ -1675,6 +1690,10 @@ async function main() {
 	const { mode, workArgs, verbose, dry, vscodeUser: vscodeUserFlag, background: backgroundFlag, appArgs, implicit } = parseArgs(getValidModes(apps));
 	const app = apps[mode];
 	const workDirs = expandGlobs(implicit && app?.paths?.length ? app.paths : workArgs, HOME).map((a) => realpathSync(resolve(a)));
+	if (workDirs.length === 0) {
+		console.error(`\n${fmt.error("no matching working directories found")}\n`);
+		process$1.exit(1);
+	}
 	if (implicit && !app?.paths?.length) {
 		if (workDirs.some((d) => d === HOME)) {
 			console.error(`\n${fmt.error("no working directory specified and current directory is $HOME")}\n`);
@@ -1755,7 +1774,12 @@ async function main() {
 				CODEBOX_SANDBOX: "1"
 			}
 		});
+		child.on("error", (err) => {
+			console.error(fmt.error(`failed to start sandbox: ${err.message}`));
+			process$1.exit(1);
+		});
 		child.unref();
+		closeSync(logFd);
 		bringAppToFront(mode, apps);
 		console.error(fmt.info(`running in background (pid ${child.pid})`));
 		console.error(fmt.detail(`log: ${logPath}`));
@@ -1779,7 +1803,6 @@ async function main() {
 			CODEBOX_SANDBOX: "1"
 		}
 	});
-	bringAppToFront(mode, apps);
 	const cleanup = () => {
 		try {
 			rmSync(tmpDir, {
@@ -1789,6 +1812,11 @@ async function main() {
 		} catch {}
 	};
 	process$1.on("exit", cleanup);
+	child.on("error", (err) => {
+		console.error(fmt.error(`failed to start sandbox: ${err.message}`));
+		process$1.exit(1);
+	});
+	bringAppToFront(mode, apps);
 	child.on("close", (code) => {
 		process$1.exit(code ?? 0);
 	});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {