npm - bx-mac - Versions diffs - 1.3.0 → 1.5.1 - Mend

bx-mac 1.3.0 → 1.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -234,21 +234,32 @@ Unified sandbox rules for your home directory. Paths relative to `$HOME`. Each l
 .kube
 .config/gcloud
-# Allow read-write access to extra directories
+# Allow read-write access to extra paths
 rw:work/bin
 rw:shared/libs
+rw:~/projects/*       # globs supported, ~ is expanded
 # Allow read-only access (can read but not modify)
 ro:reference/docs
 ro:shared/toolchain
+ro:.npmrc             # files work too; overrides built-in block
 ```
-Deny rules are applied **in addition** to the built-in protected lists:
+Plain deny rules have two scopes:
+- **At `$HOME` top level only** (no recursive `**` walk). `secrets/` matches `~/secrets`, not `~/nested/secrets`; `.config/gcloud` matches as a literal.
+- **Recursively inside each workdir** - same semantics as a project-level `.bxignore`, so `secrets/` and `*.pem` apply across every project you open. The recursive scan skips `node_modules`, `.git`, caches, `DerivedData`, `Pods`, and similar subtrees for speed.
+Deny rules are applied **in addition** to the built-in protected lists. `rw:` and `ro:` entries however **override** them - `ro:.npmrc` exposes the otherwise-blocked `~/.npmrc` read-only, `rw:.aws` opens the AWS credentials directory completely. Files (not just directories) are accepted, `~/...` is expanded, and globs (`*`, `**`) are matched against `$HOME`. Use override entries deliberately - you are weakening the default protection. `bx` prints a warning on stderr when an override exposes a built-in protected path.
+Built-in protected lists:
 > 🔒 **Dotdirs:** `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
 >
 > 🏛️ **Library (opinionated):** `Accounts` `Calendars` `Contacts` `Cookies` `Finance` `Mail` `Messages` `Mobile Documents` `Photos` `Safari` and [others (see full list)](src/profile.ts) — plus containers of password managers & finance apps
+**Limitation:** Overrides only work on whole protected paths. `rw:.aws/profile.json` does not selectively unblock a file inside `~/.aws` - the parent deny still wins (Apple SBPL: deny beats allow). Use `rw:.aws` to open the entire directory.
 ### `<project>/.bxignore`
 Block paths within the working directory. Uses [`.gitignore`-style pattern matching](https://git-scm.com/docs/gitignore#_pattern_format):
@@ -282,6 +293,13 @@ my-project/deploy/.bxignore         # deployment credentials
 Each `.bxignore` resolves its patterns relative to its own directory.
+Project `.bxignore` also accepts `ro:` entries to make paths within the workdir read-only (write-protect generated files, vendored libraries, etc.). `rw:` is silently ignored here - the workdir is already read-write by default.
+```gitignore
+ro:vendor/
+ro:generated/schema.ts
+```
 ### Self-protecting directories
 You can make any directory protect itself — no global configuration needed. There are two ways:
@@ -397,6 +415,7 @@ These are great when available, but they only protect within their own tool. bx
 ## 🔗 Alternatives
 - [Agent Safehouse](https://agent-safehouse.dev/) — macOS kernel-level sandboxing for LLM coding agents via `sandbox-exec`. Uses a **deny-first model**: everything is blocked by default and only explicitly listed paths are opened up. This gives you theoretically stricter control (e.g. `~/Library` is fully blocked and only specific subdirs are allowed), but requires more configuration — tools and runtimes that need paths you haven't whitelisted will break silently. If you need that level of precision and are willing to tune profiles per tool, Agent Safehouse may be the better fit. bx uses the opposite **allow-first model** (only sensitive paths are blocked), which works out of the box for VSCode, shells, Claude Code, and other tools without any per-tool configuration.
+- [Docker AI Sandboxes](https://docs.docker.com/ai/sandboxes/) — Docker's built-in sandbox environment for AI coding agents. Runs tools in isolated containers with controlled filesystem and network access. Stronger isolation than kernel-level sandboxing, but requires Docker Desktop and adds container overhead.
 - **Docker / VMs** — for stronger isolation, run AI tools in a virtualized environment (containers, VMs). Full process and network isolation at the cost of setup overhead.
 - **Web sandboxes** — browser-based approaches for running AI agents. See Simon Willison's [Living dangerously with Claude](https://simonwillison.net/2025/Oct/22/living-dangerously-with-claude/) for an overview.

package/dist/bx.js CHANGED Viewed

@@ -1045,6 +1045,50 @@ function toGlobPattern(line) {
 function resolveGlobMatches(pattern, baseDir) {
 	return globSync(toGlobPattern(pattern), { cwd: baseDir }).map((match) => resolve(baseDir, match));
 }
+const SCAN_EXCLUDE_NAMES = new Set([
+	"Library",
+	"Applications",
+	"node_modules",
+	".git",
+	".Trash",
+	".cache",
+	".npm",
+	".pnpm-store",
+	".yarn",
+	".cargo",
+	".rustup",
+	".gradle",
+	".gem",
+	".m2",
+	".nvm",
+	".bun",
+	".deno",
+	"DerivedData",
+	"Pods"
+]);
+function scanExcludeFilter(entry) {
+	const name = typeof entry === "string" ? entry.split("/").pop() ?? "" : entry?.name ?? "";
+	return SCAN_EXCLUDE_NAMES.has(name);
+}
+function resolveGlobMatchesBatch(patterns, baseDir) {
+	if (patterns.length === 0) return [];
+	return globSync(patterns.map(toGlobPattern), {
+		cwd: baseDir,
+		exclude: scanExcludeFilter
+	}).map((match) => resolve(baseDir, match));
+}
+/**
+* Resolve patterns against `baseDir` at top level only (no recursive `**`
+* expansion).  Trailing slashes are stripped; leading slashes are stripped
+* (already anchored).  Used for `~/.bxignore` in $HOME to keep the lookup
+* cheap while still matching literal/glob paths at the home root.
+*/
+function resolveTopLevelMatches(patterns, baseDir) {
+	if (patterns.length === 0) return [];
+	const cleaned = patterns.map((p) => p.startsWith("/") ? p.slice(1) : p).map((p) => p.endsWith("/") ? p.slice(0, -1) : p).filter((p) => p.length > 0);
+	if (cleaned.length === 0) return [];
+	return globSync(cleaned, { cwd: baseDir }).map((m) => resolve(baseDir, m));
+}
 /**
 * A directory is self-protected if it contains a `.bxprotect` file
 * or a `.bxignore` with a bare `/` entry.  Self-protected directories
@@ -1055,19 +1099,27 @@ function isSelfProtected(dir) {
 	if (existsSync(join(dir, ".bxprotect"))) return true;
 	return parseLines(join(dir, ".bxignore")).some((l) => l === "/" || l === ".");
 }
-function applyIgnoreFile(filePath, baseDir, ignored) {
+function applyIgnoreFile(filePath, baseDir, ignored, readOnly) {
 	for (const line of parseLines(filePath)) {
 		if (line === "/" || line === ".") continue;
+		const accessMatch = line.match(ACCESS_PREFIX_RE);
+		if (accessMatch) {
+			if (!readOnly) continue;
+			const [, prefix, rawPath] = accessMatch;
+			if (prefix.toUpperCase() !== "RO") continue;
+			for (const m of resolveGlobMatches(rawPath.trim(), baseDir)) readOnly.add(realpathSafe(m));
+			continue;
+		}
 		ignored.push(...resolveGlobMatches(line, baseDir));
 	}
 }
-function collectIgnoreFilesRecursive(dir, ignored) {
+function collectIgnoreFilesRecursive(dir, ignored, readOnly) {
 	if (isSelfProtected(dir)) {
 		ignored.push(dir);
 		return;
 	}
 	const ignoreFile = join(dir, ".bxignore");
-	if (existsSync(ignoreFile)) applyIgnoreFile(ignoreFile, dir, ignored);
+	if (existsSync(ignoreFile)) applyIgnoreFile(ignoreFile, dir, ignored, readOnly);
 	let entries;
 	try {
 		entries = readdirSync(dir);
@@ -1078,11 +1130,29 @@ function collectIgnoreFilesRecursive(dir, ignored) {
 		if (name.startsWith(".") || name === "node_modules") continue;
 		const fullPath = join(dir, name);
 		try {
-			if (statSync(fullPath).isDirectory()) collectIgnoreFilesRecursive(fullPath, ignored);
+			if (statSync(fullPath).isDirectory()) collectIgnoreFilesRecursive(fullPath, ignored, readOnly);
 		} catch {}
 	}
 }
 const ACCESS_PREFIX_RE = /^(RW|RO):(.+)$/i;
+function expandHomePath(home, raw) {
+	const trimmed = raw.trim();
+	if (trimmed === "~") return home;
+	if (trimmed.startsWith("~/")) return join(home, trimmed.slice(2));
+	return resolve(home, trimmed);
+}
+function realpathSafe(p) {
+	try {
+		return realpathSync(p);
+	} catch {
+		return p;
+	}
+}
+function resolveAccessTargets(home, raw) {
+	const expanded = expandHomePath(home, raw);
+	if (existsSync(expanded)) return [realpathSafe(expanded)];
+	return globSync(raw.trim().replace(/^~\//, ""), { cwd: home }).map((m) => realpathSafe(join(home, m))).filter((p) => existsSync(p));
+}
 function parseHomeConfig(home, workDirs) {
 	const allowed = new Set(workDirs);
 	const readOnly = /* @__PURE__ */ new Set();
@@ -1090,10 +1160,10 @@ function parseHomeConfig(home, workDirs) {
 		const match = line.match(ACCESS_PREFIX_RE);
 		if (!match) continue;
 		const [, prefix, rawPath] = match;
-		const absolute = resolve(home, rawPath.trim());
-		if (!existsSync(absolute) || !statSync(absolute).isDirectory()) continue;
-		if (prefix.toUpperCase() === "RW") allowed.add(absolute);
-		else readOnly.add(absolute);
+		const targets = resolveAccessTargets(home, rawPath);
+		if (targets.length === 0) continue;
+		const target = prefix.toUpperCase() === "RW" ? allowed : readOnly;
+		for (const t of targets) target.add(t);
 	}
 	return {
 		allowed,
@@ -1143,22 +1213,26 @@ function collectProtectedContainers(home) {
 	}
 	return matched;
 }
-function collectReadOnlyDotfiles(home) {
-	return PROTECTED_HOME_DOTFILES_RO.map((f) => join(home, f));
+function isOverridden(path, overrides) {
+	return overrides.has(path) || overrides.has(realpathSafe(path));
 }
-function collectIgnoredPaths(home, workDirs) {
+function collectReadOnlyDotfiles(home, overrides = /* @__PURE__ */ new Set()) {
+	return PROTECTED_HOME_DOTFILES_RO.map((f) => join(home, f)).filter((p) => !isOverridden(p, overrides));
+}
+function collectIgnoredPaths(home, workDirs, overrides = /* @__PURE__ */ new Set(), readOnly) {
 	const ignored = [
 		...PROTECTED_DOTDIRS.map((d) => join(home, d)),
 		...PROTECTED_HOME_DOTFILES.map((f) => join(home, f)),
 		...PROTECTED_LIBRARY_DIRS.map((d) => join(home, "Library", d)),
 		...new Set(collectProtectedContainers(home))
-	];
+	].filter((p) => !isOverridden(p, overrides));
 	const globalIgnore = join(home, ".bxignore");
-	if (existsSync(globalIgnore)) {
-		const denyLines = parseLines(globalIgnore).filter((l) => !ACCESS_PREFIX_RE.test(l));
-		for (const line of denyLines) ignored.push(...resolveGlobMatches(line, home));
+	const globalDenyLines = existsSync(globalIgnore) ? parseLines(globalIgnore).filter((l) => !ACCESS_PREFIX_RE.test(l)) : [];
+	for (const m of resolveTopLevelMatches(globalDenyLines, home)) if (!isOverridden(m, overrides)) ignored.push(m);
+	for (const workDir of workDirs) {
+		for (const m of resolveGlobMatchesBatch(globalDenyLines, workDir)) if (!isOverridden(m, overrides)) ignored.push(m);
+		collectIgnoreFilesRecursive(workDir, ignored, readOnly);
 	}
-	for (const workDir of workDirs) collectIgnoreFilesRecursive(workDir, ignored);
 	return ignored;
 }
 function sbplEscape(path) {
@@ -1199,7 +1273,7 @@ function collectSystemDenyPaths(home) {
 function generateProfile(workDirs, blockedDirs, ignoredPaths, readOnlyDirs = [], home = "", readOnlyFiles = []) {
 	const blockedRules = sbplDenyBlock("Blocked paths (auto-generated from $HOME contents)", "file*", blockedDirs.map(sbplPathRule));
 	const ignoredRules = sbplDenyBlock("Hidden paths from .bxignore", "file*", ignoredPaths.map(sbplPathRule));
-	const readOnlyRules = sbplDenyBlock("Read-only directories", "file-write*", readOnlyDirs.map(sbplSubpath));
+	const readOnlyRules = sbplDenyBlock("Read-only paths", "file-write*", readOnlyDirs.map(sbplPathRule));
 	const readOnlyFileRules = sbplDenyBlock("Read-only home dotfiles (shell init - write-protected against injection)", "file-write*", readOnlyFiles.map(sbplLiteral));
 	const systemRules = home ? sbplDenyBlock("System-level restrictions", "file*", collectSystemDenyPaths(home).map(sbplSubpath)) : "";
 	return `; Auto-generated sandbox profile
@@ -1623,8 +1697,8 @@ Configuration:
                        built-in apps (code, xcode) can be overridden
   ~/.bxignore          sandbox rules (one per line):
                          path         block access (deny)
-                         rw:path      allow read-write access
-                         ro:path      allow read-only access
+                         rw:path      allow read-write access (overrides built-in protection)
+                         ro:path      allow read-only access (overrides built-in protection)
   <workdir>/.bxignore  blocked paths in project (.gitignore-style matching)
                          / or .         self-protect: block entire directory
   <dir>/.bxprotect     marker file: block the containing directory
@@ -1699,7 +1773,7 @@ function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDi
 }
 //#endregion
 //#region src/index.ts
-const VERSION = "1.3.0";
+const VERSION = "1.5.1";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
@@ -1748,9 +1822,11 @@ async function main() {
 	const profileSandbox = vscodeUserFlag !== false ? vscodeUserFlag : app?.profile ?? false;
 	if (profileSandbox) await setupVSCodeProfile(HOME, profileSandbox);
 	const { allowed, readOnly } = parseHomeConfig(HOME, workDirs);
-	const blockedDirs = collectBlockedDirs(HOME, HOME, __dirname, new Set([...allowed, ...readOnly]));
-	const ignoredPaths = collectIgnoredPaths(HOME, workDirs);
-	const readOnlyDotfiles = collectReadOnlyDotfiles(HOME);
+	const allAccessible = new Set([...allowed, ...readOnly]);
+	warnDangerousOverrides(HOME, allAccessible);
+	const blockedDirs = collectBlockedDirs(HOME, HOME, __dirname, allAccessible);
+	const ignoredPaths = collectIgnoredPaths(HOME, workDirs, allAccessible, readOnly);
+	const readOnlyDotfiles = collectReadOnlyDotfiles(HOME, allAccessible);
 	printPolicySummary(mode, workDirs, blockedDirs, ignoredPaths, readOnly);
 	const profile = generateProfile(workDirs, blockedDirs, ignoredPaths, [...readOnly], HOME, readOnlyDotfiles);
 	if (verbose) {
@@ -1877,6 +1953,14 @@ function printPolicySummary(mode, workDirs, blockedDirs, ignoredPaths, readOnly)
 	if (extraIgnored > 0) parts.push(`${extraIgnored} from .bxignore`);
 	console.error(fmt.detail(parts.join(" · ")));
 }
+function warnDangerousOverrides(home, accessible) {
+	const hits = [
+		...PROTECTED_DOTDIRS.map((d) => join(home, d)),
+		...PROTECTED_HOME_DOTFILES.map((f) => join(home, f)),
+		...PROTECTED_LIBRARY_DIRS.map((d) => join(home, "Library", d))
+	].filter((p) => accessible.has(p));
+	for (const p of hits) console.error(fmt.detail(`warning: ~/.bxignore override exposes built-in protected path ${p}`));
+}
 function printLaunchDetails(cmd, cwd) {
 	const quote = (a) => JSON.stringify(a);
 	console.error(fmt.detail(`bin:  ${cmd.bin}`));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "1.3.0",
+  "version": "1.5.1",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {
@@ -47,10 +47,10 @@
     "darwin"
   ],
   "devDependencies": {
-    "@types/node": "^25.5.2",
-    "rolldown": "^1.0.0-rc.13",
+    "@types/node": "^25.6.0",
+    "rolldown": "^1.0.0-rc.16",
     "smol-toml": "^1.6.1",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.4"
   },
   "engines": {
     "node": ">=22"