bx-mac 1.4.0 → 1.6.1

package/README.md

@@ -166,7 +166,6 @@ App definitions in TOML format. Each `[<name>]` section becomes a CLI mode — u
 [cursor]
 bundle = "com.todesktop.230313mzl4w4u92"
 binary = "Contents/MacOS/Cursor"
-args = ["--no-sandbox"]
 
 # Add Zed (explicit path, no discovery)
 [zed]
@@ -177,6 +176,8 @@ path = "/Applications/Zed.app/Contents/MacOS/zed"
 path = "/usr/local/bin/code"
 ```
 
+**Electron apps:** bx automatically detects Electron-based apps (by checking for `Electron Framework.framework` inside the `.app` bundle) and adds `--no-sandbox` to disable Chromium's internal sandbox, which conflicts with `sandbox-exec`. No manual `args = ["--no-sandbox"]` needed.
+
 | Field | Description |
 | --- | --- |
 | `mode` | Inherit from another app (e.g. `"code"`, `"cursor"`) — only `paths` / overrides needed |
@@ -234,23 +235,32 @@ Unified sandbox rules for your home directory. Paths relative to `$HOME`. Each l
 .kube
 .config/gcloud
 
-# Allow read-write access to extra directories
+# Allow read-write access to extra paths
 rw:work/bin
 rw:shared/libs
+rw:~/projects/*       # globs supported, ~ is expanded
 
 # Allow read-only access (can read but not modify)
 ro:reference/docs
 ro:shared/toolchain
+ro:.npmrc             # files work too; overrides built-in block
 ```
 
-`rw:` and `ro:` entries also **override** the built-in protected lists - e.g. `ro:.npmrc` makes the otherwise-blocked `~/.npmrc` readable, `rw:.aws` opens the AWS credentials directory. Files (not just directories) are accepted as targets. Use this with care - you are explicitly weakening the default protection.
+Plain deny rules have two scopes:
+
+- **At `$HOME` top level only** (no recursive `**` walk). `secrets/` matches `~/secrets`, not `~/nested/secrets`; `.config/gcloud` matches as a literal.
+- **Recursively inside each workdir** - same semantics as a project-level `.bxignore`, so `secrets/` and `*.pem` apply across every project you open. The recursive scan skips `node_modules`, `.git`, caches, `DerivedData`, `Pods`, and similar subtrees for speed.
+
+Deny rules are applied **in addition** to the built-in protected lists. `rw:` and `ro:` entries however **override** them - `ro:.npmrc` exposes the otherwise-blocked `~/.npmrc` read-only, `rw:.aws` opens the AWS credentials directory completely. Files (not just directories) are accepted, `~/...` is expanded, and globs (`*`, `**`) are matched against `$HOME`. Use override entries deliberately - you are weakening the default protection. `bx` prints a warning on stderr when an override exposes a built-in protected path.
 
-Deny rules are applied **in addition** to the built-in protected lists:
+Built-in protected lists:
 
 > 🔒 **Dotdirs:** `.ssh` `.gnupg` `.docker` `.zsh_sessions` `.cargo` `.gradle` `.gem`
 >
 > 🏛️ **Library (opinionated):** `Accounts` `Calendars` `Contacts` `Cookies` `Finance` `Mail` `Messages` `Mobile Documents` `Photos` `Safari` and [others (see full list)](src/profile.ts) — plus containers of password managers & finance apps
 
+**Limitation:** Overrides only work on whole protected paths. `rw:.aws/profile.json` does not selectively unblock a file inside `~/.aws` - the parent deny still wins (Apple SBPL: deny beats allow). Use `rw:.aws` to open the entire directory.
+
 ### `<project>/.bxignore`
 
 Block paths within the working directory. Uses [`.gitignore`-style pattern matching](https://git-scm.com/docs/gitignore#_pattern_format):
@@ -284,6 +294,13 @@ my-project/deploy/.bxignore         # deployment credentials
 
 Each `.bxignore` resolves its patterns relative to its own directory.
 
+Project `.bxignore` also accepts `ro:` entries to make paths within the workdir read-only (write-protect generated files, vendored libraries, etc.). `rw:` is silently ignored here - the workdir is already read-write by default.
+
+```gitignore
+ro:vendor/
+ro:generated/schema.ts
+```
+
 ### Self-protecting directories
 
 You can make any directory protect itself — no global configuration needed. There are two ways:
@@ -345,7 +362,8 @@ bx detects and prevents problematic scenarios:
 - **🔄 Sandbox nesting:** If `CODEBOX_SANDBOX=1` is set (auto-propagated), bx refuses to start — nested sandboxes cause silent failures.
 - **🔍 Unknown sandbox:** On startup, bx probes `~/Documents`, `~/Desktop`, `~/Downloads`. If any return `EPERM`, another sandbox is active — bx aborts.
 - **⚠️ VSCode terminal:** If `VSCODE_PID` is set, bx warns that it will launch a *new* instance, not sandbox the current one.
-- **🧩 App already sandboxed:** For GUI app modes, bx inspects app entitlements (best effort) and warns if Apple App Sandbox is enabled, since nested sandboxing can cause startup/access issues.
+- **🧩 App already sandboxed:** For GUI app modes, bx inspects app entitlements (best effort) and warns if Apple App Sandbox is enabled, since bx's `sandbox-exec` wrapper may not apply correctly when the app is already sandboxed by macOS.
+- **⚡ Electron auto-detection:** bx detects Electron-based apps (by checking for `Electron Framework.framework` in the `.app` bundle) and automatically adds `--no-sandbox` to disable Chromium's internal sandbox, which conflicts with `sandbox-exec`. This works for VSCode, Cursor, Windsurf, and any other Electron app.
 - **🔁 App already running:** If the target app is already running, bx warns that the new workspace would open in the existing (unsandboxed) instance and asks for confirmation. This is important because Electron apps like VSCode, Cursor, etc. always reuse the running process — `sandbox-exec` has no effect on the already-running instance.
 
 ### Single-instance apps
@@ -378,6 +396,22 @@ ls ~/work/other-project/         # ❌ Operation not permitted
 cat ./src/index.ts               # ✅ Works!
 ```
 
+**Drag and drop from `~/Downloads` (or other blocked dirs)** — if dragging files from Finder into a sandboxed app fails silently, the source folder is blocked. Grant read-only access by adding it to `~/.bxignore`:
+
+```gitignore
+ro:Downloads
+```
+
+The app can then read (and copy) the dragged file, but not modify the original. Same trick works for `ro:Desktop`, `ro:Documents`, etc.
+
+**`npm install` fails with auth or registry errors** — `.npmrc` is blocked by default (may contain tokens). If your install needs the registry config but not write access, expose it read-only:
+
+```gitignore
+ro:.npmrc
+```
+
+Same pattern applies to other tools whose config dotfiles are on the protected list (`.pypirc`, ...).
+
 ## ⚠️ Known limitations
 
 - **⚠️ Sandbox profile is static:** The sandbox rules are generated **once at launch** by scanning the current state of `$HOME`. Directories or files created **after** the sandbox starts are **not protected** — for example, if a tool creates `~/new-project/` while the sandbox is running, that directory will be fully accessible. Similarly, project-level `.bxignore` patterns only match files that exist at launch time; files matching a blocked pattern (e.g. `.env`) that are created later will **not** be denied. Re-run `bx` to pick up changes.

package/dist/bx.js

@@ -1045,6 +1045,50 @@ function toGlobPattern(line) {
 function resolveGlobMatches(pattern, baseDir) {
 	return globSync(toGlobPattern(pattern), { cwd: baseDir }).map((match) => resolve(baseDir, match));
 }
+const SCAN_EXCLUDE_NAMES = new Set([
+	"Library",
+	"Applications",
+	"node_modules",
+	".git",
+	".Trash",
+	".cache",
+	".npm",
+	".pnpm-store",
+	".yarn",
+	".cargo",
+	".rustup",
+	".gradle",
+	".gem",
+	".m2",
+	".nvm",
+	".bun",
+	".deno",
+	"DerivedData",
+	"Pods"
+]);
+function scanExcludeFilter(entry) {
+	const name = typeof entry === "string" ? entry.split("/").pop() ?? "" : entry?.name ?? "";
+	return SCAN_EXCLUDE_NAMES.has(name);
+}
+function resolveGlobMatchesBatch(patterns, baseDir) {
+	if (patterns.length === 0) return [];
+	return globSync(patterns.map(toGlobPattern), {
+		cwd: baseDir,
+		exclude: scanExcludeFilter
+	}).map((match) => resolve(baseDir, match));
+}
+/**
+* Resolve patterns against `baseDir` at top level only (no recursive `**`
+* expansion).  Trailing slashes are stripped; leading slashes are stripped
+* (already anchored).  Used for `~/.bxignore` in $HOME to keep the lookup
+* cheap while still matching literal/glob paths at the home root.
+*/
+function resolveTopLevelMatches(patterns, baseDir) {
+	if (patterns.length === 0) return [];
+	const cleaned = patterns.map((p) => p.startsWith("/") ? p.slice(1) : p).map((p) => p.endsWith("/") ? p.slice(0, -1) : p).filter((p) => p.length > 0);
+	if (cleaned.length === 0) return [];
+	return globSync(cleaned, { cwd: baseDir }).map((m) => resolve(baseDir, m));
+}
 /**
 * A directory is self-protected if it contains a `.bxprotect` file
 * or a `.bxignore` with a bare `/` entry.  Self-protected directories
@@ -1055,19 +1099,27 @@ function isSelfProtected(dir) {
 	if (existsSync(join(dir, ".bxprotect"))) return true;
 	return parseLines(join(dir, ".bxignore")).some((l) => l === "/" || l === ".");
 }
-function applyIgnoreFile(filePath, baseDir, ignored) {
+function applyIgnoreFile(filePath, baseDir, ignored, readOnly) {
 	for (const line of parseLines(filePath)) {
 		if (line === "/" || line === ".") continue;
+		const accessMatch = line.match(ACCESS_PREFIX_RE);
+		if (accessMatch) {
+			if (!readOnly) continue;
+			const [, prefix, rawPath] = accessMatch;
+			if (prefix.toUpperCase() !== "RO") continue;
+			for (const m of resolveGlobMatches(rawPath.trim(), baseDir)) readOnly.add(realpathSafe(m));
+			continue;
+		}
 		ignored.push(...resolveGlobMatches(line, baseDir));
 	}
 }
-function collectIgnoreFilesRecursive(dir, ignored) {
+function collectIgnoreFilesRecursive(dir, ignored, readOnly) {
 	if (isSelfProtected(dir)) {
 		ignored.push(dir);
 		return;
 	}
 	const ignoreFile = join(dir, ".bxignore");
-	if (existsSync(ignoreFile)) applyIgnoreFile(ignoreFile, dir, ignored);
+	if (existsSync(ignoreFile)) applyIgnoreFile(ignoreFile, dir, ignored, readOnly);
 	let entries;
 	try {
 		entries = readdirSync(dir);
@@ -1078,11 +1130,29 @@ function collectIgnoreFilesRecursive(dir, ignored) {
 		if (name.startsWith(".") || name === "node_modules") continue;
 		const fullPath = join(dir, name);
 		try {
-			if (statSync(fullPath).isDirectory()) collectIgnoreFilesRecursive(fullPath, ignored);
+			if (statSync(fullPath).isDirectory()) collectIgnoreFilesRecursive(fullPath, ignored, readOnly);
 		} catch {}
 	}
 }
 const ACCESS_PREFIX_RE = /^(RW|RO):(.+)$/i;
+function expandHomePath(home, raw) {
+	const trimmed = raw.trim();
+	if (trimmed === "~") return home;
+	if (trimmed.startsWith("~/")) return join(home, trimmed.slice(2));
+	return resolve(home, trimmed);
+}
+function realpathSafe(p) {
+	try {
+		return realpathSync(p);
+	} catch {
+		return p;
+	}
+}
+function resolveAccessTargets(home, raw) {
+	const expanded = expandHomePath(home, raw);
+	if (existsSync(expanded)) return [realpathSafe(expanded)];
+	return globSync(raw.trim().replace(/^~\//, ""), { cwd: home }).map((m) => realpathSafe(join(home, m))).filter((p) => existsSync(p));
+}
 function parseHomeConfig(home, workDirs) {
 	const allowed = new Set(workDirs);
 	const readOnly = /* @__PURE__ */ new Set();
@@ -1090,10 +1160,10 @@ function parseHomeConfig(home, workDirs) {
 		const match = line.match(ACCESS_PREFIX_RE);
 		if (!match) continue;
 		const [, prefix, rawPath] = match;
-		const absolute = resolve(home, rawPath.trim());
-		if (!existsSync(absolute)) continue;
-		if (prefix.toUpperCase() === "RW") allowed.add(absolute);
-		else readOnly.add(absolute);
+		const targets = resolveAccessTargets(home, rawPath);
+		if (targets.length === 0) continue;
+		const target = prefix.toUpperCase() === "RW" ? allowed : readOnly;
+		for (const t of targets) target.add(t);
 	}
 	return {
 		allowed,
@@ -1143,22 +1213,26 @@ function collectProtectedContainers(home) {
 	}
 	return matched;
 }
+function isOverridden(path, overrides) {
+	return overrides.has(path) || overrides.has(realpathSafe(path));
+}
 function collectReadOnlyDotfiles(home, overrides = /* @__PURE__ */ new Set()) {
-	return PROTECTED_HOME_DOTFILES_RO.map((f) => join(home, f)).filter((p) => !overrides.has(p));
+	return PROTECTED_HOME_DOTFILES_RO.map((f) => join(home, f)).filter((p) => !isOverridden(p, overrides));
 }
-function collectIgnoredPaths(home, workDirs, overrides = /* @__PURE__ */ new Set()) {
+function collectIgnoredPaths(home, workDirs, overrides = /* @__PURE__ */ new Set(), readOnly) {
 	const ignored = [
 		...PROTECTED_DOTDIRS.map((d) => join(home, d)),
 		...PROTECTED_HOME_DOTFILES.map((f) => join(home, f)),
 		...PROTECTED_LIBRARY_DIRS.map((d) => join(home, "Library", d)),
 		...new Set(collectProtectedContainers(home))
-	].filter((p) => !overrides.has(p));
+	].filter((p) => !isOverridden(p, overrides));
 	const globalIgnore = join(home, ".bxignore");
-	if (existsSync(globalIgnore)) {
-		const denyLines = parseLines(globalIgnore).filter((l) => !ACCESS_PREFIX_RE.test(l));
-		for (const line of denyLines) for (const m of resolveGlobMatches(line, home)) if (!overrides.has(m)) ignored.push(m);
+	const globalDenyLines = existsSync(globalIgnore) ? parseLines(globalIgnore).filter((l) => !ACCESS_PREFIX_RE.test(l)) : [];
+	for (const m of resolveTopLevelMatches(globalDenyLines, home)) if (!isOverridden(m, overrides)) ignored.push(m);
+	for (const workDir of workDirs) {
+		for (const m of resolveGlobMatchesBatch(globalDenyLines, workDir)) if (!isOverridden(m, overrides)) ignored.push(m);
+		collectIgnoreFilesRecursive(workDir, ignored, readOnly);
 	}
-	for (const workDir of workDirs) collectIgnoreFilesRecursive(workDir, ignored);
 	return ignored;
 }
 function sbplEscape(path) {
@@ -1409,6 +1483,11 @@ function executableFromBundle(bundlePath, app) {
 	if (app.binary) return join(bundlePath, app.binary);
 	return join(bundlePath, "Contents", "MacOS", basename(bundlePath, ".app"));
 }
+function isElectronApp(resolvedPath) {
+	const bundle = appBundleFromPath(resolvedPath);
+	if (!bundle) return false;
+	return existsSync(join(bundle, "Contents", "Frameworks", "Electron Framework.framework"));
+}
 const SANDBOX_KEY = "com.apple.security.app-sandbox";
 function hasAppSandboxEntitlement(entitlements) {
 	if (new RegExp(`<key>\\s*${SANDBOX_KEY.replace(/\./g, "\\.")}\\s*</key>\\s*<true\\s*/>`, "i").test(entitlements)) return true;
@@ -1491,6 +1570,7 @@ function buildAppCommand(mode, workDirs, home, profileSandbox, appArgs, apps) {
 		args.push("--extensions-dir", join(dataDir, "extensions"));
 	}
 	if (app.args) args.push(...app.args);
+	if (!args.includes("--no-sandbox") && isElectronApp(resolvedPath)) args.push("--no-sandbox");
 	if (appArgs.length > 0) args.push(...appArgs);
 	args.push(...getPassPaths(app, workDirs, home));
 	return {
@@ -1535,7 +1615,7 @@ function getNestedSandboxWarning(mode, apps) {
 				"pipe",
 				"pipe"
 			]
-		}))) return `⚠️  "${mode}" has Apple App Sandbox enabled — nested sandboxing may cause issues`;
+		}))) return `"${mode}" has Apple App Sandbox enabled — bx sandbox may not apply correctly`;
 	} catch {}
 	return null;
 }
@@ -1699,7 +1779,7 @@ function printDryRunTree({ home, blockedDirs, ignoredPaths, readOnlyDirs, workDi
 }
 //#endregion
 //#region src/index.ts
-const VERSION = "1.4.0";
+const VERSION = "1.6.1";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 if (process$1.argv.includes("--version") || process$1.argv.includes("-v")) {
 	console.log(`bx ${VERSION}`);
@@ -1749,8 +1829,9 @@ async function main() {
 	if (profileSandbox) await setupVSCodeProfile(HOME, profileSandbox);
 	const { allowed, readOnly } = parseHomeConfig(HOME, workDirs);
 	const allAccessible = new Set([...allowed, ...readOnly]);
+	warnDangerousOverrides(HOME, allAccessible);
 	const blockedDirs = collectBlockedDirs(HOME, HOME, __dirname, allAccessible);
-	const ignoredPaths = collectIgnoredPaths(HOME, workDirs, allAccessible);
+	const ignoredPaths = collectIgnoredPaths(HOME, workDirs, allAccessible, readOnly);
 	const readOnlyDotfiles = collectReadOnlyDotfiles(HOME, allAccessible);
 	printPolicySummary(mode, workDirs, blockedDirs, ignoredPaths, readOnly);
 	const profile = generateProfile(workDirs, blockedDirs, ignoredPaths, [...readOnly], HOME, readOnlyDotfiles);
@@ -1878,6 +1959,14 @@ function printPolicySummary(mode, workDirs, blockedDirs, ignoredPaths, readOnly)
 	if (extraIgnored > 0) parts.push(`${extraIgnored} from .bxignore`);
 	console.error(fmt.detail(parts.join(" · ")));
 }
+function warnDangerousOverrides(home, accessible) {
+	const hits = [
+		...PROTECTED_DOTDIRS.map((d) => join(home, d)),
+		...PROTECTED_HOME_DOTFILES.map((f) => join(home, f)),
+		...PROTECTED_LIBRARY_DIRS.map((d) => join(home, "Library", d))
+	].filter((p) => accessible.has(p));
+	for (const p of hits) console.error(fmt.detail(`warning: ~/.bxignore override exposes built-in protected path ${p}`));
+}
 function printLaunchDetails(cmd, cwd) {
 	const quote = (a) => JSON.stringify(a);
 	console.error(fmt.detail(`bin:  ${cmd.bin}`));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bx-mac",
-  "version": "1.4.0",
+  "version": "1.6.1",
   "description": "Sandbox any macOS app — only your project directory stays accessible",
   "type": "module",
   "bin": {
@@ -47,10 +47,10 @@
     "darwin"
   ],
   "devDependencies": {
-    "@types/node": "^25.5.2",
-    "rolldown": "^1.0.0-rc.13",
+    "@types/node": "^25.6.0",
+    "rolldown": "^1.0.0-rc.16",
     "smol-toml": "^1.6.1",
-    "vitest": "^4.1.2"
+    "vitest": "^4.1.4"
   },
   "engines": {
     "node": ">=22"