zed/crates/sandbox
Richard Feldman 5ec1ce7cd0
Add sandbox crate with macOS Seatbelt integration (#57429)
Adds a new `sandbox` crate that wraps shell invocations under macOS's
`sandbox-exec(1)` with a Seatbelt policy built from per-command
permissions:

- Reads are unrestricted.
- Writes are restricted to a caller-provided list of directories (plus
the standard `/dev/*` write targets).
- Network access and unrestricted filesystem writes must be opted into
per command.

`wrap_invocation(program, args, writable_dirs, permissions)` returns the
new program/args plus a `SeatbeltConfigFile` RAII handle that deletes
the on-disk policy file when dropped — callers hold it for the lifetime
of the spawned command.

No callers yet — this is the first of three stacked PRs. The second
wires the sandbox state into the agent's system prompt behind a feature
flag; the third wires the actual wrapping into the agent terminal tool.

The macOS-only dependencies (`tempfile`, `anyhow`) are gated by
`target.'cfg(target_os = "macos")'` so the crate is empty on other
platforms.

Includes 14 tests covering both the generated Seatbelt policy text and
end-to-end behavior (actually invoking `sandbox-exec` and asserting
reads/writes succeed or fail per policy).

Release Notes:

- N/A
2026-05-27 20:35:32 +00:00
src
Cargo.toml
LICENSE-GPL