
default=deny sandbox too difficult to get working — needs better defaults and diagnostics #280

@eliothedeman

Description

Problem

Getting a default=deny sandbox working for even basic commands (like cargo check) required extensive debugging through multiple landmines:

  1. Ancestor directory traversal: Seatbelt requires stat() permission on every parent directory for realpath(). Adding subpath "/Users/eliot/.cargo" does NOT implicitly allow stat("/Users") or stat("/Users/eliot"). Fixed in #262 ("Use "brush" to provide a bash compatible shell with full policy enforcement") by auto-adding ancestor literal reads.

  2. DNS resolution: system-socket permission is needed for mDNSResponder. Not obvious from errors (just "Could not resolve host"). Fixed in #262.

  3. Firmlinks vs symlinks: std::fs::canonicalize resolves macOS firmlinks (/Users -> /System/Volumes/Data/Users) which breaks Seatbelt matching. Fixed in #262 with symlink-only resolution.

  4. Trailing slashes: $TMPDIR ends with / and Seatbelt subpath does not match paths with trailing separators. Fixed in #262.

  5. No actionable errors: When Seatbelt denies access, the user just sees "Operation not permitted" with no indication which sandbox rule is missing.

The result: most users give up on default=deny and use a permissive sandbox, defeating the purpose.

Suggestions

  • Add a clash sandbox debug command that captures Seatbelt denial logs and suggests missing rules
  • Better documentation of macOS Seatbelt quirks
  • Consider making the auto-injected system paths more comprehensive so basic commands just work
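A worked illustration of landmines 1 through 4, added here as an example and not code from the clash project: a small Rust generator that turns a list of allowed directories into a Seatbelt (SBPL) profile fragment, stripping trailing separators, emitting a file-read-metadata literal for every ancestor directory so realpath() can stat() its way down, and enabling system-socket when DNS is wanted. The names `SandboxSpec`, `render_profile`, `normalize`, `ancestors` and `looks_firmlink_resolved` are invented for this example; the firmlink check is a plain prefix heuristic on the /System/Volumes/Data target the issue mentions, and the sample paths are constructed.

```rust
// Added example, not code from the clash project. Generates a Seatbelt (SBPL)
// profile fragment from a list of allowed directories while applying the
// macOS quirks described in the issue. All names here are invented for the
// example; the real clash API may differ.
use std::collections::BTreeSet;
use std::path::{Path, PathBuf};

/// What the caller wants to permit. Paths are taken as written by the user:
/// they are NOT passed through std::fs::canonicalize, because on macOS that
/// resolves the /Users firmlink to /System/Volumes/Data/Users and the
/// resulting rules no longer match the paths the kernel checks.
struct SandboxSpec {
    read_dirs: Vec<String>,
    write_dirs: Vec<String>,
    /// Allow talking to mDNSResponder so hostname lookups work.
    allow_dns: bool,
}

/// Strip trailing separators: Seatbelt's `subpath` filter does not match a
/// path ending in "/", which is how $TMPDIR is usually set.
fn normalize(path: &str) -> PathBuf {
    let trimmed = path.trim_end_matches('/');
    if trimmed.is_empty() {
        PathBuf::from("/") // an all-slash input is the root itself
    } else {
        PathBuf::from(trimmed)
    }
}

/// Proper ancestors of `path`, outermost first, excluding "/" and the path
/// itself. realpath() calls stat() on each of these, so every one needs a
/// file-read-metadata rule even though the leaf is already a subpath.
fn ancestors(path: &Path) -> Vec<PathBuf> {
    let mut out: Vec<PathBuf> = path
        .ancestors()
        .skip(1) // drop the path itself
        .filter(|p| *p != Path::new("/"))
        .map(Path::to_path_buf)
        .collect();
    out.reverse();
    out
}

/// Heuristic diagnostic (assumption: prefix check only): a path that already
/// starts with the firmlink target was probably produced by canonicalize()
/// and will not match the user-visible paths under /Users.
fn looks_firmlink_resolved(path: &Path) -> bool {
    path.starts_with("/System/Volumes/Data")
}

/// Render a default-deny profile with subpath grants plus the ancestor
/// metadata reads and DNS socket permission the grants silently depend on.
fn render_profile(spec: &SandboxSpec) -> String {
    let mut lines = vec!["(version 1)".to_string(), "(deny default)".to_string()];
    let mut literal_reads: BTreeSet<String> = BTreeSet::new();

    let groups: [(&Vec<String>, &str); 2] = [
        (&spec.read_dirs, "file-read*"),
        (&spec.write_dirs, "file-read* file-write*"),
    ];
    for &(dirs, ops) in groups.iter() {
        for dir in dirs.iter() {
            let p = normalize(dir);
            lines.push(format!("(allow {} (subpath \"{}\"))", ops, p.display()));
            for a in ancestors(&p) {
                literal_reads.insert(a.display().to_string());
            }
        }
    }
    if !literal_reads.is_empty() {
        let lits: Vec<String> = literal_reads
            .iter()
            .map(|p| format!("(literal \"{}\")", p))
            .collect();
        lines.push(format!("(allow file-read-metadata {})", lits.join(" ")));
    }
    if spec.allow_dns {
        lines.push("(allow system-socket)".to_string());
    }
    lines.join("\n")
}

fn main() {
    // Constructed sample input resembling the issue's cargo-check scenario.
    let spec = SandboxSpec {
        read_dirs: vec!["/Users/eliot/.cargo".to_string()],
        write_dirs: vec!["/private/tmp/build/".to_string()],
        allow_dns: true,
    };
    for dir in spec.read_dirs.iter().chain(spec.write_dirs.iter()) {
        if looks_firmlink_resolved(Path::new(dir)) {
            eprintln!("warning: {} looks canonicalized through a firmlink", dir);
        }
    }
    println!("{}", render_profile(&spec));
}
```

Running it prints a profile whose ancestor literals ("/Users", "/Users/eliot", "/private", "/private/tmp") are derived rather than hand-listed, which is the part that is easy to forget when writing a default=deny profile by hand and the reason landmine 1 shows up only as "Operation not permitted".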

Labels: enhancement (New feature or request)