(version 1)
(deny default)

; =============================================================================
; Mach IPC - Minimal services required for process execution
; =============================================================================
; Core system services for process execution and basic operations
(allow mach-lookup (global-name "com.apple.system.opendirectoryd.libinfo"))  ; User/group lookups
(allow mach-lookup (global-name "com.apple.system.logger"))                   ; Unified logging
(allow mach-lookup (global-name "com.apple.system.notification_center"))      ; Notifications

; Security and code signing
(allow mach-lookup (global-name "com.apple.SecurityServer"))                  ; Code signing verification
(allow mach-lookup (global-name "com.apple.trustd"))                          ; Certificate validation
(allow mach-lookup (global-name "com.apple.trustd.agent"))                    ; Trust agent

; Launch Services and Core Services
(allow mach-lookup (global-name "com.apple.lsd.mapdb"))                       ; Launch Services database
(allow mach-lookup (global-name "com.apple.coreservices.launchservicesd"))    ; Launch Services daemon
(allow mach-lookup (global-name "com.apple.CoreServices.coreservicesd"))      ; Core Services
(allow mach-lookup (global-name "com.apple.coreservices.quarantine-resolver")) ; Quarantine handling

; Process lifecycle and preferences
(allow mach-lookup (global-name "com.apple.runningboard"))                    ; Process management
(allow mach-lookup (global-name "com.apple.cfprefsd.daemon"))                 ; System preferences
(allow mach-lookup (global-name "com.apple.cfprefsd.agent"))                  ; User preferences

; Dynamic linker
(allow mach-lookup (global-name "com.apple.dyld.closured"))                   ; dyld closure daemon

; XPC and launchd services (pattern match for essential XPC)

; Distributed notifications (various versions)
(allow mach-lookup (global-name "com.apple.distributed_notifications@1v3"))
(allow mach-lookup (global-name "com.apple.distributed_notifications@Vv3"))

; Network configuration (required for proxy)
(allow mach-lookup (global-name "com.apple.SystemConfiguration.configd"))     ; Network config
(allow mach-lookup (global-name "com.apple.networkd"))                        ; Network daemon
(allow mach-lookup (global-name "com.apple.symptomsd"))                       ; Network diagnostics
(allow mach-lookup (global-name "com.apple.dnssd.service"))                   ; DNS service discovery

; File system events (needed by many tools)
(allow mach-lookup (global-name "com.apple.FSEvents"))                        ; FS event notifications

; Font services (needed by many applications)
(allow mach-lookup (global-name "com.apple.fonts"))
(allow mach-lookup (global-name "com.apple.FontObjectsServer"))

; Sysctl for system information
(allow sysctl-read)

; =============================================================================
; Hardware access configuration
; =============================================================================
{% if allow_gpu %}
; GPU access - Metal, OpenGL, OpenCL
(allow iokit-open (iokit-user-client-class "IOAccelerator"))
(allow iokit-open (iokit-user-client-class "IOAccelerationUserClient"))
(allow iokit-open (iokit-user-client-class "AGXDeviceUserClient"))
(allow iokit-open (iokit-user-client-class "IOSurfaceRootUserClient"))
(allow iokit-open (iokit-user-client-class "IOSurfaceSendRight"))
; GPU-related Mach services
(allow mach-lookup (global-name "com.apple.gpumemd.source"))
(allow mach-lookup (global-name "com.apple.MTLCompilerService"))
{% endif %}
{% if allow_npu %}
; NPU/Neural Engine access - CoreML, ANE (Apple Neural Engine)
(allow iokit-open (iokit-user-client-class "H11ANEInDirectPathClient"))
(allow iokit-open (iokit-user-client-class "AppleNeuralEngineUserClient"))
; NPU-related Mach services
(allow mach-lookup (global-name "com.apple.coreml.modelcompiler"))
(allow mach-lookup (global-name "com.apple.coreml.mlmodelc"))
{% endif %}
{% if allow_hardware %}
; General hardware access - USB, Bluetooth, cameras, etc.
(allow iokit-open)
{% endif %}

; =============================================================================
; Process operations
; =============================================================================
(allow process-fork)
(allow process-exec)
(allow signal)
(allow ipc-posix*)
(allow file-lock)
(allow process-info-setcontrol)

; =============================================================================
; File system access
; =============================================================================
; Allow file reads broadly on macOS.
; Modern macOS runtime dependencies are not stably enumerable across releases
; because dyld, cryptexes, and other system resources move between sealed roots.
; Sensitive paths are denied below with explicit rules, while writes stay scoped.
(allow file-read*)

    {% if writable_file_system %}
    ; Permissive mode: Allow global write access
    (allow file-write*)
    {% endif %}

; Process execution - restricted to known safe paths
(allow process-exec (subpath "/bin"))
(allow process-exec (subpath "/sbin"))
(allow process-exec (subpath "/usr/bin"))
(allow process-exec (subpath "/usr/sbin"))
(allow process-exec (subpath "/usr/libexec"))
(allow process-exec (subpath "/opt/homebrew"))
(allow process-exec (subpath "/usr/local"))
(allow process-exec (subpath "/Applications"))

; =============================================================================
; Temp directories (full read + write)
; =============================================================================
(allow file-read* (subpath "/private/tmp"))
(allow file-read* (subpath "/tmp"))
(allow file-read* (subpath "/var/folders"))
(allow file-read* (subpath "/private/var/folders"))
(allow file-write* (subpath "/private/tmp"))
(allow file-write* (subpath "/tmp"))
(allow file-write* (subpath "/var/folders"))
(allow file-write* (subpath "/private/var/folders"))
(allow file-write-create (subpath "/private/tmp"))
(allow file-write-create (subpath "/tmp"))
(allow file-write-create (subpath "/var/folders"))
(allow file-write-create (subpath "/private/var/folders"))
(allow file-write-unlink (subpath "/private/tmp"))
(allow file-write-unlink (subpath "/tmp"))
(allow file-write-unlink (subpath "/var/folders"))
(allow file-write-unlink (subpath "/private/var/folders"))

; =============================================================================
; Device access - minimal set for stdio and randomness
; =============================================================================
(allow file-read* (literal "/dev/null"))
(allow file-read* (literal "/dev/zero"))
(allow file-read* (literal "/dev/random"))
(allow file-read* (literal "/dev/urandom"))
(allow file-read* (subpath "/dev/fd"))
(allow file-read* (literal "/dev/tty"))
(allow file-read* (regex #"^/dev/ttys[0-9]+$"))
(allow file-read* (regex #"^/dev/pty[pq][0-9a-f]+$"))
(allow file-write* (literal "/dev/null"))
(allow file-write* (literal "/dev/zero"))
(allow file-write* (subpath "/dev/fd"))
{% if allow_tty_write %}
; TTY write access enabled (for interactive sessions)
(allow file-write* (literal "/dev/tty"))
(allow file-write* (regex #"^/dev/ttys[0-9]+$"))
(allow file-write* (regex #"^/dev/pty[pq][0-9a-f]+$"))
(allow file-ioctl (literal "/dev/tty"))
(allow file-ioctl (regex #"^/dev/ttys[0-9]+$"))
(allow file-ioctl (regex #"^/dev/pty[pq][0-9a-f]+$"))
{% endif %}

; =============================================================================
; User-configured paths
; =============================================================================
; Configured readable paths
{% for path in readable_paths %}
(allow file-read* (subpath "{{ path }}"))
{% endfor %}
; Configured writable paths (includes all write operations)
{% for path in writable_paths %}
(allow file-read* (subpath "{{ path }}"))
(allow file-write* (subpath "{{ path }}"))
(allow file-write-create (subpath "{{ path }}"))
(allow file-write-unlink (subpath "{{ path }}"))
{% endfor %}
; Configured executable paths
{% for path in executable_paths %}
(allow file-read* (literal "{{ path }}"))
(allow process-exec (literal "{{ path }}"))
{% endfor %}

; Working directory (full read + write)
(allow file-read* (subpath "{{ working_dir }}"))
(allow file-write* (subpath "{{ working_dir }}"))
(allow file-write-create (subpath "{{ working_dir }}"))
(allow file-write-unlink (subpath "{{ working_dir }}"))

{% if let Some(venv_path) = python_venv_path %}
; Python venv (full access)
(allow file-read* (subpath "{{ venv_path }}"))
(allow file-write* (subpath "{{ venv_path }}"))
(allow file-write-create (subpath "{{ venv_path }}"))
(allow file-write-unlink (subpath "{{ venv_path }}"))
(allow process-exec (subpath "{{ venv_path }}"))
{% endif %}

; =============================================================================
; Network: deny by default; optionally allow proxy port
; =============================================================================
(deny network*)
{% if let Some(ipc_port) = ipc_port %}
; Allow IPC endpoint only (sandbox-local heel IPC server)
(allow network-outbound (remote ip "localhost:{{ ipc_port }}"))
{% endif %}
{% if !network_deny_all %}
; Allow outbound network through proxy when network mode is enabled
(allow network-outbound (remote ip "localhost:{{ proxy_port }}"))
{% endif %}

; =============================================================================
; Security rules - DENY sensitive paths
; Patterns are anchored to match directory/file boundaries to avoid false matches
; e.g., "/\.ssh(/|$)" matches "/.ssh/" or "/.ssh" at end, not "not.ssh.txt"
; =============================================================================
{% if protect_user_home %}
; Protect user home directories
{% if allow_tcc_prompts %}
; TCC prompts enabled - only block ~/Library (not TCC-protected)
; TCC-protected folders (Desktop, Documents, Downloads, Pictures, Movies, Music)
; are handled by macOS TCC, which will prompt the user for access
(deny file-read* (regex #"/Users/[^/]+/Library(/|$)") (with no-log))
{% else %}
; TCC prompts disabled (strict mode) - block all sensitive home subdirectories
(deny file-read* (regex #"/Users/[^/]+/Documents(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Desktop(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Downloads(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Library(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Pictures(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Movies(/|$)") (with no-log))
(deny file-read* (regex #"/Users/[^/]+/Music(/|$)") (with no-log))
{% endif %}
{% endif %}
{% if protect_credentials %}
; Protect SSH/GPG credentials - anchored to directory boundaries
(deny file-read* (regex #"/\.ssh(/|$)") (with no-log))
(deny file-read* (regex #"/\.gnupg(/|$)") (with no-log))
{% endif %}
{% if protect_cloud_config %}
; Protect cloud provider configurations - anchored to directory boundaries
(deny file-read* (regex #"/\.aws(/|$)") (with no-log))
(deny file-read* (regex #"/\.kube(/|$)") (with no-log))
(deny file-read* (regex #"/\.docker(/|$)") (with no-log))
(deny file-read* (regex #"/\.gcloud(/|$)") (with no-log))
(deny file-read* (regex #"/\.azure(/|$)") (with no-log))
{% endif %}
{% if protect_browser_data %}
; Protect browser data (cookies, history, passwords) - anchored patterns
(deny file-read* (regex #"/Library/Application Support/Google/Chrome(/|$)") (with no-log))
(deny file-read* (regex #"/Library/Application Support/Firefox(/|$)") (with no-log))
(deny file-read* (regex #"/Library/Application Support/Microsoft Edge(/|$)") (with no-log))
(deny file-read* (regex #"/Library/Safari(/|$)") (with no-log))
(deny file-read* (regex #"/Library/Cookies(/|$)") (with no-log))
{% endif %}
{% if protect_keychain %}
; Protect system keychain - anchored pattern
(deny file-read* (regex #"/Library/Keychains(/|$)") (with no-log))
{% endif %}
{% if protect_shell_history %}
; Protect shell history files - anchored to match specific filenames
(deny file-read* (regex #"/\.(bash_history|zsh_history|fish_history)$") (with no-log))
(deny file-read* (regex #"/\.local/share/fish/fish_history$") (with no-log))
{% endif %}
{% if protect_package_credentials %}
; Protect package manager credentials - anchored to file boundaries
(deny file-read* (regex #"/\.netrc$") (with no-log))
(deny file-read* (regex #"/\.npmrc$") (with no-log))
(deny file-read* (regex #"/\.pypirc$") (with no-log))
(deny file-read* (regex #"/\.cargo/credentials(\.toml)?$") (with no-log))
(deny file-read* (regex #"/\.gem/credentials$") (with no-log))
{% endif %}
