#!/bin/bash # Unified sandbox wrapper for macOS Seatbelt # Usage: sandbox-wrapper.sh [--allow-network] [args...] set -euo pipefail # Parse network flag ALLOW_NETWORK=false if [ "${1:-}" = "--allow-network" ]; then ALLOW_NETWORK=true shift fi # Validate environment if [ -z "${SANDBOX_WORK_DIR:-}" ]; then echo "Error: SANDBOX_WORK_DIR must be set" >&2 exit 1 fi WORK_DIR="$SANDBOX_WORK_DIR" TEMP_PROFILE=$(mktemp) TEMP_STDERR=$(mktemp) trap 'rm -f "$TEMP_PROFILE" "$TEMP_STDERR"' EXIT # Generate base sandbox profile cat >"$TEMP_PROFILE" <>"$TEMP_PROFILE" <>"$TEMP_PROFILE" <>"$TEMP_PROFILE" } # Process ignore files process_ignore_file "$WORK_DIR/.gitignore" "$WORK_DIR" process_ignore_file "$WORK_DIR/.agyignore" "$WORK_DIR" # Run command [ $# -eq 0 ] && { echo "Usage: $0 [--allow-network] [args...]" >&2 exit 1 } # Run command, capturing stderr for analysis sandbox-exec -f "$TEMP_PROFILE" "$@" 2> >(tee "$TEMP_STDERR" >&2) EXIT_CODE=$? # Detect sandbox violations and provide helpful message # TODO: Update the URL to the actual documentation when ready. if [ $EXIT_CODE -ne 0 ] && grep -q "Operation not permitted" "$TEMP_STDERR"; then echo "" >&2 echo "Your command might have failed due to sandbox restrictions. See https://antigravity.google/docs/sandbox-mode for more details. You can disable sandbox permanently in settings, or for a single run by checking the 'No Sandbox' box on the next terminal command." >&2 fi exit $EXIT_CODE