[Feature Request] macOS sandbox: auto-manage allowMachLookup for TLS/system services
Bug Description
Title: Sandbox: auto-manage allowMachLookup entries needed for TLS / common macOS services
Body:
On macOS with sandbox.enabled: true, common tools fail under Seatbelt until the user manually adds XPC service names to sandbox.network.allowMachLookup. For example, TLS certificate validation via trustd is blocked by default, so I had to add:
"sandbox": {
"network": {
"allowMachLookup": ["com.apple.trustd.agent"]
}
}
…to ~/.claude/settings.json before normal tooling would work. The setting is documented (sandboxing docs) but ships with no defaults and no discovery aid — users find the right entries by reading sandbox denial logs.
Expected: Either (a) a curated default allowlist for well-known, low-risk Mach services (TLS validation via trustd in particular, since it's a prerequisite for basically any HTTPS-using tool), or (b) a runtime denial → "Allow this Mach service?" prompt analogous to how new network domains are handled today.
Actual: Silent denials and manual hand-editing of settings.json. The failure mode (TLS errors) doesn't obviously point at Mach lookup as the cause.
Environment Info
- Platform: darwin
- Terminal: xterm-256color
- Version: 2.1.150
- Feedback ID: e1a29cb2-5d8d-4258-9531-57b499abed6a
Errors
[]This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗