;; macOS sandbox profile (SBPL) for running a yarn/node build of the checkout
;; at $HOME/src/$PROJECT with tools managed by mise.  The profile is
;; deny-by-default: every operation not explicitly allowed below is refused.
;; Three parameters must be supplied when the profile is applied (e.g.
;; `sandbox-exec -D HOME=... -D PROJECT=... -D TMPDIR=...`): HOME, PROJECT
;; and TMPDIR.
;; NOTE(review): TMPDIR is concatenated into regexes below with no "/"
;; separator, so those rules assume it ends in "/" -- confirm when applying.
;; NOTE(review): HOME is spliced into regexes unescaped; a HOME containing
;; regex metacharacters would change what those rules match.
(version 1)
(deny default)

;; Network: outbound traffic only to a local listener on port 9123, plus the
;; mDNSResponder unix socket used for name resolution.  Presumably a local
;; package-registry proxy is expected on 9123; nothing else is reachable.
(allow network-outbound (remote ip "localhost:9123"))
(allow network-outbound (literal "/private/var/run/mDNSResponder"))

;; Unfiltered: stat()-style metadata may be read anywhere.  File contents
;; are governed by the file-read-data rules further down.
(allow file-read-metadata)

;; Read-only kernel/hardware facts that runtimes typically probe at startup.
(allow sysctl-read
  (sysctl-name-prefix "hw.")
  (sysctl-name "kern.bootargs")
  (sysctl-name "kern.argmax")
  (sysctl-name "kern.ngroups")
  (sysctl-name "kern.willshutdown")
  (sysctl-name "kern.hostname")
  (sysctl-name "kern.osproductversion")
  (sysctl-name "kern.ostype")
  (sysctl-name "kern.osrelease")
  (sysctl-name "kern.version")
  (sysctl-name "kern.osvariant_status")
  (sysctl-name "kern.secure_kernel")
  (sysctl-name "machdep.ptrauth_enabled")
  (sysctl-name "security.mac.lockdown_mode_state")
  (sysctl-name-prefix "net.routetable")
)

;; mise
;; Read-only access to mise's own configuration and its installs, plugins
;; and cache.  (path "/") matches only the root directory entry itself, not
;; anything beneath it.
(allow file-read-data
  (path "/")
  (path (string-append (param "HOME") "/.config/mise/config.toml"))
  (path (string-append (param "HOME") "/.tool-versions"))
  (subpath (string-append (param "HOME") "/.local/share/mise/installs"))
  (subpath (string-append (param "HOME") "/.local/share/mise/plugins"))
  (subpath (string-append (param "HOME") "/Library/Caches/mise"))
)

;; yarn
;; The build's read+write surface (file* covers writes as well as reads):
;; the yarn and node-gyp caches, the global node_modules of every
;; mise-managed node, and the project's public/ and node_modules/ trees.
;; These are the only parts of the checkout that are writable.
;; NOTE(review): the same global node_modules directory is also granted
;; process-exec* below, so it is both writable and executable from inside
;; the sandbox -- confirm that is intended.
(allow file*
  (subpath (string-append (param "HOME") "/Library/Caches/Yarn"))
  (subpath (string-append (param "HOME") "/Library/Caches/node-gyp"))
  (regex (string-append "^" (param "HOME") "/.local/share/mise/installs/node/[^/]+/lib/node_modules/"))
  (subpath (string-append (param "HOME") "/src/" (param "PROJECT") "/public"))
  (subpath (string-append (param "HOME") "/src/" (param "PROJECT") "/node_modules"))
)

;; Package-manager configuration plus the individual project files the build
;; needs.  Only these named files in the checkout are readable; the rest of
;; the source tree's contents are not (metadata is, via file-read-metadata).
(allow file-read-data
  (path "/private/etc/passwd")
  (path (string-append (param "HOME") "/.npmrc"))
  (path (string-append (param "HOME") "/.yarnrc"))
  (path (string-append (param "HOME") "/.yarnrc.yml"))
  (path (string-append (param "HOME") "/src"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT")))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/.tool-versions"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/Gemfile"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/.ruby-version"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/package.json"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/yarn.lock"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/README.md"))
  (path (string-append (param "HOME") "/src/" (param "PROJECT") "/.npmrc"))
)

;; compile
;; Read-only toolchain, SDK and ICU data -- presumably for native addon
;; builds; the matching clang/ld executables are allowed in the exec list.
(allow file-read-data
  (subpath "/Applications/Xcode.app")
  (subpath "/Library/Developer/CommandLineTools/SDKs")
  (subpath "/usr/share/icu")
)

;; general
;; Read-only system configuration and frameworks.  The
;; "/Library/Preferences/Logging" entry is already covered by the broader
;; "/Library/Preferences" subpath at the end of this list.
(allow file-read-data
  (subpath (string-append (param "HOME") "/Library/Preferences"))
  (subpath "/Library/Preferences/Logging")
  (subpath "/private/var/db/timezone")
  (path "/private/var/run/resolv.conf")
  (path "/private/etc/ssl/openssl.cnf")
  (path "/dev")
  (path "/bin")
  (path "/usr/bin")
  (path "/private/etc/hosts")
  (subpath "/usr/share/locale")
  (path "/System/Volumes/Preboot/Cryptexes/OS")
  (subpath "/System/Library")
  (subpath "/Library/Preferences")
)

;; Read+write on device nodes, pseudo-terminals, the nix store and the
;; temporary directories.  The "/private" variants exist because /tmp and
;; /var are symlinks into /private on macOS, so both spellings can appear.
;; NOTE(review): file* on "^/nix/store/[^/]+/" grants writes to every store
;; path; harmless if the store is immutable, otherwise file-read* would be
;; the least-privilege choice -- confirm.
(allow file*
  (path "/dev/null")
  (path "/dev/tty")
  (path "/dev/fd")
  (path "/dev/dtracehelper")
  (regex "^/nix/store/[^/]+/")
  (subpath "/tmp")
  (subpath "/private/tmp")
  (subpath (param "TMPDIR"))
  (subpath (string-append "/private" (param "TMPDIR")))
  (regex "^/dev/ttys.*$")
)

;; Mach services, by name, that the runtime libraries contact (logging and
;; diagnostics, LaunchServices, DNS-SD, notifications, user/group lookups).
(allow mach-lookup
  (global-name "com.apple.analyticsd")
  (global-name "com.apple.bsd.dirhelper")
  (global-name "com.apple.coreservices.launchservicesd")
  (global-name "com.apple.diagnosticd")
  (global-name "com.apple.dnssd.service")
  (global-name "com.apple.logd")
  (global-name "com.apple.system.notification_center")
  (global-name "com.apple.system.opendirectoryd.libinfo")
  (global-name "com.apple.system.opendirectoryd.membership")
)

;; Shared memory segment used by the notification center.
(allow ipc-posix-shm (ipc-posix-name "apple.shm.notification_center"))

;; Unfiltered -- NOTE(review): presumably needed by the resolver; confirm it
;; cannot be narrowed.
(allow system-socket)

;; git from the nix store is launched with (with no-sandbox): the git process
;; and everything it launches in turn run entirely outside this profile.
(allow process-exec (with no-sandbox)
  (regex "^/nix/store/[^/]+/bin/git")
)

;; Executables the sandboxed build may run (file-read-data is granted
;; alongside because exec requires reading the image).  The regexes are
;; anchored only at the start, so e.g. "bin/python3.*" also matches
;; versioned names such as python3.12.  See the TMPDIR note at the top for
;; the "yarn-[^/]+" entries.
(allow process-exec* file-read-data
  (regex "^/nix/store/[^/]+/bin/mise")
  (path "/bin/sh")
  (path "/bin/bash")
  (path "/bin/rm")
  (path "/usr/bin/sed")
  (path "/usr/bin/env")
  (path "/usr/bin/uname")
  (path "/usr/bin/xcrun")
  (path "/usr/bin/dirname")
  (path "/usr/bin/readlink")
  (path "/usr/bin/printf")
  (path "/usr/bin/c++")
  (path "/usr/bin/grep")
  (path "/usr/bin/touch")
  (path "/bin/mkdir")
  (regex (string-append "^" (param "HOME") "/.local/share/mise/installs/node/[^/]+/bin/node"))
  (regex (string-append "^" (param "HOME") "/.local/share/mise/installs/node/[^/]+/lib/node_modules"))
  (regex (string-append "^" (param "HOME") "/.local/share/mise/installs/python/[^/]+/bin/python3.*"))
  (regex (string-append "^" (param "HOME") "/.local/share/mise/installs/yarn/[^/]+/bin/yarn"))
  (path "/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld")
  (regex (string-append "^" (param "TMPDIR") "yarn-[^/]+/yarn"))
  (regex (string-append "^/private" (param "TMPDIR") "yarn-[^/]+/yarn"))
  (regex (string-append "^/private" (param "TMPDIR") "yarn-[^/]+/node"))
  (regex "^/nix/store/[^/]+/bin/bash")
  (path "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang")
  (path "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld")
)

;; Debugging aid, kept disabled: uncommenting it allows *every* exec and logs
;; each one, which is useful for discovering missing entries for the list
;; above but must not be left enabled.
;;(allow (with report) process-exec*)

;; Unfiltered: the build may fork child processes.
(allow process-fork)