fix: make xdg_runtime_dir writable for desktop application

Remove stale references from the pre-GreyHaven era: `-t code` template
flag, `import --claude` subcommand, `allowedDomains` config, `bpftrace`
dependency, and HTTP 403 error messaging.

Update to reflect current features: tun2socks transparent proxying,
learning mode with strace-based template generation, port forwarding,
deny-by-default filesystem reads, environment hardening, shell
completions, and GreyHaven proxy/DNS defaults.

.gitea/workflows/benchmark.yml

@@ -0,0 +1,101 @@
+name: Benchmarks
+
+on:
+  workflow_dispatch:
+    inputs:
+      min_runs:
+        description: "Minimum benchmark runs"
+        required: false
+        default: "30"
+      quick:
+        description: "Quick mode (fewer runs)"
+        required: false
+        default: "false"
+        type: boolean
+
+jobs:
+  benchmark-linux:
+    name: Benchmark (Linux)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            bubblewrap \
+            socat \
+            uidmap \
+            curl \
+            netcat-openbsd \
+            ripgrep \
+            hyperfine \
+            jq \
+            bc
+          # Configure subuid/subgid
+          echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid
+          echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid
+          sudo chmod u+s $(which bwrap)
+
+      - name: Install benchstat
+        run: go install golang.org/x/perf/cmd/benchstat@latest
+
+      - name: Build greywall
+        run: make build-ci
+
+      - name: Run Go microbenchmarks
+        run: |
+          mkdir -p benchmarks
+          go test -run=^$ -bench=. -benchmem -count=10 ./internal/sandbox/... | tee benchmarks/go-bench-linux.txt
+
+      - name: Run CLI benchmarks
+        run: |
+          MIN_RUNS="${{ github.event.inputs.min_runs || '30' }}"
+          QUICK="${{ github.event.inputs.quick || 'false' }}"
+
+          if [[ "$QUICK" == "true" ]]; then
+            ./scripts/benchmark.sh -q -o benchmarks
+          else
+            ./scripts/benchmark.sh -n "$MIN_RUNS" -o benchmarks
+          fi
+
+      - name: Upload benchmark results
+        uses: actions/upload-artifact@v4
+        with:
+          name: benchmark-results-linux
+          path: benchmarks/
+          retention-days: 30
+
+      - name: Display results
+        run: |
+          echo "=== Linux Benchmark Results ==="
+          echo ""
+
+          for f in benchmarks/*.md; do
+            [[ -f "$f" ]] && cat "$f"
+          done
+
+          echo ""
+          echo "=== Go Microbenchmarks ==="
+          grep -E '^Benchmark|^ok|^PASS' benchmarks/go-bench-linux.txt | head -50 || true

.gitea/workflows/main.yml

@@ -0,0 +1,115 @@
+name: Build and test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Build
+        run: make build-ci
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          install-mode: goinstall
+          version: v1.64.8
+
+  test-linux:
+    name: Test (Linux)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Install Linux sandbox dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            bubblewrap \
+            socat \
+            uidmap \
+            curl \
+            netcat-openbsd \
+            ripgrep
+          # Configure subuid/subgid for the runner user (required for unprivileged user namespaces)
+          echo "$(whoami):100000:65536" | sudo tee -a /etc/subuid
+          echo "$(whoami):100000:65536" | sudo tee -a /etc/subgid
+          # Make bwrap setuid so it can create namespaces as non-root user
+          sudo chmod u+s $(which bwrap)
+
+      - name: Verify sandbox dependencies
+        run: |
+          echo "=== Checking sandbox dependencies ==="
+          bwrap --version
+          socat -V | head -1
+          echo "User namespaces enabled: $(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo 'check not available')"
+          echo "Kernel version: $(uname -r)"
+          echo "uidmap installed: $(which newuidmap 2>/dev/null && echo yes || echo no)"
+          echo "subuid configured: $(grep $(whoami) /etc/subuid 2>/dev/null || echo 'not configured')"
+          echo "bwrap setuid: $(ls -la $(which bwrap) | grep -q '^-rws' && echo yes || echo no)"
+          echo "=== Testing bwrap basic functionality ==="
+          bwrap --ro-bind / / -- /bin/echo "bwrap works!"
+          echo "=== Testing bwrap with user namespace ==="
+          bwrap --ro-bind / / --unshare-user --uid 0 --gid 0 -- /bin/echo "bwrap user namespace works!"
+
+      - name: Run unit and integration tests
+        run: make test-ci
+
+      - name: Build binary for smoke tests
+        run: make build-ci
+
+      - name: Run smoke tests
+        run: GREYWALL_TEST_NETWORK=1 ./scripts/smoke_test.sh ./greywall

.gitea/workflows/release.yml

@@ -0,0 +1,62 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+run-name: "Release ${{ github.ref_name }}"
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --clean
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+          GORELEASER_FORCE_TOKEN: gitea
+
+  publish-version:
+    needs: [goreleaser]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gh-pages
+        uses: actions/checkout@v4
+        with:
+          ref: gh-pages
+
+      - name: Update latest version
+        run: |
+          echo "${{ github.ref_name }}" > latest.txt
+
+          cat > latest.json << EOF
+          {
+            "version": "${{ github.ref_name }}",
+            "published_at": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
+            "url": "https://gitea.app.monadical.io/monadical/greywall/releases/tag/${{ github.ref_name }}"
+          }
+          EOF
+
+      - name: Commit and push to gh-pages
+        run: |
+          git config user.name "gitea-actions[bot]"
+          git config user.email "gitea-actions[bot]@noreply.gitea.app.monadical.io"
+          git add latest.txt latest.json
+          git commit -m "Update latest version to ${{ github.ref_name }}" || echo "No changes to commit"
+          git push origin gh-pages

.golangci.yml

@@ -1,8 +1,36 @@
+version: "2"
 run:
-  timeout: 5m
   modules-download-mode: readonly
-
+linters:
-linters-settings:
+  default: none
+  enable:
+    - errcheck
+    - gocritic
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
+    - revive
+    - staticcheck
+    - unused
+  settings:
+    gocritic:
+      disabled-checks:
+        - singleCaseSwitch
+    revive:
+      rules:
+        - name: exported
+          disabled: true
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofumpt
+  settings:
     gci:
       sections:
         - standard
@@ -11,30 +39,11 @@ linters-settings:
     gofmt:
       simplify: true
     goimports:
-    local-prefixes: gitea.app.monadical.io/monadical/greywall
+      local-prefixes:
-  gocritic:
+        - gitea.app.monadical.io/monadical/greywall
-    disabled-checks:
+  exclusions:
-      - singleCaseSwitch
+    generated: lax
-  revive:
+    paths:
-    rules:
+      - third_party$
-      - name: exported
+      - builtin$
-        disabled: true
+      - examples$
-
-linters:
-  enable-all: false
-  disable-all: true
-  enable:
-    - staticcheck
-    - errcheck
-    - gosimple
-    - govet
-    - unused
-    - ineffassign
-    - gosec
-    - gocritic
-    - revive
-    - gofumpt
-    - misspell
-
-issues:
-  exclude-use-default: false

.goreleaser.yaml

@@ -1,5 +1,10 @@
 version: 2
 
+gitea_urls:
+  api: https://gitea.app.monadical.io/api/v1
+  download: https://gitea.app.monadical.io
+  skip_tls_verify: false
+
 before:
   hooks:
     - go mod tidy
@@ -42,7 +47,7 @@ checksum:
 
 changelog:
   sort: asc
-  use: github
+  use: gitea
   format: "{{ .SHA }}: {{ .Message }}{{ with .AuthorUsername }} (@{{ . }}){{ end }}"
   filters:
     exclude:
@@ -76,7 +81,7 @@ changelog:
       order: 9999
 
 release:
-  github:
+  gitea:
     owner: monadical
     name: greywall
   draft: false

CLAUDE.md

@@ -54,7 +54,7 @@ scripts/               Smoke tests, benchmarks, release
 
 - **Language:** Go 1.25+
 - **Formatter:** `gofumpt` (enforced in CI)
-- **Linter:** `golangci-lint` v1.64.8 (config in `.golangci.yml`)
+- **Linter:** `golangci-lint` v2 (config in `.golangci.yml`)
 - **Import order:** stdlib, third-party, local (`gitea.app.monadical.io/monadical/greywall`)
 - **Platform code:** build tags (`//go:build linux`, `//go:build darwin`) with `*_stub.go` for unsupported platforms
 - **Error handling:** custom error types (e.g., `CommandBlockedError`)

Makefile

@@ -70,7 +70,7 @@ build-darwin:
 install-lint-tools:
 	@echo "Installing linting tools..."
 	go install mvdan.cc/gofumpt@latest
-	go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+	go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest
 	@echo "Linting tools installed"
 
 setup: deps install-lint-tools

README.md

@@ -2,20 +2,20 @@
 
 **The sandboxing layer of the GreyHaven platform.**
 
-Greywall wraps commands in a sandbox that blocks network access by default and restricts filesystem operations. It is the core sandboxing component of the GreyHaven platform, providing defense-in-depth for running untrusted code.
+Greywall wraps commands in a sandbox that blocks network access by default and restricts filesystem operations. On Linux, it uses tun2socks for truly transparent proxying: all TCP/UDP traffic is captured at the kernel level via a TUN device and forwarded through an external SOCKS5 proxy. No application awareness needed.
 
 ```bash
-# Block all network access (default)
+# Block all network access (default — no proxy running = no connectivity)
-greywall curl https://example.com  # → 403 Forbidden
+greywall -- curl https://example.com
 
-# Allow specific domains
+# Route traffic through an external SOCKS5 proxy
-greywall -t code npm install  # → uses 'code' template with npm/pypi/etc allowed
+greywall --proxy socks5://localhost:1080 -- curl https://example.com
 
 # Block dangerous commands
 greywall -c "rm -rf /"  # → blocked by command deny rules
 ```
 
-Greywall also works as a permission manager for CLI agents. **Greywall works with popular coding agents like Claude Code, Codex, Gemini CLI, Cursor Agent, OpenCode, Factory (Droid) CLI, etc.** See [agents.md](./docs/agents.md) for more details.
+Greywall also works as a permission manager for CLI agents. See [agents.md](./docs/agents.md) for integration with Claude Code, Codex, Gemini CLI, OpenCode, and others.
 
 ## Install
 
@@ -39,83 +39,123 @@ go install gitea.app.monadical.io/monadical/greywall/cmd/greywall@latest
 ```bash
 git clone https://gitea.app.monadical.io/monadical/greywall
 cd greywall
-go build -o greywall ./cmd/greywall
+make setup && make build
 ```
 
 </details>
 
-**Additional requirements for Linux:**
+**Linux dependencies:**
 
-- `bubblewrap` (for sandboxing)
+- `bubblewrap` — container-free sandboxing (required)
-- `socat` (for network bridging)
+- `socat` — network bridging (required)
-- `bpftrace` (optional, for filesystem violation visibility when monitoring with `-m`)
+
+Check dependency status with `greywall --version`.
 
 ## Usage
 
-### Basic
+### Basic commands
 
 ```bash
-# Run command with all network blocked (no domains allowed by default)
+# Run with all network blocked (default)
-greywall curl https://example.com
+greywall -- curl https://example.com
 
 # Run with shell expansion
 greywall -c "echo hello && ls"
 
+# Route through a SOCKS5 proxy
+greywall --proxy socks5://localhost:1080 -- npm install
+
+# Expose a port for inbound connections (e.g., dev servers)
+greywall -p 3000 -c "npm run dev"
+
 # Enable debug logging
-greywall -d curl https://example.com
+greywall -d -- curl https://example.com
 
-# Use a template
+# Monitor sandbox violations
-greywall -t code -- claude  # Runs Claude Code using `code` template config
+greywall -m -- npm install
 
-# Monitor mode (shows violations)
+# Show available Linux security features
-greywall -m npm install
+greywall --linux-features
 
-# Show all commands and options
+# Show version and dependency status
-greywall --help
+greywall --version
+```
+
+### Learning mode
+
+Greywall can trace a command's filesystem access and generate a config template automatically:
+
+```bash
+# Run in learning mode — traces file access via strace
+greywall --learning -- opencode
+
+# List generated templates
+greywall templates list
+
+# Show a template's content
+greywall templates show opencode
+
+# Next run auto-loads the learned template
+greywall -- opencode
 ```
 
 ### Configuration
 
 Greywall reads from `~/.config/greywall/greywall.json` by default (or `~/Library/Application Support/greywall/greywall.json` on macOS).
 
-```json
+```jsonc
 {
-  "extends": "code",
+  // Route traffic through an external SOCKS5 proxy
-  "network": { "allowedDomains": ["private.company.com"] },
+  "network": {
-  "filesystem": { "allowWrite": ["."] },
+    "proxyUrl": "socks5://localhost:1080",
-  "command": { "deny": ["git push", "npm publish"] }
+    "dnsAddr": "localhost:5353"
+  },
+  // Control filesystem access
+  "filesystem": {
+    "defaultDenyRead": true,
+    "allowRead": ["~/.config/myapp"],
+    "allowWrite": ["."],
+    "denyWrite": ["~/.ssh/**"],
+    "denyRead": ["~/.ssh/id_*", ".env"]
+  },
+  // Block dangerous commands
+  "command": {
+    "deny": ["git push", "npm publish"]
+  }
 }
 ```
 
-Use `greywall --settings ./custom.json` to specify a different config.
+Use `greywall --settings ./custom.json` to specify a different config file.
 
-### Import from Claude Code
+By default (when connected to GreyHaven), traffic routes through the GreyHaven SOCKS5 proxy at `localhost:42052` with DNS via `localhost:42053`.
-
-```bash
-greywall import --claude --save
-```
 
 ## Features
 
-- **Network isolation** - All outbound blocked by default; allowlist domains via config
+- **Transparent proxy** — All TCP/UDP traffic captured at the kernel level via tun2socks and routed through an external SOCKS5 proxy (Linux)
-- **Filesystem restrictions** - Control read/write access paths
+- **Network isolation** — All outbound blocked by default; traffic only flows when a proxy is available
-- **Command blocking** - Deny dangerous commands like `rm -rf /`, `git push`
+- **Filesystem restrictions** — Deny-by-default read mode, controlled write paths, sensitive file protection
-- **SSH Command Filtering** - Control which hosts and commands are allowed over SSH
+- **Learning mode** — Trace filesystem access with strace and auto-generate config templates
-- **Built-in templates** - Pre-configured rulesets for common workflows
+- **Command blocking** — Deny dangerous commands (`rm -rf /`, `git push`, `shutdown`, etc.)
-- **Violation monitoring** - Real-time logging of blocked requests (`-m`)
+- **SSH filtering** — Control which hosts and commands are allowed over SSH
-- **Cross-platform** - macOS (sandbox-exec) + Linux (bubblewrap)
+- **Environment hardening** — Strips dangerous env vars (`LD_PRELOAD`, `DYLD_*`, etc.)
+- **Violation monitoring** — Real-time logging of sandbox violations (`-m`)
+- **Shell completions** — `greywall completion bash|zsh|fish|powershell`
+- **Cross-platform** — Linux (bubblewrap + seccomp + Landlock + eBPF) and macOS (sandbox-exec)
 
-Greywall can be used as a Go package or CLI tool.
+Greywall can also be used as a [Go package](docs/library.md).
 
 ## Documentation
 
-- [Index](/docs/README.md)
+- [Documentation Index](docs/README.md)
 - [Quickstart Guide](docs/quickstart.md)
+- [Why Greywall](docs/why-greywall.md)
 - [Configuration Reference](docs/configuration.md)
 - [Security Model](docs/security-model.md)
 - [Architecture](ARCHITECTURE.md)
+- [Linux Security Features](docs/linux-security-features.md)
+- [AI Agent Integration](docs/agents.md)
 - [Library Usage (Go)](docs/library.md)
-- [Examples](examples/)
+- [Troubleshooting](docs/troubleshooting.md)
 
 ## Attribution
 

cmd/greywall/main.go

@@ -203,19 +203,20 @@ func runCommand(cmd *cobra.Command, args []string) error {
 
 		if templatePath != "" {
 			learnedCfg, loadErr := config.Load(templatePath)
-			if loadErr != nil {
+			switch {
+			case loadErr != nil:
 				if debug {
 					fmt.Fprintf(os.Stderr, "[greywall] Warning: failed to load learned template: %v\n", loadErr)
 				}
-			} else if learnedCfg != nil {
+			case learnedCfg != nil:
 				cfg = config.Merge(cfg, learnedCfg)
 				if debug {
 					fmt.Fprintf(os.Stderr, "[greywall] Auto-loaded learned template for %q\n", templateLabel)
 				}
-			} else if templateName != "" {
+			case templateName != "":
 				// Explicit --template but file doesn't exist
 				return fmt.Errorf("learned template %q not found at %s\nRun: greywall templates list", templateName, templatePath)
-			} else if cmdName != "" {
+			case cmdName != "":
 				// No template found for this command - suggest creating one
 				fmt.Fprintf(os.Stderr, "[greywall] No learned template for %q. Run with --learning to create one.\n", cmdName)
 			}
@@ -503,7 +504,7 @@ Examples:
 		RunE: func(cmd *cobra.Command, args []string) error {
 			name := args[0]
 			templatePath := sandbox.LearnedTemplatePath(name)
-			data, err := os.ReadFile(templatePath)
+			data, err := os.ReadFile(templatePath) //nolint:gosec // user-specified template path - intentional
 			if err != nil {
 				if os.IsNotExist(err) {
 					return fmt.Errorf("template %q not found\nRun: greywall templates list", name)

docs/experience.md

@@ -93,3 +93,29 @@ echo 'kernel.apparmor_restrict_unprivileged_userns=0' | sudo tee /etc/sysctl.d/9
 ```
 
 **Alternative:** Accept the limitation — greywall still works for filesystem sandboxing, seccomp, and Landlock. Network access is blocked outright rather than redirected through a proxy.
+
+---
+
+## Linux: symlinked system dirs invisible after `--tmpfs /`
+
+**Problem:** On merged-usr distros (Arch, Fedora, modern Ubuntu), `/bin`, `/sbin`, `/lib`, `/lib64` are symlinks (e.g., `/bin -> usr/bin`). When switching from `--ro-bind / /` to `--tmpfs /` for deny-by-default isolation, these symlinks don't exist in the empty root. The `canMountOver()` helper explicitly rejects symlinks, so `--ro-bind /bin /bin` was silently skipped. Result: `execvp /usr/bin/bash: No such file or directory` — bash exists at `/usr/bin/bash` but the dynamic linker at `/lib64/ld-linux-x86-64.so.2` can't be found because `/lib64` is missing.
+
+**Diagnosis:** The error message is misleading. `execvp` reports "No such file or directory" both when the binary is missing and when the ELF interpreter (dynamic linker) is missing. The actual binary `/usr/bin/bash` existed via the `/usr` bind-mount, but the symlink `/lib64 -> usr/lib` was gone.
+
+**Fix:** Check each system path with `isSymlink()` before mounting. Symlinks get `--symlink <target> <path>` (bwrap recreates the symlink inside the sandbox); real directories get `--ro-bind`. On Arch: `--symlink usr/bin /bin`, `--symlink usr/bin /sbin`, `--symlink usr/lib /lib`, `--symlink usr/lib /lib64`.
+
+---
+
+## Linux: Landlock denies reads on bind-mounted /dev/null
+
+**Problem:** To mask `.env` files inside CWD, the initial approach used `--ro-bind /dev/null <cwd>/.env`. Inside the sandbox, `.env` appeared as a character device (bind mounts preserve file type). Landlock's `LANDLOCK_ACCESS_FS_READ_FILE` right only covers regular files, not character devices. Result: `cat .env` returned "Permission denied" instead of empty content.
+
+**Fix:** Use an empty regular file (`/tmp/greywall/empty`, 0 bytes, mode 0444) as the mask source instead of `/dev/null`. Landlock sees a regular file and allows the read. The file is created once in a fixed location under the greywall temp dir.
+
+---
+
+## Linux: mandatory deny paths override sensitive file masks
+
+**Problem:** In deny-by-default mode, `buildDenyByDefaultMounts()` correctly masked `.env` with `--ro-bind /tmp/greywall/empty <cwd>/.env`. But later in `WrapCommandLinuxWithOptions()`, the mandatory deny paths section called `getMandatoryDenyPaths()` which included `.env` files (added for write protection). It then applied `--ro-bind <cwd>/.env <cwd>/.env`, binding the real file over the empty mask. bwrap applies mounts in order, so the later ro-bind undid the masking.
+
+**Fix:** Track paths already masked by `buildDenyByDefaultMounts()` in a set. Skip those paths in the mandatory deny section to preserve the empty-file overlay.

internal/config/config.go

@@ -36,7 +36,7 @@ type NetworkConfig struct {
 
 // FilesystemConfig defines filesystem restrictions.
 type FilesystemConfig struct {
-	DefaultDenyRead bool     `json:"defaultDenyRead,omitempty"` // If true, deny reads by default except system paths and AllowRead
+	DefaultDenyRead *bool    `json:"defaultDenyRead,omitempty"` // If nil or true, deny reads by default except system paths, CWD, and AllowRead
 	AllowRead       []string `json:"allowRead"`                 // Paths to allow reading (used when DefaultDenyRead is true)
 	DenyRead        []string `json:"denyRead"`
 	AllowWrite      []string `json:"allowWrite"`
@@ -44,6 +44,12 @@ type FilesystemConfig struct {
 	AllowGitConfig  bool     `json:"allowGitConfig,omitempty"`
 }
 
+// IsDefaultDenyRead returns whether deny-by-default read mode is enabled.
+// Defaults to true when not explicitly set (nil).
+func (f *FilesystemConfig) IsDefaultDenyRead() bool {
+	return f.DefaultDenyRead == nil || *f.DefaultDenyRead
+}
+
 // CommandConfig defines command restrictions.
 type CommandConfig struct {
 	Deny        []string `json:"deny"`
@@ -417,8 +423,8 @@ func Merge(base, override *Config) *Config {
 		},
 
 		Filesystem: FilesystemConfig{
-			// Boolean fields: true if either enables it
+			// Pointer field: override wins if set, otherwise base (nil = deny-by-default)
-			DefaultDenyRead: base.Filesystem.DefaultDenyRead || override.Filesystem.DefaultDenyRead,
+			DefaultDenyRead: mergeOptionalBool(base.Filesystem.DefaultDenyRead, override.Filesystem.DefaultDenyRead),
 
 			// Append slices
 			AllowRead:  mergeStrings(base.Filesystem.AllowRead, override.Filesystem.AllowRead),

internal/config/config_test.go

@@ -410,7 +410,7 @@ func TestMerge(t *testing.T) {
 	t.Run("merge defaultDenyRead and allowRead", func(t *testing.T) {
 		base := &Config{
 			Filesystem: FilesystemConfig{
-				DefaultDenyRead: true,
+				DefaultDenyRead: boolPtr(true),
 				AllowRead:       []string{"/home/user/project"},
 			},
 		}
@@ -421,13 +421,40 @@ func TestMerge(t *testing.T) {
 		}
 		result := Merge(base, override)
 
-		if !result.Filesystem.DefaultDenyRead {
+		if !result.Filesystem.IsDefaultDenyRead() {
-			t.Error("expected DefaultDenyRead to be true (from base)")
+			t.Error("expected IsDefaultDenyRead() to be true (from base)")
 		}
 		if len(result.Filesystem.AllowRead) != 2 {
 			t.Errorf("expected 2 allowRead paths, got %d: %v", len(result.Filesystem.AllowRead), result.Filesystem.AllowRead)
 		}
 	})
+
+	t.Run("defaultDenyRead nil defaults to true", func(t *testing.T) {
+		base := &Config{
+			Filesystem: FilesystemConfig{},
+		}
+		result := Merge(base, nil)
+		if !result.Filesystem.IsDefaultDenyRead() {
+			t.Error("expected IsDefaultDenyRead() to be true when nil (deny-by-default)")
+		}
+	})
+
+	t.Run("defaultDenyRead explicit false overrides", func(t *testing.T) {
+		base := &Config{
+			Filesystem: FilesystemConfig{
+				DefaultDenyRead: boolPtr(true),
+			},
+		}
+		override := &Config{
+			Filesystem: FilesystemConfig{
+				DefaultDenyRead: boolPtr(false),
+			},
+		}
+		result := Merge(base, override)
+		if result.Filesystem.IsDefaultDenyRead() {
+			t.Error("expected IsDefaultDenyRead() to be false (override explicit false)")
+		}
+	})
 }
 
 func boolPtr(b bool) *bool {

internal/sandbox/dangerous.go

@@ -28,6 +28,30 @@ var DangerousDirectories = []string{
 	".claude/agents",
 }
 
+// SensitiveProjectFiles lists files within the project directory that should be
+// denied for both read and write access. These commonly contain secrets.
+var SensitiveProjectFiles = []string{
+	".env",
+	".env.local",
+	".env.development",
+	".env.production",
+	".env.staging",
+	".env.test",
+}
+
+// GetSensitiveProjectPaths returns concrete paths for sensitive files within the
+// given directory. Only returns paths for files that actually exist.
+func GetSensitiveProjectPaths(cwd string) []string {
+	var paths []string
+	for _, f := range SensitiveProjectFiles {
+		p := filepath.Join(cwd, f)
+		if _, err := os.Stat(p); err == nil {
+			paths = append(paths, p)
+		}
+	}
+	return paths
+}
+
 // GetDefaultWritePaths returns system paths that should be writable for commands to work.
 func GetDefaultWritePaths() []string {
 	home, _ := os.UserHomeDir()

internal/sandbox/integration_test.go

@@ -123,10 +123,14 @@ func assertContains(t *testing.T, haystack, needle string) {
 // ============================================================================
 
 // testConfig creates a test configuration with sensible defaults.
+// Uses legacy mode (defaultDenyRead=false) for predictable testing of
+// existing integration tests. Use testConfigDenyByDefault() for tests
+// that specifically test deny-by-default behavior.
 func testConfig() *config.Config {
 	return &config.Config{
 		Network: config.NetworkConfig{},
 		Filesystem: config.FilesystemConfig{
+			DefaultDenyRead: boolPtr(false), // Legacy mode for existing tests
 			DenyRead:        []string{},
 			AllowWrite:      []string{},
 			DenyWrite:       []string{},

internal/sandbox/learning.go

@@ -87,6 +87,43 @@ func GenerateLearnedTemplate(straceLogPath, cmdName string, debug bool) (string,
 		allowWrite = append(allowWrite, toTildePath(p, home))
 	}
 
+	// Filter read paths: remove system defaults, CWD subtree, and sensitive paths
+	cwd, _ := os.Getwd()
+	var filteredReads []string
+	defaultReadable := GetDefaultReadablePaths()
+	for _, p := range result.ReadPaths {
+		// Skip system defaults
+		isDefault := false
+		for _, dp := range defaultReadable {
+			if p == dp || strings.HasPrefix(p, dp+"/") {
+				isDefault = true
+				break
+			}
+		}
+		if isDefault {
+			continue
+		}
+		// Skip CWD subtree (auto-included)
+		if cwd != "" && (p == cwd || strings.HasPrefix(p, cwd+"/")) {
+			continue
+		}
+		// Skip sensitive paths
+		if isSensitivePath(p, home) {
+			if debug {
+				fmt.Fprintf(os.Stderr, "[greywall] Skipping sensitive read path: %s\n", p)
+			}
+			continue
+		}
+		filteredReads = append(filteredReads, p)
+	}
+
+	// Collapse read paths and convert to tilde-relative
+	collapsedReads := CollapsePaths(filteredReads)
+	var allowRead []string
+	for _, p := range collapsedReads {
+		allowRead = append(allowRead, toTildePath(p, home))
+	}
+
 	// Convert read paths to tilde-relative for display
 	var readDisplay []string
 	for _, p := range result.ReadPaths {
@@ -103,6 +140,13 @@ func GenerateLearnedTemplate(straceLogPath, cmdName string, debug bool) (string,
 		}
 	}
 
+	if len(allowRead) > 0 {
+		fmt.Fprintf(os.Stderr, "[greywall] Additional read paths (beyond system + CWD):\n")
+		for _, p := range allowRead {
+			fmt.Fprintf(os.Stderr, "[greywall]   %s\n", p)
+		}
+	}
+
 	if len(allowWrite) > 1 { // >1 because "." is always included
 		fmt.Fprintf(os.Stderr, "[greywall] Discovered write paths (collapsed):\n")
 		for _, p := range allowWrite {
@@ -118,15 +162,15 @@ func GenerateLearnedTemplate(straceLogPath, cmdName string, debug bool) (string,
 	fmt.Fprintf(os.Stderr, "\n")
 
 	// Build template
-	template := buildTemplate(cmdName, allowWrite)
+	template := buildTemplate(cmdName, allowRead, allowWrite)
 
 	// Save template
 	templatePath := LearnedTemplatePath(cmdName)
-	if err := os.MkdirAll(filepath.Dir(templatePath), 0o755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(templatePath), 0o750); err != nil {
 		return "", fmt.Errorf("failed to create template directory: %w", err)
 	}
 
-	if err := os.WriteFile(templatePath, []byte(template), 0o644); err != nil {
+	if err := os.WriteFile(templatePath, []byte(template), 0o600); err != nil {
 		return "", fmt.Errorf("failed to write template: %w", err)
 	}
 
@@ -176,9 +220,15 @@ func CollapsePaths(paths []string) []string {
 		}
 	}
 
-	// For standalone paths, use their parent directory
+	// For standalone paths, use their parent directory — but never collapse to $HOME
 	for _, p := range standalone {
-		result = append(result, filepath.Dir(p))
+		parent := filepath.Dir(p)
+		if parent == home {
+			// Keep exact file path to avoid opening entire home directory
+			result = append(result, p)
+		} else {
+			result = append(result, parent)
+		}
 	}
 
 	// Sort and deduplicate (remove sub-paths of other paths)
@@ -255,11 +305,7 @@ func isSensitivePath(path, home string) bool {
 
 	// Check GPG
 	gnupgDir := filepath.Join(home, ".gnupg")
-	if strings.HasPrefix(path, gnupgDir+"/") {
+	return strings.HasPrefix(path, gnupgDir+"/")
-		return true
-	}
-
-	return false
 }
 
 // getDangerousFilePatterns returns denyWrite entries for DangerousFiles.
@@ -345,9 +391,18 @@ func deduplicateSubPaths(paths []string) []string {
 	return result
 }
 
+// getSensitiveProjectDenyPatterns returns denyRead entries for sensitive project files.
+func getSensitiveProjectDenyPatterns() []string {
+	return []string{
+		".env",
+		".env.*",
+	}
+}
+
 // buildTemplate generates the JSONC template content for a learned config.
-func buildTemplate(cmdName string, allowWrite []string) string {
+func buildTemplate(cmdName string, allowRead, allowWrite []string) string {
 	type fsConfig struct {
+		AllowRead  []string `json:"allowRead,omitempty"`
 		AllowWrite []string `json:"allowWrite"`
 		DenyWrite  []string `json:"denyWrite"`
 		DenyRead   []string `json:"denyRead"`
@@ -356,11 +411,15 @@ func buildTemplate(cmdName string, allowWrite []string) string {
 		Filesystem fsConfig `json:"filesystem"`
 	}
 
+	// Combine sensitive read patterns with .env project patterns
+	denyRead := append(getSensitiveReadPatterns(), getSensitiveProjectDenyPatterns()...)
+
 	cfg := templateConfig{
 		Filesystem: fsConfig{
+			AllowRead:  allowRead,
 			AllowWrite: allowWrite,
 			DenyWrite:  getDangerousFilePatterns(),
-			DenyRead:   getSensitiveReadPatterns(),
+			DenyRead:   denyRead,
 		},
 	}
 

internal/sandbox/learning_linux.go

@@ -41,7 +41,7 @@ func ParseStraceLog(logPath string, debug bool) (*StraceResult, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to open strace log: %w", err)
 	}
-	defer f.Close()
+	defer func() { _ = f.Close() }()
 
 	home, _ := os.UserHomeDir()
 	seenWrite := make(map[string]bool)

internal/sandbox/learning_linux_test.go

@@ -127,7 +127,7 @@ func TestParseStraceLog(t *testing.T) {
 	}, "\n")
 
 	logFile := filepath.Join(t.TempDir(), "strace.log")
-	if err := os.WriteFile(logFile, []byte(logContent), 0o644); err != nil {
+	if err := os.WriteFile(logFile, []byte(logContent), 0o600); err != nil {
 		t.Fatal(err)
 	}
 

internal/sandbox/learning_test.go

@@ -70,14 +70,13 @@ func TestFindApplicationDirectory(t *testing.T) {
 
 func TestCollapsePaths(t *testing.T) {
 	// Temporarily override home for testing
-	origHome := os.Getenv("HOME")
+	t.Setenv("HOME", "/home/testuser")
-	os.Setenv("HOME", "/home/testuser")
-	defer os.Setenv("HOME", origHome)
 
 	tests := []struct {
 		name        string
 		paths       []string
 		contains    []string // paths that should be in the result
+		notContains []string // paths that must NOT be in the result
 	}{
 		{
 			name: "multiple paths under same app dir",
@@ -111,6 +110,33 @@ func TestCollapsePaths(t *testing.T) {
 				"/home/testuser/.config/opencode",
 			},
 		},
+		{
+			name: "files directly under home stay as exact paths",
+			paths: []string{
+				"/home/testuser/.gitignore",
+				"/home/testuser/.npmrc",
+			},
+			contains: []string{
+				"/home/testuser/.gitignore",
+				"/home/testuser/.npmrc",
+			},
+			notContains: []string{"/home/testuser"},
+		},
+		{
+			name: "mix of home files and app dir paths",
+			paths: []string{
+				"/home/testuser/.gitignore",
+				"/home/testuser/.cache/opencode/db/main.sqlite",
+				"/home/testuser/.cache/opencode/version",
+				"/home/testuser/.npmrc",
+			},
+			contains: []string{
+				"/home/testuser/.gitignore",
+				"/home/testuser/.npmrc",
+				"/home/testuser/.cache/opencode",
+			},
+			notContains: []string{"/home/testuser"},
+		},
 	}
 
 	for _, tt := range tests {
@@ -134,6 +160,13 @@ func TestCollapsePaths(t *testing.T) {
 					t.Errorf("CollapsePaths() = %v, missing expected path %q", got, want)
 				}
 			}
+			for _, bad := range tt.notContains {
+				for _, g := range got {
+					if g == bad {
+						t.Errorf("CollapsePaths() = %v, should NOT contain %q", got, bad)
+					}
+				}
+			}
 		})
 	}
 }
@@ -284,9 +317,7 @@ func TestToTildePath(t *testing.T) {
 func TestListLearnedTemplates(t *testing.T) {
 	// Use a temp dir to isolate from real user config
 	tmpDir := t.TempDir()
-	origConfigDir := os.Getenv("XDG_CONFIG_HOME")
+	t.Setenv("XDG_CONFIG_HOME", tmpDir)
-	os.Setenv("XDG_CONFIG_HOME", tmpDir)
-	defer os.Setenv("XDG_CONFIG_HOME", origConfigDir)
 
 	// Initially empty
 	templates, err := ListLearnedTemplates()
@@ -299,10 +330,18 @@ func TestListLearnedTemplates(t *testing.T) {
 
 	// Create some templates
 	dir := LearnedTemplateDir()
-	os.MkdirAll(dir, 0o755)
+	if err := os.MkdirAll(dir, 0o750); err != nil {
-	os.WriteFile(filepath.Join(dir, "opencode.json"), []byte("{}"), 0o644)
+		t.Fatal(err)
-	os.WriteFile(filepath.Join(dir, "myapp.json"), []byte("{}"), 0o644)
+	}
-	os.WriteFile(filepath.Join(dir, "notjson.txt"), []byte(""), 0o644) // should be ignored
+	if err := os.WriteFile(filepath.Join(dir, "opencode.json"), []byte("{}"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "myapp.json"), []byte("{}"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "notjson.txt"), []byte(""), 0o600); err != nil {
+		t.Fatal(err)
+	}
 
 	templates, err = ListLearnedTemplates()
 	if err != nil {
@@ -325,8 +364,9 @@ func TestListLearnedTemplates(t *testing.T) {
 }
 
 func TestBuildTemplate(t *testing.T) {
+	allowRead := []string{"~/external-data"}
 	allowWrite := []string{".", "~/.cache/opencode", "~/.config/opencode"}
-	result := buildTemplate("opencode", allowWrite)
+	result := buildTemplate("opencode", allowRead, allowWrite)
 
 	// Check header comments
 	if !strings.Contains(result, `Learned template for "opencode"`) {
@@ -340,6 +380,12 @@ func TestBuildTemplate(t *testing.T) {
 	}
 
 	// Check content
+	if !strings.Contains(result, `"allowRead"`) {
+		t.Error("template missing allowRead field")
+	}
+	if !strings.Contains(result, `"~/external-data"`) {
+		t.Error("template missing expected allowRead path")
+	}
 	if !strings.Contains(result, `"allowWrite"`) {
 		t.Error("template missing allowWrite field")
 	}
@@ -352,14 +398,28 @@ func TestBuildTemplate(t *testing.T) {
 	if !strings.Contains(result, `"denyRead"`) {
 		t.Error("template missing denyRead field")
 	}
+	// Check .env patterns are included in denyRead
+	if !strings.Contains(result, `".env"`) {
+		t.Error("template missing .env in denyRead")
+	}
+	if !strings.Contains(result, `".env.*"`) {
+		t.Error("template missing .env.* in denyRead")
+	}
+}
+
+func TestBuildTemplateNoAllowRead(t *testing.T) {
+	result := buildTemplate("simple-cmd", nil, []string{"."})
+
+	// When allowRead is nil, it should be omitted from JSON
+	if strings.Contains(result, `"allowRead"`) {
+		t.Error("template should omit allowRead when nil")
+	}
 }
 
 func TestGenerateLearnedTemplate(t *testing.T) {
 	// Create a temp dir for templates
 	tmpDir := t.TempDir()
-	origConfigDir := os.Getenv("XDG_CONFIG_HOME")
+	t.Setenv("XDG_CONFIG_HOME", tmpDir)
-	os.Setenv("XDG_CONFIG_HOME", tmpDir)
-	defer os.Setenv("XDG_CONFIG_HOME", origConfigDir)
 
 	// Create a fake strace log
 	home, _ := os.UserHomeDir()
@@ -372,7 +432,7 @@ func TestGenerateLearnedTemplate(t *testing.T) {
 	}, "\n")
 
 	logFile := filepath.Join(tmpDir, "strace.log")
-	if err := os.WriteFile(logFile, []byte(logContent), 0o644); err != nil {
+	if err := os.WriteFile(logFile, []byte(logContent), 0o600); err != nil {
 		t.Fatal(err)
 	}
 
@@ -386,7 +446,7 @@ func TestGenerateLearnedTemplate(t *testing.T) {
 	}
 
 	// Read and verify template
-	data, err := os.ReadFile(templatePath)
+	data, err := os.ReadFile(templatePath) //nolint:gosec // reading test-generated template file
 	if err != nil {
 		t.Fatalf("failed to read template: %v", err)
 	}

internal/sandbox/linux.go

@@ -371,6 +371,12 @@ func getMandatoryDenyPaths(cwd string) []string {
 		paths = append(paths, p)
 	}
 
+	// Sensitive project files (e.g. .env) in cwd
+	for _, f := range SensitiveProjectFiles {
+		p := filepath.Join(cwd, f)
+		paths = append(paths, p)
+	}
+
 	// Git hooks in cwd
 	paths = append(paths, filepath.Join(cwd, ".git/hooks"))
 
@@ -389,6 +395,203 @@ func getMandatoryDenyPaths(cwd string) []string {
 	return paths
 }
 
+// buildDenyByDefaultMounts builds bwrap arguments for deny-by-default filesystem isolation.
+// Starts with --tmpfs / (empty root), then selectively mounts system paths read-only,
+// CWD read-write, and user tooling paths read-only. Sensitive files within CWD are masked.
+func buildDenyByDefaultMounts(cfg *config.Config, cwd string, debug bool) []string {
+	var args []string
+	home, _ := os.UserHomeDir()
+
+	// Start with empty root
+	args = append(args, "--tmpfs", "/")
+
+	// System paths (read-only) - on modern distros (Arch, Fedora, etc.),
+	// /bin, /sbin, /lib, /lib64 are often symlinks to /usr/*. We must
+	// recreate these as symlinks via --symlink so the dynamic linker
+	// and shell can be found. Real directories get bind-mounted.
+	systemPaths := []string{"/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc", "/opt", "/run"}
+	for _, p := range systemPaths {
+		if !fileExists(p) {
+			continue
+		}
+		if isSymlink(p) {
+			// Recreate the symlink inside the sandbox (e.g., /bin -> usr/bin)
+			target, err := os.Readlink(p)
+			if err == nil {
+				args = append(args, "--symlink", target, p)
+			}
+		} else {
+			args = append(args, "--ro-bind", p, p)
+		}
+	}
+
+	// /sys needs to be accessible for system info
+	if fileExists("/sys") && canMountOver("/sys") {
+		args = append(args, "--ro-bind", "/sys", "/sys")
+	}
+
+	// CWD: create intermediary dirs and bind read-write
+	if cwd != "" && fileExists(cwd) {
+		for _, dir := range intermediaryDirs("/", cwd) {
+			// Skip dirs that are already mounted as system paths
+			if isSystemMountPoint(dir) {
+				continue
+			}
+			args = append(args, "--dir", dir)
+		}
+		args = append(args, "--bind", cwd, cwd)
+	}
+
+	// User tooling paths from GetDefaultReadablePaths() (read-only)
+	// Filter out paths already mounted (system dirs, /dev, /proc, /tmp, macOS-specific)
+	if home != "" {
+		boundDirs := make(map[string]bool)
+		for _, p := range GetDefaultReadablePaths() {
+			// Skip system paths (already bound above), special mounts, and macOS paths
+			if isSystemMountPoint(p) || p == "/dev" || p == "/proc" || p == "/sys" ||
+				p == "/tmp" || p == "/private/tmp" ||
+				strings.HasPrefix(p, "/System") || strings.HasPrefix(p, "/Library") ||
+				strings.HasPrefix(p, "/Applications") || strings.HasPrefix(p, "/private/") ||
+				strings.HasPrefix(p, "/nix") || strings.HasPrefix(p, "/snap") ||
+				p == "/usr/local" || p == "/opt/homebrew" {
+				continue
+			}
+			if !strings.HasPrefix(p, home) {
+				continue // Only user tooling paths need intermediary dirs
+			}
+			if !fileExists(p) || !canMountOver(p) {
+				continue
+			}
+			// Create intermediary dirs between root and this path
+			for _, dir := range intermediaryDirs("/", p) {
+				if !boundDirs[dir] && !isSystemMountPoint(dir) && dir != cwd {
+					boundDirs[dir] = true
+					args = append(args, "--dir", dir)
+				}
+			}
+			args = append(args, "--ro-bind", p, p)
+		}
+
+		// Shell config files in home (read-only, literal files)
+		shellConfigs := []string{".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile", ".zshenv", ".inputrc"}
+		homeIntermedaryAdded := boundDirs[home]
+		for _, f := range shellConfigs {
+			p := filepath.Join(home, f)
+			if fileExists(p) && canMountOver(p) {
+				if !homeIntermedaryAdded {
+					for _, dir := range intermediaryDirs("/", home) {
+						if !boundDirs[dir] && !isSystemMountPoint(dir) {
+							boundDirs[dir] = true
+							args = append(args, "--dir", dir)
+						}
+					}
+					homeIntermedaryAdded = true
+				}
+				args = append(args, "--ro-bind", p, p)
+			}
+		}
+
+		// Home tool caches (read-only, for package managers/configs)
+		homeCaches := []string{".cache", ".npm", ".cargo", ".rustup", ".local", ".config"}
+		for _, d := range homeCaches {
+			p := filepath.Join(home, d)
+			if fileExists(p) && canMountOver(p) {
+				if !homeIntermedaryAdded {
+					for _, dir := range intermediaryDirs("/", home) {
+						if !boundDirs[dir] && !isSystemMountPoint(dir) {
+							boundDirs[dir] = true
+							args = append(args, "--dir", dir)
+						}
+					}
+					homeIntermedaryAdded = true
+				}
+				args = append(args, "--ro-bind", p, p)
+			}
+		}
+	}
+
+	// User-specified allowRead paths (read-only)
+	if cfg != nil && cfg.Filesystem.AllowRead != nil {
+		boundPaths := make(map[string]bool)
+
+		expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowRead)
+		for _, p := range expandedPaths {
+			if fileExists(p) && canMountOver(p) &&
+				!strings.HasPrefix(p, "/dev/") && !strings.HasPrefix(p, "/proc/") && !boundPaths[p] {
+				boundPaths[p] = true
+				// Create intermediary dirs if needed.
+				// For files, only create dirs up to the parent to avoid
+				// creating a directory at the file's path.
+				dirTarget := p
+				if !isDirectory(p) {
+					dirTarget = filepath.Dir(p)
+				}
+				for _, dir := range intermediaryDirs("/", dirTarget) {
+					if !isSystemMountPoint(dir) {
+						args = append(args, "--dir", dir)
+					}
+				}
+				args = append(args, "--ro-bind", p, p)
+			}
+		}
+		for _, p := range cfg.Filesystem.AllowRead {
+			normalized := NormalizePath(p)
+			if !ContainsGlobChars(normalized) && fileExists(normalized) && canMountOver(normalized) &&
+				!strings.HasPrefix(normalized, "/dev/") && !strings.HasPrefix(normalized, "/proc/") && !boundPaths[normalized] {
+				boundPaths[normalized] = true
+				dirTarget := normalized
+				if !isDirectory(normalized) {
+					dirTarget = filepath.Dir(normalized)
+				}
+				for _, dir := range intermediaryDirs("/", dirTarget) {
+					if !isSystemMountPoint(dir) {
+						args = append(args, "--dir", dir)
+					}
+				}
+				args = append(args, "--ro-bind", normalized, normalized)
+			}
+		}
+	}
+
+	// Mask sensitive project files within CWD by overlaying an empty regular file.
+	// We use an empty file instead of /dev/null because Landlock's READ_FILE right
+	// doesn't cover character devices, causing "Permission denied" on /dev/null mounts.
+	if cwd != "" {
+		var emptyFile string
+		for _, f := range SensitiveProjectFiles {
+			p := filepath.Join(cwd, f)
+			if fileExists(p) {
+				if emptyFile == "" {
+					emptyFile = filepath.Join(os.TempDir(), "greywall", "empty")
+					_ = os.MkdirAll(filepath.Dir(emptyFile), 0o750)
+					_ = os.WriteFile(emptyFile, nil, 0o444) //nolint:gosec // intentionally world-readable empty file for bind-mount masking
+				}
+				args = append(args, "--ro-bind", emptyFile, p)
+				if debug {
+					fmt.Fprintf(os.Stderr, "[greywall:linux] Masking sensitive file: %s\n", p)
+				}
+			}
+		}
+	}
+
+	return args
+}
+
+// isSystemMountPoint returns true if the path is a top-level system directory
+// that gets mounted directly under --tmpfs / (bwrap auto-creates these).
+func isSystemMountPoint(path string) bool {
+	switch path {
+	case "/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc", "/opt", "/run", "/sys",
+		"/dev", "/proc", "/tmp",
+		// macOS
+		"/System", "/Library", "/Applications", "/private",
+		// Package managers
+		"/nix", "/snap", "/usr/local", "/opt/homebrew":
+		return true
+	}
+	return false
+}
+
 // WrapCommandLinux wraps a command with Linux bubblewrap sandbox.
 // It uses available security features (Landlock, seccomp) with graceful fallback.
 func WrapCommandLinux(cfg *config.Config, command string, proxyBridge *ProxyBridge, dnsBridge *DnsBridge, reverseBridge *ReverseBridge, tun2socksPath string, debug bool) (string, error) {
@@ -478,54 +681,29 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 			bwrapArgs = append(bwrapArgs, "--bind", cwd, cwd)
 		}
 
+		// Make XDG_RUNTIME_DIR writable so dconf and other runtime services
+		// (Wayland, PulseAudio, D-Bus) work inside the sandbox.
+		// Writes to /run/ are already filtered out by the learning parser.
+		xdgRuntime := os.Getenv("XDG_RUNTIME_DIR")
+		if xdgRuntime != "" && fileExists(xdgRuntime) {
+			bwrapArgs = append(bwrapArgs, "--bind", xdgRuntime, xdgRuntime)
 		}
 
-	defaultDenyRead := cfg != nil && cfg.Filesystem.DefaultDenyRead
+	}
 
-	if opts.Learning {
+	defaultDenyRead := cfg != nil && cfg.Filesystem.IsDefaultDenyRead()
+
+	switch {
+	case opts.Learning:
 		// Skip defaultDenyRead logic in learning mode (already set up above)
-	} else if defaultDenyRead {
+	case defaultDenyRead:
-		// In defaultDenyRead mode, we only bind essential system paths read-only
+		// Deny-by-default mode: start with empty root, then whitelist system paths + CWD
-		// and user-specified allowRead paths. Everything else is inaccessible.
 		if opts.Debug {
-			fmt.Fprintf(os.Stderr, "[greywall:linux] DefaultDenyRead mode enabled - binding only essential system paths\n")
+			fmt.Fprintf(os.Stderr, "[greywall:linux] DefaultDenyRead mode enabled - tmpfs root with selective mounts\n")
 		}
-
+		bwrapArgs = append(bwrapArgs, buildDenyByDefaultMounts(cfg, cwd, opts.Debug)...)
-		// Bind essential system paths read-only
+	default:
-		// Skip /dev, /proc, /tmp as they're mounted with special options below
+		// Legacy mode: bind entire root filesystem read-only
-		for _, systemPath := range GetDefaultReadablePaths() {
-			if systemPath == "/dev" || systemPath == "/proc" || systemPath == "/tmp" ||
-				systemPath == "/private/tmp" {
-				continue
-			}
-			if fileExists(systemPath) {
-				bwrapArgs = append(bwrapArgs, "--ro-bind", systemPath, systemPath)
-			}
-		}
-
-		// Bind user-specified allowRead paths
-		if cfg != nil && cfg.Filesystem.AllowRead != nil {
-			boundPaths := make(map[string]bool)
-
-			expandedPaths := ExpandGlobPatterns(cfg.Filesystem.AllowRead)
-			for _, p := range expandedPaths {
-				if fileExists(p) && !strings.HasPrefix(p, "/dev/") && !strings.HasPrefix(p, "/proc/") && !boundPaths[p] {
-					boundPaths[p] = true
-					bwrapArgs = append(bwrapArgs, "--ro-bind", p, p)
-				}
-			}
-			// Add non-glob paths
-			for _, p := range cfg.Filesystem.AllowRead {
-				normalized := NormalizePath(p)
-				if !ContainsGlobChars(normalized) && fileExists(normalized) &&
-					!strings.HasPrefix(normalized, "/dev/") && !strings.HasPrefix(normalized, "/proc/") && !boundPaths[normalized] {
-					boundPaths[normalized] = true
-					bwrapArgs = append(bwrapArgs, "--ro-bind", normalized, normalized)
-				}
-			}
-		}
-	} else {
-		// Default mode: bind entire root filesystem read-only
 		bwrapArgs = append(bwrapArgs, "--ro-bind", "/", "/")
 	}
 
@@ -679,10 +857,20 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 		// subdirectory dangerous files without full tree walks that hang on large dirs.
 		mandatoryDeny := getMandatoryDenyPaths(cwd)
 
+		// In deny-by-default mode, sensitive project files are already masked
+		// with --ro-bind /dev/null by buildDenyByDefaultMounts(). Skip them here
+		// to avoid overriding the /dev/null mask with a real ro-bind.
+		maskedPaths := make(map[string]bool)
+		if defaultDenyRead {
+			for _, f := range SensitiveProjectFiles {
+				maskedPaths[filepath.Join(cwd, f)] = true
+			}
+		}
+
 		// Deduplicate
 		seen := make(map[string]bool)
 		for _, p := range mandatoryDeny {
-			if !seen[p] && fileExists(p) {
+			if !seen[p] && fileExists(p) && !maskedPaths[p] {
 				seen[p] = true
 				bwrapArgs = append(bwrapArgs, "--ro-bind", p, p)
 			}
@@ -750,7 +938,7 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 					// Supported by glibc, Go 1.21+, c-ares, and most DNS resolver libraries.
 					_, _ = tmpResolv.WriteString("nameserver 1.1.1.1\nnameserver 8.8.8.8\noptions use-vc\n")
 				}
-				tmpResolv.Close()
+				_ = tmpResolv.Close()
 				dnsRelayResolvConf = tmpResolv.Name()
 				bwrapArgs = append(bwrapArgs, "--ro-bind", dnsRelayResolvConf, "/etc/resolv.conf")
 				if opts.Debug {
@@ -898,7 +1086,8 @@ sleep 0.3
 	// after the main command exits; the user can Ctrl+C to stop it.
 	// A SIGCHLD trap kills strace once its direct child exits, handling
 	// the common case of background daemons (LSP servers, watchers).
-	if opts.Learning && opts.StraceLogPath != "" {
+	switch {
+	case opts.Learning && opts.StraceLogPath != "":
 		innerScript.WriteString(fmt.Sprintf(`# Learning mode: trace filesystem access (foreground for terminal access)
 strace -f -qq -I2 -e trace=openat,open,creat,mkdir,mkdirat,unlinkat,renameat,renameat2,symlinkat,linkat -o %s -- %s
 GREYWALL_STRACE_EXIT=$?
@@ -910,7 +1099,7 @@ exit $GREYWALL_STRACE_EXIT
 `,
 			ShellQuoteSingle(opts.StraceLogPath), command,
 		))
-	} else if useLandlockWrapper {
+	case useLandlockWrapper:
 		// Use Landlock wrapper if available
 		// Pass config via environment variable (serialized as JSON)
 		// This ensures allowWrite/denyWrite rules are properly applied
@@ -931,7 +1120,7 @@ exit $GREYWALL_STRACE_EXIT
 
 		// Use exec to replace bash with the wrapper (which will exec the command)
 		innerScript.WriteString(fmt.Sprintf("exec %s\n", ShellQuote(wrapperArgs)))
-	} else {
+	default:
 		innerScript.WriteString(command)
 		innerScript.WriteString("\n")
 	}

internal/sandbox/linux_features.go

@@ -370,7 +370,7 @@ func suggestInstallCmd(features *LinuxFeatures) string {
 }
 
 func readSysctl(name string) string {
-	data, err := os.ReadFile("/proc/sys/" + name)
+	data, err := os.ReadFile("/proc/sys/" + name) //nolint:gosec // reading sysctl values - trusted kernel path
 	if err != nil {
 		return ""
 	}

internal/sandbox/linux_landlock.go

@@ -81,19 +81,57 @@ func ApplyLandlockFromConfig(cfg *config.Config, cwd string, socketPaths []strin
 		}
 	}
 
-	// Current working directory - read access (may be upgraded to write below)
+	// Current working directory - read+write access (project directory)
 	if cwd != "" {
-		if err := ruleset.AllowRead(cwd); err != nil && debug {
+		if err := ruleset.AllowReadWrite(cwd); err != nil && debug {
-			fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add cwd read path: %v\n", err)
+			fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add cwd read/write path: %v\n", err)
 		}
 	}
 
-	// Home directory - read access
+	// Home directory - read access only when not in deny-by-default mode.
+	// In deny-by-default mode, only specific user tooling paths are allowed,
+	// not the entire home directory. Landlock can't selectively deny files
+	// within an allowed directory, so we rely on bwrap mount overlays for
+	// .env file masking.
+	defaultDenyRead := cfg != nil && cfg.Filesystem.IsDefaultDenyRead()
+	if !defaultDenyRead {
 		if home, err := os.UserHomeDir(); err == nil {
 			if err := ruleset.AllowRead(home); err != nil && debug {
 				fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add home read path: %v\n", err)
 			}
 		}
+	} else {
+		// In deny-by-default mode, allow specific user tooling paths
+		if home, err := os.UserHomeDir(); err == nil {
+			for _, p := range GetDefaultReadablePaths() {
+				if strings.HasPrefix(p, home) {
+					if err := ruleset.AllowRead(p); err != nil && debug {
+						fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add user tooling path %s: %v\n", p, err)
+					}
+				}
+			}
+			// Shell configs
+			shellConfigs := []string{".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile", ".zshenv", ".inputrc"}
+			for _, f := range shellConfigs {
+				p := filepath.Join(home, f)
+				if err := ruleset.AllowRead(p); err != nil && debug {
+					if !os.IsNotExist(err) {
+						fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add shell config %s: %v\n", p, err)
+					}
+				}
+			}
+			// Home caches
+			homeCaches := []string{".cache", ".npm", ".cargo", ".rustup", ".local", ".config"}
+			for _, d := range homeCaches {
+				p := filepath.Join(home, d)
+				if err := ruleset.AllowRead(p); err != nil && debug {
+					if !os.IsNotExist(err) {
+						fmt.Fprintf(os.Stderr, "[greywall:landlock] Warning: failed to add home cache %s: %v\n", p, err)
+					}
+				}
+			}
+		}
+	}
 
 	// /tmp - allow read+write (many programs need this)
 	if err := ruleset.AllowReadWrite("/tmp"); err != nil && debug {
@@ -163,7 +201,7 @@ type LandlockRuleset struct {
 func NewLandlockRuleset(debug bool) (*LandlockRuleset, error) {
 	features := DetectLinuxFeatures()
 	if !features.CanUseLandlock() {
-		return nil, fmt.Errorf("Landlock not available (kernel %d.%d, need 5.13+)",
+		return nil, fmt.Errorf("landlock not available (kernel %d.%d, need 5.13+)",
 			features.KernelMajor, features.KernelMinor)
 	}
 
@@ -400,7 +438,7 @@ func (l *LandlockRuleset) addPathRule(path string, access uint64) error {
 // Apply applies the Landlock ruleset to the current process.
 func (l *LandlockRuleset) Apply() error {
 	if !l.initialized {
-		return fmt.Errorf("Landlock ruleset not initialized")
+		return fmt.Errorf("landlock ruleset not initialized")
 	}
 
 	// Set NO_NEW_PRIVS first (required for Landlock)

internal/sandbox/macos.go

@@ -37,6 +37,7 @@ type MacOSSandboxParams struct {
 	AllowLocalBinding       bool
 	AllowLocalOutbound      bool
 	DefaultDenyRead         bool
+	Cwd                     string // Current working directory (for deny-by-default CWD allowlisting)
 	ReadAllowPaths          []string
 	ReadDenyPaths           []string
 	WriteAllowPaths         []string
@@ -146,13 +147,13 @@ func getTmpdirParent() []string {
 }
 
 // generateReadRules generates filesystem read rules for the sandbox profile.
-func generateReadRules(defaultDenyRead bool, allowPaths, denyPaths []string, logTag string) []string {
+func generateReadRules(defaultDenyRead bool, cwd string, allowPaths, denyPaths []string, logTag string) []string {
 	var rules []string
 
 	if defaultDenyRead {
 		// When defaultDenyRead is enabled:
 		// 1. Allow file-read-metadata globally (needed for directory traversal, stat, etc.)
-		// 2. Allow file-read-data only for system paths + user-specified allowRead paths
+		// 2. Allow file-read-data only for system paths + CWD + user-specified allowRead paths
 		// This lets programs see what files exist but not read their contents.
 
 		// Allow metadata operations globally (stat, readdir, etc.) and root dir (for path resolution)
@@ -167,6 +168,44 @@ func generateReadRules(defaultDenyRead bool, allowPaths, denyPaths []string, log
 			)
 		}
 
+		// Allow reading CWD (full recursive read access)
+		if cwd != "" {
+			rules = append(rules,
+				"(allow file-read-data",
+				fmt.Sprintf("  (subpath %s))", escapePath(cwd)),
+			)
+
+			// Allow ancestor directory traversal (literal only, so programs can resolve CWD path)
+			for _, ancestor := range getAncestorDirectories(cwd) {
+				rules = append(rules,
+					fmt.Sprintf("(allow file-read-data (literal %s))", escapePath(ancestor)),
+				)
+			}
+		}
+
+		// Allow home shell configs and tool caches (read-only)
+		home, _ := os.UserHomeDir()
+		if home != "" {
+			// Shell config files (literal access)
+			shellConfigs := []string{".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile", ".zshenv", ".inputrc"}
+			for _, f := range shellConfigs {
+				p := filepath.Join(home, f)
+				rules = append(rules,
+					fmt.Sprintf("(allow file-read-data (literal %s))", escapePath(p)),
+				)
+			}
+
+			// Home tool caches (subpath access for package managers/configs)
+			homeCaches := []string{".cache", ".npm", ".cargo", ".rustup", ".local", ".config", ".nvm", ".pyenv", ".rbenv", ".asdf"}
+			for _, d := range homeCaches {
+				p := filepath.Join(home, d)
+				rules = append(rules,
+					"(allow file-read-data",
+					fmt.Sprintf("  (subpath %s))", escapePath(p)),
+				)
+			}
+		}
+
 		// Allow reading data from user-specified paths
 		for _, pathPattern := range allowPaths {
 			normalized := NormalizePath(pathPattern)
@@ -184,6 +223,24 @@ func generateReadRules(defaultDenyRead bool, allowPaths, denyPaths []string, log
 				)
 			}
 		}
+
+		// Deny sensitive files within CWD (Seatbelt evaluates deny before allow)
+		if cwd != "" {
+			for _, f := range SensitiveProjectFiles {
+				p := filepath.Join(cwd, f)
+				rules = append(rules,
+					"(deny file-read*",
+					fmt.Sprintf("  (literal %s)", escapePath(p)),
+					fmt.Sprintf("  (with message %q))", logTag),
+				)
+			}
+			// Also deny .env.* pattern via regex
+			rules = append(rules,
+				"(deny file-read*",
+				fmt.Sprintf("  (regex %s)", escapePath("^"+regexp.QuoteMeta(cwd)+"/\\.env\\..*$")),
+				fmt.Sprintf("  (with message %q))", logTag),
+			)
+		}
 	} else {
 		// Allow all reads by default
 		rules = append(rules, "(allow file-read*)")
@@ -220,9 +277,19 @@ func generateReadRules(defaultDenyRead bool, allowPaths, denyPaths []string, log
 }
 
 // generateWriteRules generates filesystem write rules for the sandbox profile.
-func generateWriteRules(allowPaths, denyPaths []string, allowGitConfig bool, logTag string) []string {
+// When cwd is non-empty, it is automatically included in the write allow paths.
+func generateWriteRules(cwd string, allowPaths, denyPaths []string, allowGitConfig bool, logTag string) []string {
 	var rules []string
 
+	// Auto-allow CWD for writes (project directory should be writable)
+	if cwd != "" {
+		rules = append(rules,
+			"(allow file-write*",
+			fmt.Sprintf("  (subpath %s)", escapePath(cwd)),
+			fmt.Sprintf("  (with message %q))", logTag),
+		)
+	}
+
 	// Allow TMPDIR parent on macOS
 	for _, tmpdirParent := range getTmpdirParent() {
 		normalized := NormalizePath(tmpdirParent)
@@ -254,8 +321,11 @@ func generateWriteRules(allowPaths, denyPaths []string, allowGitConfig bool, log
 	}
 
 	// Combine user-specified and mandatory deny patterns
-	cwd, _ := os.Getwd()
+	mandatoryCwd := cwd
-	mandatoryDeny := GetMandatoryDenyPatterns(cwd, allowGitConfig)
+	if mandatoryCwd == "" {
+		mandatoryCwd, _ = os.Getwd()
+	}
+	mandatoryDeny := GetMandatoryDenyPatterns(mandatoryCwd, allowGitConfig)
 	allDenyPaths := make([]string, 0, len(denyPaths)+len(mandatoryDeny))
 	allDenyPaths = append(allDenyPaths, denyPaths...)
 	allDenyPaths = append(allDenyPaths, mandatoryDeny...)
@@ -530,14 +600,14 @@ func GenerateSandboxProfile(params MacOSSandboxParams) string {
 
 	// Read rules
 	profile.WriteString("; File read\n")
-	for _, rule := range generateReadRules(params.DefaultDenyRead, params.ReadAllowPaths, params.ReadDenyPaths, logTag) {
+	for _, rule := range generateReadRules(params.DefaultDenyRead, params.Cwd, params.ReadAllowPaths, params.ReadDenyPaths, logTag) {
 		profile.WriteString(rule + "\n")
 	}
 	profile.WriteString("\n")
 
 	// Write rules
 	profile.WriteString("; File write\n")
-	for _, rule := range generateWriteRules(params.WriteAllowPaths, params.WriteDenyPaths, params.AllowGitConfig, logTag) {
+	for _, rule := range generateWriteRules(params.Cwd, params.WriteAllowPaths, params.WriteDenyPaths, params.AllowGitConfig, logTag) {
 		profile.WriteString(rule + "\n")
 	}
 
@@ -562,6 +632,8 @@ func GenerateSandboxProfile(params MacOSSandboxParams) string {
 
 // WrapCommandMacOS wraps a command with macOS sandbox restrictions.
 func WrapCommandMacOS(cfg *config.Config, command string, exposedPorts []int, debug bool) (string, error) {
+	cwd, _ := os.Getwd()
+
 	// Build allow paths: default + configured
 	allowPaths := append(GetDefaultWritePaths(), cfg.Filesystem.AllowWrite...)
 
@@ -599,7 +671,8 @@ func WrapCommandMacOS(cfg *config.Config, command string, exposedPorts []int, de
 		AllowAllUnixSockets:     cfg.Network.AllowAllUnixSockets,
 		AllowLocalBinding:       allowLocalBinding,
 		AllowLocalOutbound:      allowLocalOutbound,
-		DefaultDenyRead:         cfg.Filesystem.DefaultDenyRead,
+		DefaultDenyRead:         cfg.Filesystem.IsDefaultDenyRead(),
+		Cwd:                     cwd,
 		ReadAllowPaths:          cfg.Filesystem.AllowRead,
 		ReadDenyPaths:           cfg.Filesystem.DenyRead,
 		WriteAllowPaths:         allowPaths,

internal/sandbox/macos_test.go

@@ -1,6 +1,7 @@
 package sandbox
 
 import (
+	"fmt"
 	"strings"
 	"testing"
 
@@ -108,7 +109,8 @@ func buildMacOSParamsForTest(cfg *config.Config) MacOSSandboxParams {
 		AllowAllUnixSockets:     cfg.Network.AllowAllUnixSockets,
 		AllowLocalBinding:       allowLocalBinding,
 		AllowLocalOutbound:      allowLocalOutbound,
-		DefaultDenyRead:         cfg.Filesystem.DefaultDenyRead,
+		DefaultDenyRead:         cfg.Filesystem.IsDefaultDenyRead(),
+		Cwd:                     "/tmp/test-project",
 		ReadAllowPaths:          cfg.Filesystem.AllowRead,
 		ReadDenyPaths:           cfg.Filesystem.DenyRead,
 		WriteAllowPaths:         allowPaths,
@@ -175,38 +177,46 @@ func TestMacOS_DefaultDenyRead(t *testing.T) {
 	tests := []struct {
 		name                      string
 		defaultDenyRead           bool
+		cwd                       string
 		allowRead                 []string
 		wantContainsBlanketAllow  bool
 		wantContainsMetadataAllow bool
 		wantContainsSystemAllows  bool
 		wantContainsUserAllowRead bool
+		wantContainsCwdAllow      bool
 	}{
 		{
-			name:                      "default mode - blanket allow read",
+			name:                      "legacy mode - blanket allow read",
 			defaultDenyRead:           false,
+			cwd:                       "/home/user/project",
 			allowRead:                 nil,
 			wantContainsBlanketAllow:  true,
 			wantContainsMetadataAllow: false,
 			wantContainsSystemAllows:  false,
 			wantContainsUserAllowRead: false,
+			wantContainsCwdAllow:      false,
 		},
 		{
-			name:                      "defaultDenyRead enabled - metadata allow, system data allows",
+			name:                      "defaultDenyRead enabled - metadata allow, system data allows, CWD allow",
 			defaultDenyRead:           true,
+			cwd:                       "/home/user/project",
 			allowRead:                 nil,
 			wantContainsBlanketAllow:  false,
 			wantContainsMetadataAllow: true,
 			wantContainsSystemAllows:  true,
 			wantContainsUserAllowRead: false,
+			wantContainsCwdAllow:      true,
 		},
 		{
 			name:                      "defaultDenyRead with allowRead paths",
 			defaultDenyRead:           true,
-			allowRead:                 []string{"/home/user/project"},
+			cwd:                       "/home/user/project",
+			allowRead:                 []string{"/home/user/other"},
 			wantContainsBlanketAllow:  false,
 			wantContainsMetadataAllow: true,
 			wantContainsSystemAllows:  true,
 			wantContainsUserAllowRead: true,
+			wantContainsCwdAllow:      true,
 		},
 	}
 
@@ -215,6 +225,7 @@ func TestMacOS_DefaultDenyRead(t *testing.T) {
 			params := MacOSSandboxParams{
 				Command:         "echo test",
 				DefaultDenyRead: tt.defaultDenyRead,
+				Cwd:             tt.cwd,
 				ReadAllowPaths:  tt.allowRead,
 			}
 
@@ -236,6 +247,13 @@ func TestMacOS_DefaultDenyRead(t *testing.T) {
 				t.Errorf("system path allows = %v, want %v\nProfile:\n%s", hasSystemAllows, tt.wantContainsSystemAllows, profile)
 			}
 
+			if tt.wantContainsCwdAllow && tt.cwd != "" {
+				hasCwdAllow := strings.Contains(profile, fmt.Sprintf(`(subpath %q)`, tt.cwd))
+				if !hasCwdAllow {
+					t.Errorf("CWD path %q not found in profile", tt.cwd)
+				}
+			}
+
 			if tt.wantContainsUserAllowRead && len(tt.allowRead) > 0 {
 				hasUserAllow := strings.Contains(profile, tt.allowRead[0])
 				if !hasUserAllow {

internal/sandbox/manager.go

@@ -78,7 +78,7 @@ func (m *Manager) Initialize() error {
 			bridge, err := NewProxyBridge(m.config.Network.ProxyURL, m.debug)
 			if err != nil {
 				if m.tun2socksPath != "" {
-					os.Remove(m.tun2socksPath)
+					_ = os.Remove(m.tun2socksPath)
 				}
 				return fmt.Errorf("failed to initialize proxy bridge: %w", err)
 			}
@@ -90,7 +90,7 @@ func (m *Manager) Initialize() error {
 				if err != nil {
 					m.proxyBridge.Cleanup()
 					if m.tun2socksPath != "" {
-						os.Remove(m.tun2socksPath)
+						_ = os.Remove(m.tun2socksPath)
 					}
 					return fmt.Errorf("failed to initialize DNS bridge: %w", err)
 				}
@@ -108,7 +108,7 @@ func (m *Manager) Initialize() error {
 					m.proxyBridge.Cleanup()
 				}
 				if m.tun2socksPath != "" {
-					os.Remove(m.tun2socksPath)
+					_ = os.Remove(m.tun2socksPath)
 				}
 				return fmt.Errorf("failed to initialize reverse bridge: %w", err)
 			}
@@ -166,7 +166,7 @@ func (m *Manager) wrapCommandLearning(command string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to create strace log file: %w", err)
 	}
-	tmpFile.Close()
+	_ = tmpFile.Close()
 	m.straceLogPath = tmpFile.Name()
 
 	m.logDebug("Strace log file: %s", m.straceLogPath)
@@ -193,7 +193,7 @@ func (m *Manager) GenerateLearnedTemplate(cmdName string) (string, error) {
 	}
 
 	// Clean up strace log since we've processed it
-	os.Remove(m.straceLogPath)
+	_ = os.Remove(m.straceLogPath)
 	m.straceLogPath = ""
 
 	return templatePath, nil
@@ -211,10 +211,10 @@ func (m *Manager) Cleanup() {
 		m.proxyBridge.Cleanup()
 	}
 	if m.tun2socksPath != "" {
-		os.Remove(m.tun2socksPath)
+		_ = os.Remove(m.tun2socksPath)
 	}
 	if m.straceLogPath != "" {
-		os.Remove(m.straceLogPath)
+		_ = os.Remove(m.straceLogPath)
 		m.straceLogPath = ""
 	}
 	m.logDebug("Sandbox manager cleaned up")

internal/sandbox/tun2socks_embed.go

@@ -38,14 +38,14 @@ func extractTun2Socks() (string, error) {
 	}
 
 	if _, err := tmpFile.Write(data); err != nil {
-		tmpFile.Close()
+		_ = tmpFile.Close()
-		os.Remove(tmpFile.Name())
+		_ = os.Remove(tmpFile.Name())
 		return "", fmt.Errorf("tun2socks: failed to write binary: %w", err)
 	}
-	tmpFile.Close()
+	_ = tmpFile.Close()
 
-	if err := os.Chmod(tmpFile.Name(), 0o755); err != nil {
+	if err := os.Chmod(tmpFile.Name(), 0o755); err != nil { //nolint:gosec // executable binary needs execute permission
-		os.Remove(tmpFile.Name())
+		_ = os.Remove(tmpFile.Name())
 		return "", fmt.Errorf("tun2socks: failed to make executable: %w", err)
 	}
 

scripts/release.sh

@@ -149,5 +149,5 @@ git push origin "$NEW_VERSION"
 
 echo ""
 info "✓ Released $NEW_VERSION"
-info "GitHub Actions will now build and publish the release."
+info "Gitea Actions will now build and publish the release."
 info "Watch progress at: https://gitea.app.monadical.io/monadical/greywall/actions"