/**
 * Seatbelt (macOS sandbox-exec)
 *
 * macOS built-in sandboxing using sandbox-exec with SBPL profiles.
 *
 * Important: Uses `-p` (inline profile) instead of `-f` (file) because
 * `-f` doesn't work reliably with path filters on modern macOS.
 *
 * Note on macOS sandbox limitations:
 * - `(allow file-read* (subpath ...))` only works WITH a preceding `(allow file-read*)`
 * - So for reads: allow all, then deny specific paths
 * - For writes: allow specific paths with subpath filters
 *
 * Based on the approach used by Claude Code's sandbox-runtime:
 * https://github.com/anthropic-experimental/sandbox-runtime
 */
import type { NativeSandboxConfig } from './types.js';
/**
 * Generate a seatbelt profile for the given configuration.
 *
 * The profile:
 * - Allows all file reads (can't restrict with subpath on macOS)
 * - Restricts file writes to workspace and temp directories
 * - Blocks network unless explicitly allowed
 *
 * @param workspacePath - The workspace directory to allow write access to
 * @param config - Additional sandbox configuration
 * @returns The generated SBPL profile content
 */
export declare function generateSeatbeltProfile(workspacePath: string, config: NativeSandboxConfig): string;
/**
 * Build the command arguments for sandbox-exec.
 *
 * Uses `-p` (inline profile) instead of `-f` (file) because
 * `-f` doesn't work reliably with path filters on modern macOS.
 *
 * @param command - The full shell command string to run
 * @param profile - The SBPL profile content (not a file path)
 * @returns Wrapped command and arguments for sandbox-exec
 */
export declare function buildSeatbeltCommand(command: string, profile: string): {
    command: string;
    args: string[];
};
//# sourceMappingURL=seatbelt.d.ts.map