Generate a custom macOS `sandbox-exec` profile for me, modeled on Agent Safehouse.

## Step 1: Inspect the real references first

Read these sources before you propose any profile:

- https://github.com/eugene1g/agent-safehouse/blob/main/profiles/00-base.sb
- https://github.com/eugene1g/agent-safehouse/blob/main/profiles/10-system-runtime.sb
- https://github.com/eugene1g/agent-safehouse/blob/main/profiles/20-network.sb
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/30-toolchains
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/40-shared
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/50-integrations-core
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/55-integrations-optional
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/60-agents
- https://github.com/eugene1g/agent-safehouse/tree/main/profiles/65-apps
- https://github.com/eugene1g/agent-safehouse/blob/main/bin/lib/bootstrap/source-manifest.sh
- https://github.com/eugene1g/agent-safehouse/blob/main/bin/lib/policy/request.sh
- https://github.com/eugene1g/agent-safehouse/blob/main/bin/lib/policy/plan.sh
- https://github.com/eugene1g/agent-safehouse/blob/main/bin/lib/policy/render.sh
- https://github.com/eugene1g/agent-safehouse/blob/main/bin/safehouse.sh

Use those as style and capability guides. Mirror the least-privilege patterns you find there. Do not invent a completely different structure.

## Step 2: Auto-detect as much as you can

Do not ask me a long questionnaire up front. Detect what you can first.

Detect:

- my absolute home directory path
- my current shell and the shell config file to edit
- installed toolchains such as Node, Bun, Python, uv, Go, Rust, and runtime managers
- installed agent CLIs such as Claude, Codex, Gemini, Aider, Cursor, and similar tools
- common machine-global dotfiles such as `~/.gitconfig`, `~/.gitignore_global`, `~/.npmrc`, `~/.yarnrc.yml`

Map detections to the matching Safehouse profile areas:

- `00-base.sb`
- `10-system-runtime.sb`
- `20-network.sb`
- only the relevant `30-toolchains/*.sb`
- `40-shared/agent-common.sb`
- the always-on `50-integrations-core/*.sb`
- only the needed `55` / `60` / `65` modules

## Step 3: Ask me one combined follow-up question

After detection, summarize what you found and ask one combined question that covers:

- which project directories should be read/write
- which extra paths, if any, should be read-only
- which paths, if any, should be explicitly denied
- anything detected that I want removed or added

Do not ask separate questions for HOME, shell, wrapper script, or toolchains unless detection failed.

## Step 4: Generate all outputs

Produce all of these in one response:

1. A complete `.sb` profile, default save path `~/.config/sandbox-exec/agent.sb`
2. A small wrapper script, if useful, default save path `~/.config/sandbox-exec/run-sandboxed.sh`
3. A clearly labeled shell snippet for my shell config
4. A short table explaining each access grant
5. A short verification checklist

## Requirements

- Start from deny-by-default.
- Do not grant my whole home directory unless I explicitly ask for it.
- Mirror Agent Safehouse's assembly order and comment style.
- Prefer `literal`, `prefix`, and narrow `subpath` rules over broad recursive grants.
- Keep global dotfile access minimal and explicit.
- Separate read-only grants from read/write grants.
- Use the HOME helper macros from `00-base.sb` for home-relative paths.
- Use ancestor `literal` read grants for every explicit directory you allow, following Safehouse's `emit_path_ancestor_literals()` behavior.
- Keep Docker sockets, SSH agent sockets, browser data, shell startup files, and other sensitive integrations denied unless the task clearly needs them.
- Keep the final profile commented and easy to audit.

## Wrapper behavior

If you generate a wrapper script, make it behave like this:

- accept an optional `--workdir=/path`
- resolve effective workdir as: explicit flag, then `pwd -P`
- generate the ancestor `literal` rules for that workdir at launch time
- generate the workdir read/write rules at launch time
- if the selected workdir is a git worktree root, snapshot the existing linked worktree paths at launch time and emit read-only grants for those sibling worktrees directly into the generated policy
- if the selected workdir is a linked git worktree root, grant its shared git common dir read/write access when that metadata lives outside the selected workdir
- write a temporary policy file, then run `sandbox-exec` with that file
- clean up temporary files with `trap`

Do not invent placeholder tokens such as `__SAFEHOUSE_WORKDIR__`. Do not rely on marker-based post-processing blocks. Generate the concrete workdir rules directly when the wrapper runs.

## Expected outputs

The result should usually look like this:

- one durable machine-local profile at `~/.config/sandbox-exec/agent.sb`
- one small wrapper that grants the current project directory
- one shell snippet that adds shortcuts such as `safe-claude`, `safe-codex`, or `safe-cursor`

Use the Safehouse references above to justify the structure, but output a self-contained result I can save directly.
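
The launch-time rule generation described under "Wrapper behavior", as an added example that is not part of the original prompt and is not Agent Safehouse's code. All function names and the `POLICY_FILE` variable are hypothetical; it assumes the base profile passed to `run_sandboxed` already starts from `(deny default)`, and it leaves out `--workdir` parsing and the git common dir grant.

```shell
# Added example, not Agent Safehouse code; function names are hypothetical.
# Fail closed: absolute paths only, no `"` or `\` that could end an SBPL string.
sb_path_ok() {
  case $1 in
    *'"'* | *\\*) return 1 ;;
    /*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read-only `literal` grant for "/" and each ancestor of $1 (not $1 itself).
emit_ancestor_literals() {
  local rest cur=''
  rest=$(dirname -- "$1"); rest=${rest#/}
  printf '(allow file-read* (literal "/"))\n'
  while [ -n "$rest" ]; do
    cur="$cur/${rest%%/*}"
    printf '(allow file-read* (literal "%s"))\n' "$cur"
    case $rest in */*) rest=${rest#*/} ;; *) rest='' ;; esac
  done
}

# Ancestor literals plus the read/write grant for the workdir itself.
emit_workdir_rules() {
  sb_path_ok "$1" || return 1
  emit_ancestor_literals "$1"
  printf '(allow file-read* file-write* (subpath "%s"))\n' "$1"
}

# stdin: `git worktree list --porcelain`; read-only grants for all but workdir $1.
emit_sibling_worktrees() {
  local line wt
  while IFS= read -r line; do
    case $line in 'worktree '*) wt=${line#worktree } ;; *) continue ;; esac
    [ "$wt" = "$1" ] && continue
    sb_path_ok "$wt" || continue
    emit_ancestor_literals "$wt"
    printf '(allow file-read* (subpath "%s"))\n' "$wt"
  done
}

# usage: run_sandboxed WORKDIR BASE_PROFILE COMMAND [ARGS...]
run_sandboxed() {
  local wd="$1" base="$2"; shift 2
  POLICY_FILE=$(mktemp "${TMPDIR:-/tmp}/agent-policy.XXXXXX") || return 1
  trap 'rm -f "$POLICY_FILE"' EXIT
  cat "$base" > "$POLICY_FILE" && emit_workdir_rules "$wd" >> "$POLICY_FILE" || return 1
  git -C "$wd" worktree list --porcelain 2>/dev/null | emit_sibling_worktrees "$wd" >> "$POLICY_FILE"
  sandbox-exec -f "$POLICY_FILE" "$@"
}
```

Pass the physical path from `pwd -P` as `WORKDIR`, as the wrapper spec requires, so the generated grants name the resolved directory rather than a symlink to it.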