feat(filesystem): add denyReadAlways for denies that beat allowRead

[smolyn]

Summary

Adds an optional filesystem.denyReadAlways: string[] schema field that emits read-deny rules with priority over allowRead. Designed to let users keep a broad allowRead (e.g. ~/src for cross-project work) while still blocking credential-style files (.env, ~/.aws/credentials, *.pem, …) inside.

Motivation

Today, read restrictions have two layers:

• denyRead — deny broad regions
• allowRead — re-allow within denied regions (wins over denyRead)

There is no way to express "deny X even though X is inside an allowed region." denyRead: ["~/src/**/.env*"] is silently overridden when allowRead: ["~/src"] is set, because generateReadRules (macos-sandbox-utils.ts:224-298) emits Seatbelt rules in allow → deny → allow order — last-match-wins makes allowRead the final word.

The write side already has the symmetric capability: denyWrite beats allowWrite via the existing denyWithinAllow channel (sandbox-config.ts:239-254). This PR adds the equivalent for reads.

Behavior

Rule list	Priority
denyReadAlways	highest — wins over allowRead and denyRead
allowRead (a.k.a. allowWithinDeny)	re-allows within denyRead
denyRead (a.k.a. denyOnly)	denies regions
(default)	allow

Example config:

{
  \"filesystem\": {
    \"denyRead\": [\"/Users\"],
    \"allowRead\": [\"~/src\"],
    \"denyReadAlways\": [
      \"/**/.env*\",
      \"/**/credentials\",
      \"/**/id_rsa*\",
      \"/**/id_ed25519*\"
    ]
  }
}

~/src/myproject/.env → blocked (denyReadAlways).
~/src/myproject/source.ts → allowed (allowRead beats denyRead).
~/Documents/note.md → blocked (denyRead /Users, no override).

Implementation

• src/sandbox/sandbox-config.ts — add denyReadAlways to FilesystemConfigSchema (optional, additive).
• src/sandbox/sandbox-schemas.ts — extend internal FsReadRestrictionConfig with denyAlways?: string[]; updated docstring to describe the three-layer model.
• src/sandbox/sandbox-manager.ts — plumb the field through getFsReadConfig and the customConfig override path, with the same Linux-glob-expansion treatment used for denyRead.
• src/sandbox/macos-sandbox-utils.ts — third pass in generateReadRules emitting (deny file-read* ...) after the allowWithinDeny loop so denies win. Also pass denyAlways paths to generateMoveBlockingRules so mv/rename cannot bypass.
• src/sandbox/linux-sandbox-utils.ts — third pass after the allowRead re-bind loop emitting --tmpfs <dir> or --ro-bind /dev/null <file>. Bubblewrap binds are applied in argument order, so later binds shadow earlier ones for the same destination.
• test/config-validation.test.ts — schema test confirming denyReadAlways validates.

+128 / -5 lines across 6 files. All additive — existing configs unaffected.

Glob anchoring note

Glob patterns are CWD-relative unless they start with / (the existing denyRead has the same behavior). The intended pattern for global credential matching is /**/.env*, which resolves to the regex ^/(.*/)?\.env[^/]*$. On Linux, broad globs like /**/.env* hit the existing "too broad" guard in expandGlobPattern and get skipped with a warning — same limitation as broad denyRead globs today. Linux users should narrow the patterns to e.g. ~/src/**/.env*.

Test plan

• pnpm exec tsc --noEmit clean
• test/config-validation.test.ts schema test passes
• End-to-end on macOS with srt --settings:
  • Created ~/src/srt-test/.env and ~/src/srt-test/regular.txt.
  • With allowRead: [\"~/src\"] only: both readable.
  • Added denyReadAlways: [\"/**/.env*\"]: .env blocked with EPERM, regular.txt still readable. ✓
• Linux integration verification (not run locally — would appreciate CI confirmation)

Dependency note

This branch stacks on #283 (allowAllDomains) — the PR diff currently includes both features. After #283 merges I'll rebase this branch onto fresh main so the diff shows only the denyReadAlways change.

🤖 Generated with Claude Code