fix(profile): allow Claude Code UID-suffixed tmp dirs and skills

[stefandeml]

Claude Code writes session data to /private/tmp/claude-501/ (with UID suffix) rather than /private/tmp/claude/. The previous literal path caused sandbox denials on file-write-create, making Claude hang when executing API calls (e.g. sx online claude -- claude -p "prompt").

Changes:

• Use glob /private/tmp/claude* to match UID-suffixed directories
• Add ~/.agents to allow_read for Claude skills/plugins access

[Pierozi]

I wanted to make the support of glob path but unfortunately it's not supported by Seatbelt.

[stefandeml]

Not sure I’m following.
"/private/tmp/zsh*" is already in there using a glob, right?
seatbelt.rs contains the glob-to-regex machinery.

[Pierozi]

Ah yes indeed I forgot that I finally added it with a "hack" of converting it to a regex.
Thanks for the change because for directory it's better to not have glob.

[Pierozi]

The folder and subfolder are already allowed. you can confirm it by running

sx claude -- ls -lh /private/tmp/claude/

Usually the hang are coming from MCP.

For full trace

sx --trace online claude -- claude --dangerously-skip-permissions -p "What is 2+3"
[sx:trace] Starting sandbox violation trace...
[sx:trace] [READ] file-read-data /private/tmp (2.1.25(55503))
[sx:trace] [READ] file-read-data /Applications/Pencil.app/Contents/Resources/app.asar.unpacked/out/mcp-server-darwin-arm64 (mcp-server-darwin-arm64(55528))
[sx:trace] [WRITE] file-write-create /Users/pierozi/.local/state/claude/locks/2.1.25.lock.tmp.55503.1769792503199 (2.1.25(55503))
[sx:trace] [READ] file-read-data /Users/pierozi/.cache/claude/staging (2.1.25(55503))
[sx:trace] [READ] file-read-data /Users/pierozi/.local/state/claude/locks (2.1.25(55503))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/config (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa.pub (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55546))
[sx:trace] [READ] file-read-data /private/tmp (2.1.25(55533))
[sx:trace] [READ] file-read-data /private/tmp (2.1.25(55532))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/known_hosts (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi (2.1.25(55503))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/known_hosts (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/known_hosts (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55546))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/config (ssh(55599))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55599))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa.pub (ssh(55599))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55599))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/known_hosts (ssh(55599))
[sx:trace] [READ] file-read-data /Users/pierozi/.ssh/id_rsa (ssh(55599))
5

[stefandeml]

Yeah, that folder obviously works.
But the issue is that 'claude' is not enough as parallel sessions create eg 'claude-001'.

[Pierozi]

remove only that because it's not related to Claude directly.

[stefandeml]

yeah I can delete. But many people these days just have symlinks form .claude to .agents to make sure things are picked up by opencode as well

[stefandeml]

deleted

[Pierozi]

Indeed I reproduced the issue. Strange that I did not encounter it before.
Thanks for contributing.