Feature Request: Support explicit deny read option

[youta1119]

Thank you for this great project!
Currently, cage allows read access to all paths by default, but there is no way to explicitly restrict read access to specific paths.
I would like to request explicit read deny option support.

Motivation

Within cage's sandbox, all files are readable by default. When using tools like Claude Code, users may want to prevent access to sensitive files such as .env, private keys, or credential files.

Proposed Changes

New flag

-deny <path>    Deny all access to specific paths (can be used multiple times)

Config file support

presets:
  my-preset:
    deny:
      - $HOME/.ssh
      - $HOME/.env

Platform implementation

macOS

Add deny rules to the sandbox profile using deny file-read* directive to restrict read access to denied paths.

Linux

The current Landlock-based implementation is whitelist-only, which makes it difficult to implement the deny option as-is. Implementing this feature may require switching the sandbox runtime to an alternative such as bubblewrap.

[Warashi]

Thank you for raising this feature request!

Previously, I closed this PR, which includes this feature, because I defined the cage not to restrict read ops.
ref; #79

But recently I want this feature in the cage, too.
I have no time to try to implement this for a while, so I'd be happy if you sent the PR.

[youta1119]

Thank you for the response! I'll try implementing this feature.

For Linux, I'm planning to use bubblewrap to implement the deny option. To maintain compatibility, the sandbox will fall back to bubblewrap only when deny options are specified. Let me know if you have any concerns.

[Warashi]

It's okay to go the way you wrote; I'll go the same way even when implementing it myself.