diff --git a/.gitignore b/.gitignore
index c001316..d244026 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ target/
 # MSVC Windows builds of rustc generate these, which store debugging information
 *.pdb
 actionlint
+worktrees/
diff --git a/profiles/base.toml b/profiles/base.toml
index f180898..5db2c39 100644
--- a/profiles/base.toml
+++ b/profiles/base.toml
@@ -5,6 +5,7 @@ network_mode = "offline"
 [filesystem]
 allow_read = [
+    # System paths
     "/usr",
     "/bin",
     "/sbin",
@@ -21,8 +22,16 @@ allow_read = [
     "/var/run",
     "/tmp",
     "/dev",
+    # sx config
     "~/.config/sx",
-    "~/Library",
+    # ~/Library - allowlist only safe subdirectories (shift-left)
+    "~/Library/Caches/",
+    "~/Library/Preferences/",
+    "~/Library/Application Support/",
+    "~/Library/Logs/",
+    "~/Library/Frameworks/",
+    "~/Library/Keychains/", # Encrypted, requires Security framework ACL to access secrets
+    "~/Library/Developer/",
     # Shell config files (read-only)
     "~/.zshrc",
     "~/.zshenv",
@@ -32,6 +41,7 @@ allow_read = [
     "~/.profile",
     "~/.inputrc",
 ]
+# This enforce deny on critical path containing sensibles data even if user allow HOME directory in global config
 deny_read = [
     "~/.ssh",
     "~/.aws",
@@ -42,10 +52,8 @@ deny_read = [
 ]
 allow_write = [
     "/tmp",
-    "/private/var/folders",
-    "/private/var/run",
-    "/var/folders",
-    "/var/run"
+    "/private$TMPDIR", # Session-specific temp dir (canonical path)
+    "$TMPDIR", # Session-specific temp dir (symlink path)
 ]
 [shell]
diff --git a/profiles/claude.toml b/profiles/claude.toml
index e46dab3..c516fdc 100644
--- a/profiles/claude.toml
+++ b/profiles/claude.toml
@@ -6,6 +6,7 @@ network_mode = "online"
 allow_read = [
     "~/.claude",
     "~/.claude.json",
+    "~/.claude.lock",
     "~/.local/share/claude",
     "~/.local/bin/claude",
     "~/.CFUserTextEncoding",
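Review bot: Adding `~/Library/Keychains/` to the base allow_read list hands every profile built on base.toml raw read access to login.keychain-db, and the trailing comment covers only half of the risk: the secrets inside are encrypted, but the file itself can be copied out of the sandbox and brute-forced offline against the login password, which the Security framework ACL does nothing to prevent. `~/Library/Application Support/` is also far broader than "safe": browser profiles, chat clients and other apps keep session stores and cookie databases there, some of them not keychain-protected. I would move the Keychains entry out of base.toml into only the profiles that demonstrably hit a sandbox denial without it, and either narrow Application Support to the app directories a profile needs or add a deny_read entry for browser profile directories, e.g. `"~/Library/Application Support/Firefox",` (presumably deny_read overrides allow_read — confirm in the matcher). Whether the matcher treats the trailing slash as a directory prefix is not visible here; `~/.config/sx` has no trailing slash while every new Library entry does, so the two forms should be reconciled.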
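Review bot: The comment added above deny_read reads awkwardly and asserts a precedence rule (deny wins over a HOME-wide allow) that this file cannot demonstrate; it should state the intent plainly and mark the assumption, e.g. `# Always denied, even when a global config allows all of HOME: these paths hold credentials and keys (deny_read is expected to take precedence over allow_read).`. If the profile loader does not actually give deny_read priority over allow_read, the comment is a false promise, so confirm it against the matcher before merging.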
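Review bot: TOML has no variable interpolation, so `"/private$TMPDIR"` and `"$TMPDIR"` only work if the profile loader expands the variable itself, and if it does and TMPDIR is unset or empty (launchd jobs, CI, `env -i`), the first entry degenerates to `/private` — with prefix matching that is write access to all of /private/var and /private/etc — and the second to an empty prefix, the opposite of the narrowing this hunk intends. The loader should fail closed when a referenced variable is unset or empty rather than expanding it, and the profile should say what it relies on, e.g. `# $TMPDIR is expanded by the profile loader; an unset or empty TMPDIR must be a profile error, never "/private"`. Note also that the removed `/var/run` and `/private/var/run` write entries vanish without replacement, so anything creating sockets or pid files there will now be denied; if that is intended, a one-line comment saying so would save the next reader a bisect.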
@@ -15,7 +16,10 @@ allow_read = [
 allow_write = [
     "~/.claude",
     "~/.claude.json",
+    "~/.claude.lock",
+    "~/.local/share/claude",
     "~/Library/Caches/claude-cli-nodejs/",
+    "~/Library/Keychains/login.keychain-db", # OAuth token refresh
     "/private/tmp/claude*", # claude-UID directories (e.g. claude-501)
     "/private/tmp/zsh*", # When claude use zsh in bash it create dynamic tmp file
 ]
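Review bot: `~/Library/Keychains/login.keychain-db` in allow_write gives the agent process write access to the user's entire login keychain, not just its own OAuth item; a bug or a prompt-injected command that truncates or replaces that file takes every saved password with it, so the blast radius deserves to be stated next to the entry, e.g. `# OAuth token refresh — NOTE: grants write to the whole login keychain, not only the claude item`. If the Security framework performs the write through securityd rather than in the client process, the entry may be unnecessary; confirm with a sandbox denial log before keeping it, and consider a dedicated keychain or file-backed token store if the only need is one token. Separately, `"~/.local/share/claude"` has no trailing slash while `"~/Library/Caches/claude-cli-nodejs/"` does; whether the matcher treats these the same is not visible here, so the entries should use one form.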