fix: always allow localhost bind/inbound in macOS Seatbelt profile (#12)

On macOS, the Seatbelt sandbox denied network-bind and network-inbound
by default, requiring AllowLocalBinding to be set per-agent. This broke
OAuth login flows (e.g. Claude /login) which start a local callback
server on a random port.

On Linux, the isolated network namespace allows unrestricted local
binding. Align macOS behavior by always including localhost bind/inbound
rules. Outbound to localhost remains gated on AllowLocalOutbound.

Author: tito

internal/sandbox/macos.go

@@ -578,16 +578,17 @@ func GenerateSandboxProfile(params MacOSSandboxParams) string {
 	if !params.NeedsNetworkRestriction {
 		profile.WriteString("(allow network*)\n")
 	} else {
-		if params.AllowLocalBinding {
-			// Allow binding and inbound connections on localhost (for servers)
-			profile.WriteString(`(allow network-bind (local ip "localhost:*"))
+		// Always allow localhost binding and inbound connections.
+		// This matches Linux behavior where the isolated network namespace
+		// allows unrestricted local binding. Many tools need this for OAuth
+		// callbacks, MCP servers, dev servers, etc.
+		profile.WriteString(`(allow network-bind (local ip "localhost:*"))
 (allow network-inbound (local ip "localhost:*"))
 `)
-			// Process can make outbound connections to localhost
-			if params.AllowLocalOutbound {
-				profile.WriteString(`(allow network-outbound (local ip "localhost:*"))
+		// Process can make outbound connections to localhost
+		if params.AllowLocalOutbound {
+			profile.WriteString(`(allow network-outbound (local ip "localhost:*"))
 `)
-			}
 		}
 
 		if params.AllowAllUnixSockets {