diff --git a/packages/cli/src/utils/sandbox-macos-minimal.sb b/packages/cli/src/utils/sandbox-macos-minimal.sb
index c304b838..5a8b46dd 100644
--- a/packages/cli/src/utils/sandbox-macos-minimal.sb
+++ b/packages/cli/src/utils/sandbox-macos-minimal.sb
@@ -3,13 +3,14 @@
 ;; allow everything by default
 (allow default)
 
-;; deny all writes EXCEPT under project directory, temp directory, stdout/stderr and /dev/null
+;; deny all writes EXCEPT under specific paths
 (deny file-write*)
 (allow file-write*
 (subpath (param "TARGET_DIR"))
 (subpath (param "TMP_DIR"))
+(subpath (string-append (param "HOME_DIR") "/.gemini"))
+(subpath (string-append (param "HOME_DIR") "/.npm"))
 (literal "/dev/stdout")
 (literal "/dev/stderr")
 (literal "/dev/null")
-)
-
+)
\ No newline at end of file
diff --git a/packages/cli/src/utils/sandbox-macos-strict.sb b/packages/cli/src/utils/sandbox-macos-strict.sb
index 4c7c2df0..c477077f 100644
--- a/packages/cli/src/utils/sandbox-macos-strict.sb
+++ b/packages/cli/src/utils/sandbox-macos-strict.sb
@@ -66,6 +66,8 @@
 (allow file-write*
 (subpath (param "TARGET_DIR"))
 (subpath (param "TMP_DIR"))
+(subpath (string-append (param "HOME_DIR") "/.gemini"))
+(subpath (string-append (param "HOME_DIR") "/.npm"))
 (literal "/dev/stdout")
 (literal "/dev/stderr")
 (literal "/dev/null")
diff --git a/packages/cli/src/utils/sandbox.ts b/packages/cli/src/utils/sandbox.ts
index ef26792d..0f7e1e10 100644
--- a/packages/cli/src/utils/sandbox.ts
+++ b/packages/cli/src/utils/sandbox.ts
@@ -145,9 +145,11 @@ export async function start_sandbox(sandbox: string) {
 process.env.SEATBELT_PROFILE ??= 'minimal';
 const args = [
 '-D',
-`TARGET_DIR=${process.cwd()}`,
+`TARGET_DIR=${fs.realpathSync(process.cwd())}`,
 '-D',
 `TMP_DIR=${fs.realpathSync(os.tmpdir())}`,
+'-D',
+`HOME_DIR=${fs.realpathSync(os.homedir())}`,
 '-f',
 new URL(
 `sandbox-macos-${process.env.SEATBELT_PROFILE}.sb`,
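Review bot: The two new `subpath` entries widen the write allow-list from the project and temp directories to `$HOME/.gemini` and `$HOME/.npm`, which means anything running under the sandbox can now modify the CLI's own configuration tree and the npm cache that later `npm install` runs read from, and the replacement comment `;; deny all writes EXCEPT under specific paths` no longer tells a reader what those paths are or why they were added. Please keep the comment enumerating the set, e.g. `;; deny all writes EXCEPT under the project dir, temp dir, ~/.gemini (CLI state), ~/.npm (npm cache), stdout/stderr and /dev/null`, and add a one-line rationale for the two home-directory entries so the trade-off is recorded next to the rule. If the CLI only writes to particular subdirectories of `~/.gemini` or `~/.npm`, narrowing the `string-append` suffixes to those would keep the sandbox tighter. The same two lines are added to sandbox-macos-strict.sb in the next hunk, so whatever comment is chosen should go in both profiles.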
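Review bot: `fs.realpathSync(os.homedir())`, and now `fs.realpathSync(process.cwd())` on the changed TARGET_DIR line, throw ENOENT if the directory does not exist (for example `HOME` pointing at a removed path), so the sandbox launch would fail with a raw exception rather than a message naming the bad path; start_sandbox begins before and continues past this hunk, so I cannot see whether a surrounding try/catch reports this. The three `-D` definitions also carry no explanation of why the values are realpath-resolved, which matters because the `.sb` profiles match them with `subpath`; a short comment above `args` such as `// resolve symlinks (e.g. /var -> /private/var on macOS) so seatbelt 'subpath' rules match the paths processes actually open — presumably why TMP_DIR was already resolved` would record the intent. Since HOME_DIR is now a required parameter of both shipped profiles, a note that any custom `SEATBELT_PROFILE` must accept `TARGET_DIR`, `TMP_DIR` and `HOME_DIR` would help whoever adds a fourth profile.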