Anyone have more understanding of how this is supposed to work , beyond the quick help "If enabled, the build system will sandbox user scripts to disallow undeclared input/output dependencies."? When I turned it on, one of my build scripts failed.
Operation not permitted error: Sandbox: bash(29174) deny(1) file-read-data
In this case, the input path is to a folder (a framework) and the output path is in the build directory. The paths are definitely correct, because the script accesses them as $SCRIPT_INPUT_FILE_0 and $SCRIPT_OUTPUT_FILE_0, so the script wouldn't work at all if I had an error in the paths.
I tried putting a slash at the end of an input path, and then the error was just "operation not permitted", without mentioning the sandbox.