Implement config file parsing and precedence with CLI

src/cli.rs

@@ -0,0 +1,60 @@
+use std::ffi::OsString;
+use std::path::PathBuf;
+
+use clap::Parser;
+
+#[derive(Parser, Debug, Default)]
+#[command(
+    name = "agent-sandbox",
+    version,
+    about = "Sandbox agentic coding assistants with bubblewrap"
+)]
+pub struct Args {
+    /// Blacklist mode: bind / read-only, overlay sensitive paths (default)
+    #[arg(long, conflicts_with = "whitelist")]
+    pub blacklist: bool,
+
+    /// Whitelist mode: only explicitly listed minimal paths visible
+    #[arg(long)]
+    pub whitelist: bool,
+
+    /// Harden: unshare IPC, PID, UTS; private /tmp, /dev, /run
+    #[arg(long)]
+    pub hardened: bool,
+
+    /// Unshare the network namespace
+    #[arg(long)]
+    pub no_net: bool,
+
+    /// Bind an extra path read-write (repeatable)
+    #[arg(long = "rw", value_name = "PATH", action = clap::ArgAction::Append)]
+    pub extra_rw: Vec<PathBuf>,
+
+    /// Bind an extra path read-only (repeatable)
+    #[arg(long = "ro", value_name = "PATH", action = clap::ArgAction::Append)]
+    pub extra_ro: Vec<PathBuf>,
+
+    /// Print the bwrap command without executing
+    #[arg(long)]
+    pub dry_run: bool,
+
+    /// Working directory inside the sandbox (default: current directory)
+    #[arg(long, value_name = "PATH")]
+    pub chdir: Option<PathBuf>,
+
+    /// Use a named profile from the config file
+    #[arg(long, conflicts_with = "no_config")]
+    pub profile: Option<String>,
+
+    /// Path to config file (default: $XDG_CONFIG_HOME/agent-sandbox/config.toml)
+    #[arg(long = "config", value_name = "PATH")]
+    pub config_path: Option<PathBuf>,
+
+    /// Skip loading the config file entirely
+    #[arg(long)]
+    pub no_config: bool,
+
+    /// Command and arguments to run inside the sandbox
+    #[arg(trailing_var_arg = true, allow_hyphen_values = true)]
+    pub command_and_args: Vec<OsString>,
+}