From 27d9db44a0f1abe8a404224c5634ceab45b4279b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christopher=20M=C3=BChl?= Date: Thu, 9 Apr 2026 21:18:10 +0200 Subject: [PATCH] feat(03-01): add SANDBOX.md generation and CLAUDE.md import check --- claudebox.sh | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/claudebox.sh b/claudebox.sh index 9ecd00e..5429ea3 100644 --- a/claudebox.sh +++ b/claudebox.sh @@ -101,6 +101,57 @@ CWD=$(pwd) # Ensure ~/.claudebox exists mkdir -p "$HOME/.claudebox" +# === Sandbox-aware prompting (AWARE-01, AWARE-02) === + +# Write SANDBOX.md -- fully managed, overwritten every launch (D-02) +cat > "$HOME/.claudebox/SANDBOX.md" << 'SANDBOXEOF' +# Sandbox Environment + +You are running inside a bubblewrap (bwrap) sandbox managed by claudebox. +Your filesystem is isolated -- only the current working directory and +essential system paths are mounted. + +## Installing Tools + +You have two ways to install tools on the fly: + +**Comma (preferred for quick one-off commands):** +`, ripgrep` runs ripgrep without permanent installation. Comma uses +nix-index to find the right package automatically. + +**Nix shell (for persistent access within the session):** +`nix shell nixpkgs#python3 -c python3 script.py` runs a command with +a package available. To keep it in your PATH for the session: +`nix shell nixpkgs#python3` then use `python3` normally. + +## Default Restrictions + +By default, the following are not mounted into the sandbox: +- SSH keys (~/.ssh) +- GPG and age keys (~/.gnupg, age key files) +- Cloud credentials (~/.aws, ~/.config/gcloud) +- Tailscale state + +If your setup has been customized, some of these may be available. + +## Git + +Your git identity (name and email) is pre-configured from the host. +The `safe.directory` setting trusts the mounted working directory. +For remote operations, prefer HTTPS URLs over SSH since SSH keys +are not available by default. +SANDBOXEOF + +# Ensure CLAUDE.md has @SANDBOX.md import (D-03, D-08, AWARE-01) +CLAUDEMD="$HOME/.claudebox/CLAUDE.md" +if [[ ! -f "$CLAUDEMD" ]]; then + printf '%s\n' "@SANDBOX.md" > "$CLAUDEMD" +elif [[ "$(head -1 "$CLAUDEMD")" != "@SANDBOX.md" ]]; then + tmp=$(mktemp) + { printf '%s\n' "@SANDBOX.md"; cat "$CLAUDEMD"; } > "$tmp" + mv "$tmp" "$CLAUDEMD" +fi + # Generate minimal .gitconfig (D-05) GIT_NAME=$(git config --global user.name 2>/dev/null || echo "Claude User") GIT_EMAIL=$(git config --global user.email 2>/dev/null || echo "claude@localhost")