From 29996a2d4061edf21512cc0676d24a151fdae7c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20M=C3=BChl?=
Date: Tue, 28 Apr 2026 18:25:07 +0200
Subject: [PATCH] fix: resolve SSL cert symlinks before entering sandbox

On NixOS /etc/ssl/certs/ca-certificates.crt points through /etc/static which is not mounted. Resolve to the actual /nix/store path first.

Co-Authored-By: Claude Sonnet 4.6
---
 claudebox.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/claudebox.sh b/claudebox.sh
index 0b578fb..a763072 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -264,11 +264,14 @@ AUDIT_SANDBOX_VALS[SHELL]="$SANDBOX_BASH"
 AUDIT_SANDBOX_VALS[TMPDIR]="/tmp"
 AUDIT_SANDBOX_VALS[XDG_RUNTIME_DIR]="/tmp"
 
-# SSL cert path: prefer host NIX_SSL_CERT_FILE (NixOS sets this to a nix store path);
-# fall back to /etc/ssl/certs/ca-certificates.crt for non-NixOS hosts.
+# SSL cert path: resolve to real nix store path so symlinks work inside the sandbox.
+# On NixOS, /etc/ssl/certs/ca-certificates.crt -> /etc/static/ssl/... -> /nix/store/...
+# The sandbox mounts /nix/store but not /etc/static, so we must resolve before entering.
 _SSL_CERT_DEFAULT="/etc/ssl/certs/ca-certificates.crt"
 _NIX_SSL_CERT="${NIX_SSL_CERT_FILE:-$_SSL_CERT_DEFAULT}"
+_NIX_SSL_CERT="$(readlink -f "$_NIX_SSL_CERT" 2>/dev/null || echo "$_NIX_SSL_CERT")"
 _SSL_CERT="${SSL_CERT_FILE:-$_NIX_SSL_CERT}"
+_SSL_CERT="$(readlink -f "$_SSL_CERT" 2>/dev/null || echo "$_SSL_CERT")"
 ENV_ARGS+=(
   --setenv NIX_SSL_CERT_FILE "$_NIX_SSL_CERT"
   --setenv SSL_CERT_FILE "$_SSL_CERT"
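Review bot: The two added `readlink -f` lines never confirm that the resolved CA bundle actually exists and is readable, so a dangling symlink chain or a host whose bundle lives elsewhere still hands the sandbox a path to nothing and every TLS handshake inside fails with an opaque verification error rather than a message naming the cause; the `|| echo` fallback only covers a readlink that exits non-zero, which GNU readlink does not do when merely the last path component is missing. After the second resolution I would add `[[ -r "$_SSL_CERT" ]] || printf 'claudebox: CA bundle %s is not readable on the host; TLS verification in the sandbox will fail\n' "$_SSL_CERT" >&2` so the failure is visible before entering the sandbox (failing closed on verification is the right outcome, but it should be diagnosable). As a point of style, the resolve-or-keep expression is duplicated verbatim on both lines; a small helper such as `_resolve_path() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }` would also replace `echo` with `printf`, which is safer for values that begin with `-`. The `ENV_ARGS+=(` array assignment at the end of the hunk is closed outside it.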