diff --git a/claudebox.sh b/claudebox.sh index b3165a3..47bcb19 100644 --- a/claudebox.sh +++ b/claudebox.sh @@ -1,12 +1,17 @@ -# Resolve claude binary from host PATH (before clearenv strips it) -CLAUDE_BIN=$(readlink -f "$(command -v claude)") || { - echo "error: claude not found in PATH" >&2 - echo "Install Claude Code first: https://docs.anthropic.com/en/docs/claude-code" >&2 - exit 1 -} +# Parse claudebox flags +SHELL_MODE=false +for arg in "$@"; do + case "$arg" in + --shell) SHELL_MODE=true; shift; break ;; + --) shift; break ;; + *) break ;; + esac +done -# Capture sandbox PATH (runtimeInputs-constructed) -SANDBOX_PATH="$PATH" +# SANDBOX_PATH is injected by flake.nix via makeBinPath (only runtimeInputs, no host PATH) +# Resolve binary paths from runtimeInputs +SANDBOX_BASH="$(command -v bash)" +CLAUDE_BIN="$(command -v claude)" # Record CWD CWD=$(pwd) @@ -35,7 +40,7 @@ ENV_ARGS=( --setenv HOME "$HOME" --setenv USER "$USER" --setenv PATH "$SANDBOX_PATH" - --setenv SHELL /bin/bash + --setenv SHELL "$SANDBOX_BASH" --setenv TMPDIR /tmp --setenv XDG_RUNTIME_DIR /tmp --setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt @@ -61,6 +66,13 @@ if [[ -v CLAUDEBOX_EXTRA_ENV ]]; then done fi +# Build sandbox command +if [[ "$SHELL_MODE" == true ]]; then + SANDBOX_CMD=("$SANDBOX_BASH" "$@") +else + SANDBOX_CMD=("$CLAUDE_BIN" --dangerously-skip-permissions "$@") +fi + # exec bwrap (SAND-04 through SAND-15, UX-06, D-01) exec bwrap \ --clearenv \ @@ -85,4 +97,4 @@ exec bwrap \ --ro-bind "$GITCONFIG_TMP" "$HOME/.gitconfig" \ --bind "$CWD" "$CWD" \ --chdir "$CWD" \ - -- "$CLAUDE_BIN" --dangerously-skip-permissions "$@" + -- "${SANDBOX_CMD[@]}" diff --git a/flake.lock b/flake.lock index ab10279..d904c93 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "nix-claude-code": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1775702549, + "narHash": "sha256-33oPZsvyI41U8ygJbzgb6+GkyAaKEyVUQ3VcFNckeJY=", + "owner": "ryoppippi", + "repo": "nix-claude-code", + "rev": "729a851a87d66cebc50953e9509602e28ecb9520", + "type": "github" + }, + "original": { + "owner": "ryoppippi", + "repo": "nix-claude-code", + "type": "github" + } + }, "nix-index-database": { "inputs": { "nixpkgs": [ @@ -38,6 +58,7 @@ }, "root": { "inputs": { + "nix-claude-code": "nix-claude-code", "nix-index-database": "nix-index-database", "nixpkgs": "nixpkgs" } diff --git a/flake.nix b/flake.nix index 6408e27..362ee2a 100644 --- a/flake.nix +++ b/flake.nix @@ -3,35 +3,45 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + nix-claude-code = { + url = "github:ryoppippi/nix-claude-code"; + inputs.nixpkgs.follows = "nixpkgs"; + }; nix-index-database = { url = "github:nix-community/nix-index-database"; inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { self, nixpkgs, nix-index-database, ... }: + outputs = { self, nixpkgs, nix-claude-code, nix-index-database, ... }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; + claude-code = nix-claude-code.packages.${system}.default; comma-with-db = nix-index-database.packages.${system}.comma-with-db; + runtimeDeps = [ + pkgs.bubblewrap + pkgs.coreutils + pkgs.git + pkgs.curl + pkgs.jq + pkgs.ripgrep + pkgs.fd + pkgs.nix + comma-with-db + pkgs.bash + pkgs.nodejs + claude-code + ]; + sandboxPath = pkgs.lib.makeBinPath runtimeDeps; in { packages.${system} = { claudebox = pkgs.writeShellApplication { name = "claudebox"; - runtimeInputs = [ - pkgs.bubblewrap - pkgs.coreutils - pkgs.git - pkgs.curl - pkgs.jq - pkgs.ripgrep - pkgs.fd - pkgs.nix - comma-with-db - pkgs.bash - pkgs.nodejs - ]; - text = builtins.readFile ./claudebox.sh; + runtimeInputs = runtimeDeps; + text = '' + SANDBOX_PATH="${sandboxPath}" + '' + builtins.readFile ./claudebox.sh; }; default = self.packages.${system}.claudebox; };