fix: SHELL path, PATH isolation, --shell flag, nix-claude-code input

- Resolve SHELL to nix store bash path (was /bin/bash which doesn't exist in sandbox) - Inject clean SANDBOX_PATH via makeBinPath (was leaking entire host PATH) - Add --shell flag to drop into sandboxed bash for manual verification - Use nix-claude-code flake for claude-code binary instead of host PATH discovery Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 14:59:43 +02:00 · 2026-04-09 14:59:43 +02:00 · 613d015cc1
commit 613d015cc1
parent dd6742abef
3 changed files with 68 additions and 25 deletions
--- a/claudebox.sh
+++ b/claudebox.sh
@ -1,12 +1,17 @@
-# Resolve claude binary from host PATH (before clearenv strips it)
-CLAUDE_BIN=$(readlink -f "$(command -v claude)") || {
-  echo "error: claude not found in PATH" >&2
-  echo "Install Claude Code first: https://docs.anthropic.com/en/docs/claude-code" >&2
-  exit 1
-}
+# Parse claudebox flags
+SHELL_MODE=false
+for arg in "$@"; do
+  case "$arg" in
+    --shell) SHELL_MODE=true; shift; break ;;
+    --) shift; break ;;
+    *) break ;;
+  esac
+done

-# Capture sandbox PATH (runtimeInputs-constructed)
-SANDBOX_PATH="$PATH"
+# SANDBOX_PATH is injected by flake.nix via makeBinPath (only runtimeInputs, no host PATH)
+# Resolve binary paths from runtimeInputs
+SANDBOX_BASH="$(command -v bash)"
+CLAUDE_BIN="$(command -v claude)"

 # Record CWD
 CWD=$(pwd)
@ -35,7 +40,7 @@ ENV_ARGS=(
  --setenv HOME "$HOME"
  --setenv USER "$USER"
  --setenv PATH "$SANDBOX_PATH"
-  --setenv SHELL /bin/bash
+  --setenv SHELL "$SANDBOX_BASH"
  --setenv TMPDIR /tmp
  --setenv XDG_RUNTIME_DIR /tmp
  --setenv NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
@ -61,6 +66,13 @@ if [[ -v CLAUDEBOX_EXTRA_ENV ]]; then
  done
 fi

+# Build sandbox command
+if [[ "$SHELL_MODE" == true ]]; then
+  SANDBOX_CMD=("$SANDBOX_BASH" "$@")
+else
+  SANDBOX_CMD=("$CLAUDE_BIN" --dangerously-skip-permissions "$@")
+fi
+
 # exec bwrap (SAND-04 through SAND-15, UX-06, D-01)
 exec bwrap \
  --clearenv \
@ -85,4 +97,4 @@ exec bwrap \
  --ro-bind "$GITCONFIG_TMP" "$HOME/.gitconfig" \
  --bind "$CWD" "$CWD" \
  --chdir "$CWD" \
-  -- "$CLAUDE_BIN" --dangerously-skip-permissions "$@"
+  -- "${SANDBOX_CMD[@]}"
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,25 @@
 {
  "nodes": {
+    "nix-claude-code": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1775702549,
+        "narHash": "sha256-33oPZsvyI41U8ygJbzgb6+GkyAaKEyVUQ3VcFNckeJY=",
+        "owner": "ryoppippi",
+        "repo": "nix-claude-code",
+        "rev": "729a851a87d66cebc50953e9509602e28ecb9520",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryoppippi",
+        "repo": "nix-claude-code",
+        "type": "github"
+      }
+    },
    "nix-index-database": {
      "inputs": {
        "nixpkgs": [
@ -38,6 +58,7 @@
    },
    "root": {
      "inputs": {
+        "nix-claude-code": "nix-claude-code",
        "nix-index-database": "nix-index-database",
        "nixpkgs": "nixpkgs"
      }
--- a/flake.nix
+++ b/flake.nix
@ -3,35 +3,45 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    nix-claude-code = {
+      url = "github:ryoppippi/nix-claude-code";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

-  outputs = { self, nixpkgs, nix-index-database, ... }:
+  outputs = { self, nixpkgs, nix-claude-code, nix-index-database, ... }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
+      claude-code = nix-claude-code.packages.${system}.default;
      comma-with-db = nix-index-database.packages.${system}.comma-with-db;
+      runtimeDeps = [
+        pkgs.bubblewrap
+        pkgs.coreutils
+        pkgs.git
+        pkgs.curl
+        pkgs.jq
+        pkgs.ripgrep
+        pkgs.fd
+        pkgs.nix
+        comma-with-db
+        pkgs.bash
+        pkgs.nodejs
+        claude-code
+      ];
+      sandboxPath = pkgs.lib.makeBinPath runtimeDeps;
    in {
      packages.${system} = {
        claudebox = pkgs.writeShellApplication {
          name = "claudebox";
-          runtimeInputs = [
-            pkgs.bubblewrap
-            pkgs.coreutils
-            pkgs.git
-            pkgs.curl
-            pkgs.jq
-            pkgs.ripgrep
-            pkgs.fd
-            pkgs.nix
-            comma-with-db
-            pkgs.bash
-            pkgs.nodejs
-          ];
-          text = builtins.readFile ./claudebox.sh;
+          runtimeInputs = runtimeDeps;
+          text = ''
+            SANDBOX_PATH="${sandboxPath}"
+          '' + builtins.readFile ./claudebox.sh;
        };
        default = self.packages.${system}.claudebox;
      };