On NixOS /etc/ssl/certs/ca-certificates.crt points through /etc/static
which is not mounted. Resolve to the actual /nix/store path first.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ~/.claudebox/env and <project>/.claudebox.env loaded at launch
- NIX_SSL_CERT_FILE passed from host instead of hardcoded path
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Rewrite mount architecture: direct ~/.claude bind replaces old ~/.claudebox symlink
- Per-project ~/.claude/projects/ isolation via SHA-256[:16] of canonical git root
- Worktree-aware canonical root resolution (git rev-parse --git-common-dir)
- --gc flag to remove stale instance dirs
- /bin/sh symlink fix for git hooks
- Auth credentials moved to ~/.claudebox/.credentials.json
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove ANTHROPIC_API_KEY from requirements (OAuth auth works without it)
- Add --gc flag to flags table
- Rewrite "How it works" to reflect direct ~/.claude bind + per-project overlay architecture
- Drop stale symlink/CLAUDE.md references
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Test 1: stale instance dir (project root gone) is removed
- Test 2: valid instance dir (project root exists) is preserved
- Test 3: empty projects/ dir produces GC complete: 0 instance(s) removed.
- Inline gc_instances definition for isolated testing (sed not in PATH)
- Canary check verifies gc_instances exists in claudebox.sh
- Add GC_MODE=false variable and --gc) case to flag parsing
- Define gc_instances() before --check block (callable before ANSI init)
- Add GC dispatch block after --check, before ANSI formatting (early exit)
- gc_instances iterates ~/.claudebox/projects/*/project-root, removes dirs
whose recorded root path no longer exists on disk
- Prints each removal and summary count to stderr (D-11, D-12, INST-04)
Claude Code hooks invoke /bin/sh which doesn't exist in the bwrap
sandbox. Symlink bash to /bin/sh alongside the existing /usr/bin/env
symlink so all hook-based tooling (GSD statusline, project hooks)
works correctly inside claudebox.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace --bind ~/.claudebox + --symlink with direct --bind ~/.claude ~/.claude
- Add compute_canonical_root() function using git rev-parse --git-common-dir
- Add per-project INSTANCE_DIR via sha256sum[:16] of canonical git root
- Overlay projects/ with per-project hash dir for isolated conversation history
- Overlay history.jsonl and SANDBOX.md as file-level bind mounts
- Update credential mount target from ~/.claudebox to ~/.claude
- Add CLAUDE_JSON_FILE (~/.claude.json) detection and conditional bind mount
- Remove stale CLAUDE.md injection logic (D-06: user's real CLAUDE.md used)
- Update dry-run block and print_audit to reflect new mount layout
- Update SANDBOX.md heredoc to remove ~/.claudebox reference
- Replace three-section audit with single unified list using [~]/[>]/[+] prefixes
- [~] green = sandbox-generated, [>] yellow = host allowlisted, [+] cyan = extra
- Prefixes are readable without color (accessibility requirement)
- PATH retains multiline indented display
- Add Mounts section: CWD, ~/.claude, and conditional credentials bind
- Add Network section: 'full (host network)' as Phase 6 placeholder
- All output to stderr, mask_value called for all env var values
- Add CREDS_FILE/CREDS_MOUNT detection after mkdir ~/.claudebox
- Conditional --bind in exec bwrap via BWRAP_ARGS array
- Mirror conditional bind in --dry-run display block
- Read-write mount (not ro-bind) for OAuth token refresh
- Silent skip when credentials file absent (no error/warning)
- Refactor exec bwrap to BWRAP_ARGS array for conditional mount support
Both paths now resolve inside the sandbox, so hook paths
and settings referencing ~/.claude work without fixups.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
