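# Flake for claudebox: packages the ./claudebox.sh wrapper together with the
# tools it is given on PATH, exposes a NixOS module from ./modules, and
# defines a parse-only check for the wrapper script.
{
  description = "claudebox - thin layer over Claude Code /sandbox with CIDR egress block";

  # NOTE(review): these URLs name a branch (nixpkgs-unstable) or a repository
  # default ref, so the revision actually built is whatever flake.lock records.
  # The lock file is not visible here - confirm it is committed and that lock
  # updates are reviewed, since two inputs are third-party repositories whose
  # outputs end up on the wrapper's PATH.
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

    # Source of the claude-code package; made to use this flake's nixpkgs
    # instead of its own pinned copy.
    nix-claude-code = {
      url = "github:ryoppippi/nix-claude-code";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    # Source of comma-with-db; likewise follows this flake's nixpkgs.
    nix-index-database = {
      url = "github:nix-community/nix-index-database";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { self, nixpkgs, nix-claude-code, nix-index-database, ... }:
    let
      # Only Linux systems are built.
      systems = [ "x86_64-linux" "aarch64-linux" ];
      # Builds an attribute set with one entry per system in `systems`.
      forAllSystems = nixpkgs.lib.genAttrs systems;
    in
    {
      packages = forAllSystems (system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
          claude-code = nix-claude-code.packages.${system}.default;
          comma-with-db = nix-index-database.packages.${system}.comma-with-db;

          # Everything claudebox.sh gets on PATH through runtimeInputs.
          # nftables and systemd are presumably what implements the egress
          # block named in the description - verify against claudebox.sh.
          # NOTE(review): comma-with-db can fetch and run programs that are
          # not installed; confirm that is intended for a sandbox wrapper and
          # that the script constrains where it is used.
          runtimeDeps = [
            claude-code
            comma-with-db
            pkgs.bash
            pkgs.coreutils
            pkgs.git
            pkgs.gnugrep
            pkgs.gnused
            pkgs.jq
            pkgs.nix
            pkgs.nftables
            pkgs.systemd
          ];
        in
        rec {
          # The wrapper itself: the script text is read from ./claudebox.sh at
          # evaluation time.
          # NOTE(review): writeShellApplication prepends runtimeInputs to PATH
          # and, by default, still inherits the caller's PATH, so a tool that
          # is not listed above resolves from the host environment. If the
          # wrapper should use only the pinned tools, consider
          # `inheritPath = false;` - check that the locked nixpkgs supports it
          # and that claudebox.sh needs nothing from the host PATH.
          claudebox = pkgs.writeShellApplication {
            name = "claudebox";
            runtimeInputs = runtimeDeps;
            text = builtins.readFile ./claudebox.sh;
          };

          default = claudebox;
        });

      # NixOS module; its contents live in ./modules and are not shown here.
      nixosModules.default = import ./modules;

      checks = forAllSystems (system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
        in
        {
          # Parse-only check: `bash -n` reads the script without executing it.
          # The two commands must stay on separate lines; on one line, `touch`
          # and `$out` become arguments of the bash invocation and the output
          # path is never created.
          wrapper-syntax = pkgs.runCommand "claudebox-syntax-check" { } ''
            ${pkgs.bash}/bin/bash -n ${./claudebox.sh}
            touch $out
          '';
        });
    };
}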