toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
claudebox/.planning/phases/01-minimal-viable-sandbox/01-02-SUMMARY.md
Christopher Mühl e385f414ca
docs(01-02): complete build verification plan 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-09 11:15:53 +02:00

3.4 KiB
Raw Blame History

phase plan subsystem tags requires provides affects tech-stack key-files key-decisions patterns-established requirements-completed duration completed
01-minimal-viable-sandbox 02 infra
nix
bubblewrap
bwrap
sandbox
verification
smoke-test
phase provides
01-01 claudebox flake.nix and claudebox.sh
verified working claudebox command
sandbox path resolution fix for NixOS symlink chains
added patterns
readlink-f-for-nix-store-resolution
created modified
claudebox.sh
readlink -f required to resolve NixOS profile symlinks to real nix store paths for bwrap visibility
readlink -f for all host-resolved binaries passed into bwrap: NixOS profile paths are symlink chains that don't exist inside the sandbox
NIX-03
SAND-02
SAND-03
SAND-04
SAND-05
SAND-06
SAND-09
SAND-10
SAND-12
SAND-13
SAND-14
TOOL-01
TOOL-02
1min 2026-04-09

Phase 1 Plan 02: Build Verification and Smoke Tests Summary

Fixed NixOS symlink resolution for bwrap, verified nix build succeeds and claudebox --version returns Claude Code 2.1.70 inside sandbox

Performance

  • Duration: ~1 min
  • Started: 2026-04-09T09:13:38Z
  • Completed: 2026-04-09T09:15:01Z
  • Tasks: 2
  • Files modified: 1 (claudebox.sh)

Accomplishments

  • nix build succeeds with shellcheck passing
  • result/bin/claudebox executable exists with full runtimeInputs PATH (bubblewrap, git, curl, jq, ripgrep, fd, nix, comma-with-db, nodejs)
  • claudebox --version returns "2.1.70 (Claude Code)" confirming end-to-end sandbox launch
  • Fixed path resolution bug where NixOS profile symlinks weren't accessible inside bwrap

Task Commits

Each task was committed atomically:

  1. Task 1: Build flake and run automated smoke tests - 9296453 (fix)

Files Created/Modified

  • claudebox.sh - Added readlink -f for claude binary and env resolution to handle NixOS symlink chains

Decisions Made

  • Used readlink -f to resolve both claude and env binaries to their real nix store paths, since NixOS profile paths (/etc/profiles/per-user/...) are symlink chains not visible inside the bwrap sandbox

Deviations from Plan

Auto-fixed Issues

1. [Rule 1 - Bug] Fixed NixOS symlink resolution for bwrap

  • Found during: Task 1 (Build and smoke test)
  • Issue: command -v claude returns /etc/profiles/per-user/toph/bin/claude which is a symlink chain. This path doesn't exist inside bwrap since only /nix/store is mounted. Same issue with env.
  • Fix: Changed command -v claude to readlink -f "$(command -v claude)" and same for env, resolving to real /nix/store/... paths
  • Files modified: claudebox.sh
  • Verification: claudebox --version now returns "2.1.70 (Claude Code)" instead of "execvp: No such file or directory"
  • Committed in: 9296453

Total deviations: 1 auto-fixed (1 bug) Impact on plan: Essential fix -- sandbox was completely non-functional without it on NixOS.

Issues Encountered

None beyond the auto-fixed symlink resolution.

User Setup Required

None - no external service configuration required.

Next Phase Readiness

  • claudebox builds and launches successfully
  • Manual verification of env isolation, filesystem isolation, and tool access is the next step (auto-approved in this run)
  • Ready for phase 2 (hardening/refinement) if applicable

Self-Check: PASSED