Christopher Mühl
c5e8cca867
- Replace --bind ~/.claudebox + --symlink with direct --bind ~/.claude ~/.claude - Add compute_canonical_root() function using git rev-parse --git-common-dir - Add per-project INSTANCE_DIR via sha256sum[:16] of canonical git root - Overlay projects/ with per-project hash dir for isolated conversation history - Overlay history.jsonl and SANDBOX.md as file-level bind mounts - Update credential mount target from ~/.claudebox to ~/.claude - Add CLAUDE_JSON_FILE (~/.claude.json) detection and conditional bind mount - Remove stale CLAUDE.md injection logic (D-06: user's real CLAUDE.md used) - Update dry-run block and print_audit to reflect new mount layout - Update SANDBOX.md heredoc to remove ~/.claudebox reference
3.5 KiB
3.5 KiB
Phase 1: Minimal Viable Sandbox - Context
Gathered: 2026-04-09 Status: Ready for planning
## Phase BoundaryProduce a working claudebox command via Nix flake that launches Claude Code inside a bubblewrap sandbox with environment allowlisting, filesystem isolation, secret path hiding, and on-demand tool provisioning via comma/nix. User runs claudebox in any project directory and gets a fully functional Claude session with secrets invisible.
Argument Passthrough
- D-01: Forward all unknown flags to
claude. claudebox claims only its own flags (--yes,--dry-run,--check) and passes everything else through. No--separator required.--dangerously-skip-permissionsis always injected.
nix-index Database
- D-02: Use
comma-with-dbfrom thenix-community/nix-index-databaseflake. Self-contained — bundles the package index, no host dependency, no extra bind mount needed. DB updates when the flake input is bumped.
Environment Variables
- D-03: Strict allowlist per SAND-03, plus a
CLAUDEBOX_EXTRA_ENVescape hatch. Core allowlist always passes (HOME, PATH, TERM, EDITOR, LANG, LC_ALL, NIX_SSL_CERT_FILE, SSL_CERT_FILE, ANTHROPIC_API_KEY, USER, SHELL, XDG_RUNTIME_DIR). User can add extras at launch viaCLAUDEBOX_EXTRA_ENV="COLORTERM,NODE_OPTIONS"— their responsibility to not leak secrets. - D-04: Sandbox-generated vars (TMPDIR=/tmp, etc.) are set via
--setenv, never read from host.
Git Identity
- D-05: Generate a minimal
.gitconfiginside the sandbox at launch time. Readsuser.nameanduser.emailfrom the host's git config, writes them plussafe.directory = *into the sandbox's~/.gitconfig. No host.gitconfigmounted — avoids credential helper, pager, and alias breakage from missing binaries.
Claude's Discretion
- Mount ordering strategy for CWD-under-HOME (bwrap specifics)
- Exact tmpfs layout and /dev, /proc, /tmp setup
- How
--clearenv+--setenvare sequenced in the bwrap invocation - DNS resolution mount strategy (resolv.conf and its symlink targets)
- SSL cert bundle path detection
<canonical_refs>
Canonical References
Downstream agents MUST read these before planning or implementing.
Project Docs
.planning/PROJECT.md— Core value, constraints, key decisions.planning/REQUIREMENTS.md— Full requirement list with IDs (SAND-, TOOL-, GIT-, NIX-, UX-*).planning/ROADMAP.md— Phase 1 success criteria and requirement mapping
Stack Research
CLAUDE.md§Technology Stack — writeShellApplication, bwrap flags, comma/nix-index, flake structure, PATH construction, testing strategy
</canonical_refs>
<code_context>
Existing Code Insights
Reusable Assets
- None — greenfield project, only CLAUDE.md exists in the repo
Established Patterns
- None yet — Phase 1 establishes all patterns
Integration Points
- Nix flake as entry point (
nix run,nix profile install) writeShellApplicationproduces the claudebox script- bwrap is the sole runtime dependency for sandboxing
</code_context>
## Specific IdeasCLAUDEBOX_EXTRA_ENVis comma-separated, not space-separated- Git identity is read from host at launch time (not build time) so it works across machines
comma-with-dbas flake input, not a nixpkgs package
None — discussion stayed within phase scope
Phase: 01-minimal-viable-sandbox Context gathered: 2026-04-09