clabox 0.0.1 → 0.0.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Igor Suvorov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,189 @@
+# 📦 clabox
+
+[![LSK.js](https://github.com/lskjs/presets/raw/main/docs/badge.svg)](https://github.com/lskjs)
+[![NPM version](https://badgen.net/npm/v/clabox)](https://www.npmjs.com/package/clabox)
+[![NPM downloads](https://badgen.net/npm/dt/clabox)](https://www.npmjs.com/package/clabox)
+[![Have TypeScript types](https://badgen.net/npm/types/clabox)](https://www.npmjs.com/package/clabox)
+[![Package size](https://img.shields.io/npm/unpacked-size/clabox?label=size&color=blue)](https://www.npmjs.com/package/clabox)
+[![License](https://badgen.net/github/license/ycmds/clabox)](https://github.com/ycmds/clabox/blob/main/LICENSE)
+[![Write us in Telegram](https://img.shields.io/badge/write%20us-0088CC?logo=telegram&logoColor=white)](https://t.me/isuvorov)
+
+<div align="center">
+  <h3><p><strong>🛡️ Run Claude Code in a sandbox for super-safe YOLO mode 🛡️</strong></p></h3>
+</div>
+
+<img src="./docs/logo.png" align="right" width="200" height="200" alt="clabox logo" />
+
+**🛡️ Tight Seatbelt sandbox** — the profile starts with `(deny default)` <br/>
+**📂 Project-scoped access** — only the CWD and explicitly allowed paths <br/>
+**🔒 Secrets stay out of reach** — SSH keys, `~/.aws`, `~/.ssh/id_*`, private dirs <br/>
+**📦 Declarative JS config** instead of sed surgery over a heredoc <br/>
+**🤖 Bot identity** for git/ssh inside the sandbox <br/>
+**🧨 Fork-bomb guard** via `ulimit -u` <br/>
+**⚡ YOLO mode, safely** (`--dangerously-skip-permissions`) <br/>
+**🍎 macOS only**, Node ≥ 18, no runtime deps beyond `yargs` <br/>
+
+---
+
+## Install
+
+```bash
+npm install -g clabox      # exposes the global `clabox` command
+# or run without installing:
+bunx clabox …
+npx clabox …
+```
+
+## Usage
+
+```bash
+# Default profile (~/.claude), YOLO mode
+clabox run --dangerously-skip-permissions
+
+# A different Claude profile
+CLAUDE_CONFIG_DIR=~/.claude_work clabox run --dangerously-skip-permissions
+
+# Debugging
+clabox generate            # build the profile, print the .sb path
+clabox profile             # just the path (no build)
+CLABOX_DEBUG=1 clabox      # print profile/config/dir on launch
+clabox --help
+```
+
+Unknown flags are passed straight through to `claude`, so anything after the
+command (`--dangerously-skip-permissions`, `--model …`, etc.) just works.
+
+---
+
+## Configuration
+
+Three layers, later wins: **defaults → environment variables → JS config file**.
+
+The config file is looked up in this order: `--config /path` →
+`CLABOX_CONFIG=/path` → `./clabox.config.mjs` (project root) →
+`~/.config/clabox/config.mjs`.
+See [`clabox.config.example.mjs`](clabox.config.example.mjs).
+
+```bash
+clabox --config ./my.clabox.mjs run --dangerously-skip-permissions
+```
+
+```js
+// clabox.config.mjs
+export default {
+  configDir: '~/.claude_work',
+  bot: { name: 'workBOT', email: 'bot@work.dev', sshDir: '~/.ssh/workbot' },
+  network: true,
+  paths: {
+    readWrite: ['~/scratch'],    // RW on top of project / configDir / tmp
+    readOnly:  ['~/reference'],   // RO
+    exec:      ['/opt/tool/bin'], // process-exec
+    deny:      ['~/secret'],      // explicit deny (read + write)
+  },
+};
+```
+
+You may also export a function `(defaults) => config` for full control. `~` is
+expanded to `$HOME`.
+
+### Environment variables
+
+| Variable | Purpose | Default |
+|---|---|---|
+| `CLAUDE_CONFIG_DIR` | Claude config/profile dir (multi-account); passed through to `claude` | `~/.claude` |
+| `CLABOX_CLAUDE_BIN` | path to the `claude` binary | `PATH`, then `~/.local/bin/claude` |
+| `CLABOX_BOT_NAME` / `CLABOX_BOT_EMAIL` | git identity | `claudeBOT` / `bot@example.com` |
+| `CLABOX_BOT_SSH_DIR` | bot key dir (`id_ed25519`, `config`) | `~/.ssh/claudebot` |
+| `CLABOX_CONFIG` | path to the JS config file (the `--config` flag overrides it) | — |
+| `CLABOX_HOOKS_DIR` | hooks dir (RO + exec inside the sandbox) | — (off) |
+| `CLABOX_DEBUG` | print diagnostics on launch | — |
+| `TMPDIR` | where the generated profile is stored | `/tmp` |
+
+---
+
+## How it works
+
+`sandbox-exec` runs a process inside a Seatbelt profile that starts with
+`(deny default)` — everything is forbidden unless explicitly allowed.
+
+```
+clabox run  →  loadConfig()  →  buildProfile()  →  <TMPDIR>/…sb
+            →  sh -c 'ulimit -u N; exec sandbox-exec -f <sb> env … claude …'
+```
+
+| Module | Responsibility |
+|---|---|
+| `src/utils/config.ts` | defaults, env, loading/merging the JS config, `~` expansion |
+| `src/sandbox/profile.ts` | assembling the SBPL profile from config (typed helpers `subpath`/`literal`/`regex`/…) |
+| `src/sandbox/run.ts` | locating `claude`/`sandbox-exec`, generating the profile, launching with bot env + `ulimit` |
+| `src/cli.ts` | the CLI (`run` / `generate` / `profile`), built on yargs |
+
+Profile path: `$TMPDIR/clabox-<dir-name>-<hash>.sb` (hash of the absolute
+project path — each project gets its own cached profile).
+
+Package managers are autodetected (`src/sandbox/profile.ts`) and added to the
+read/exec sections: Homebrew (`/opt/homebrew` or `/usr/local/Homebrew`),
+`~/.local`, Nix (`/nix/store`).
+
+### What the profile allows and denies
+
+**Read-only:** system dirs `/System`, `/usr`, `/bin`, `/sbin`,
+`/Library/Frameworks`, Command Line Tools / Xcode, tzdata, system and user
+`Library/Preferences`, detected package paths.
+
+**Read-write:** the project dir (CWD), the Claude config dir (`configDir`),
+`/tmp`, `/private/tmp`, `/private/var/folders/…`, `~/Library/Keychains` (for
+OAuth refresh), plus `paths.readWrite` from your config.
+
+**Network:** `(allow network*)` when `network: true` (the default).
+
+**Explicit deny — wins even over the allows above:**
+- private dirs: `denyHome` (`~/Documents`, `~/Desktop`, `~/Downloads`,
+  `~/Pictures`, `~/Movies`, `~/Music`);
+- secrets: `denyDotConfigs` (`~/.aws`, `~/.gnupg`, `~/.kube`, `~/.docker`,
+  `~/.config`) with a carve-out for `~/.config/git`;
+- personal SSH keys `~/.ssh/id_*`, `*.pem`, `*.key` — Claude physically cannot
+  read them. Only the bot key subdir (`bot.sshDir`) is readable.
+
+### Git/ssh bot identity
+
+- `ulimit -u <ulimitProcs>` — fork-bomb guard (`0` to disable);
+- `GIT_AUTHOR_*` / `GIT_COMMITTER_*` — bot name/email from config;
+- if `bot.sshDir/id_ed25519` exists, `GIT_SSH_COMMAND` is pinned to it
+  (`IdentitiesOnly=yes`, `IdentityAgent=none`);
+- gpg signing disabled, `NPM_CONFIG_USERCONFIG=/dev/null`, `DISABLE_AUTOUPDATER=1`.
+
+---
+
+## Tests
+
+```bash
+bun test            # unit + functional (bun:test)
+bun run test        # full gate: lint + types + unit + size
+```
+
+The suite tests the wrapper, not `claude`:
+
+- **Unit** — the generated profile text: SBPL preamble, project RW/exec, network
+  toggle, config dir, ssh-key denials, the deny list, extra config paths, hooks.
+- **Functional** — runs real `sandbox-exec` against a generated profile and
+  asserts that reads/writes inside the project succeed while denied paths are
+  blocked. Auto-skipped off macOS or when running nested inside another sandbox.
+
+---
+
+## Limitations
+
+- **macOS only** — needs `sandbox-exec` (Seatbelt). Formally deprecated, still
+  works on macOS 14/15.
+- **No nested sandbox** — you cannot launch the sandbox from inside another
+  sandbox (`sandbox_apply: Operation not permitted`). Run from a bare host.
+- **Keychain is writable** for OAuth refresh (otherwise tokens hit 401 after
+  ~24h). For a stricter setup, swap the RW Keychain block for RO in
+  `src/sandbox/profile.ts` (the "Keychain access" section).
+
+---
+
+## License
+
+[MIT](LICENSE)

package/clabox.config.example.mjs

@@ -0,0 +1,46 @@
+// Example clabox config. Copy to `clabox.config.mjs` (in your
+// project root) or `~/.config/clabox/config.mjs`, then edit.
+//
+// Default-export either a plain object (merged over the built-in defaults) or
+// a function `(defaults) => config` for full control. `~` is expanded to $HOME.
+
+export default {
+  // Which Claude profile/account to use.
+  configDir: '~/.claude',
+
+  // Args always passed to `claude`, before any args from the CLI.
+  claudeArgs: ['--settings', '{"includeCoAuthoredBy": false}'],
+
+  // Identity forced onto git commits/pushes made from inside the sandbox.
+  bot: {
+    name: 'claudeBOT',
+    email: 'bot@example.com',
+    // If `${sshDir}/id_ed25519` exists, git ssh is pinned to it and your
+    // personal keys (~/.ssh/id_*, *.pem, *.key) stay denied either way.
+    sshDir: '~/.ssh/claudebot',
+  },
+
+  // Outbound network (set false to cut it off entirely).
+  network: true,
+
+  // Process-table cap inside the sandbox (fork-bomb guard); 0 to disable.
+  ulimitProcs: 1024,
+
+  // Extra directory granted read + execute (e.g. shared Claude hooks).
+  hooksDir: null, // '~/some/hooks'
+
+  // Extra rules layered on top of the base profile.
+  paths: {
+    readWrite: [], // e.g. ['~/scratch', '/Volumes/work']
+    readOnly: [], // e.g. ['~/reference-data']
+    exec: [], // e.g. ['/opt/some/tool/bin']
+    deny: [], // e.g. ['~/secret-project']
+  },
+
+  // Home subdirectories denied entirely (read + write).
+  denyHome: ['Documents', 'Desktop', 'Downloads', 'Pictures', 'Movies', 'Music'],
+
+  // Dotfile config dirs under $HOME denied entirely (.config/git is re-allowed
+  // read-only regardless, so git keeps working).
+  denyDotConfigs: ['aws', 'gnupg', 'kube', 'docker', 'config'],
+};

package/docs/guideline.md

@@ -0,0 +1,163 @@
+# Project Guidelines
+
+> **This file contains project documentation for developers.** For AI assistant instructions see [CLAUDE.md](../CLAUDE.md).
+
+Guidelines for clabox — run Claude Code in a sandbox for super-safe YOLO mode, configured in plain JavaScript.
+
+**Important:**
+- Update this file after large project changes
+- Run `bun run fix` and `bun run test` after each code change
+
+## Stack
+
+| Tool | Choice | Notes |
+|---|---|---|
+| Runtime (published) | Node.js ≥ 18 | `lib/` is plain ESM; macOS only (`sandbox-exec`) |
+| Runtime (dev) | Bun | install / test / run TS source directly |
+| Language | TypeScript (ESM) | strict `tsconfig`, `module`/`moduleResolution` nodenext |
+| Build | tsdown (rolldown) | `src/**/*.ts` → `lib/` (ESM + `.d.ts` + sourcemaps) |
+| Lint / Format | Biome | `recommended` preset, `.js`-import enforcement |
+| Test | bun:test | `tests/` (configured in `bunfig.toml`) |
+| Type-check | `tsc --noEmit` | strict, `src/` only |
+| Size budget | size-limit | `@size-limit/preset-small-lib`, `lib/index.js` |
+| Release | semantic-release | fully automatic on push to `main` |
+| CI/CD | GitHub Actions | `macos-latest` (real `sandbox-exec`) |
+| CLI | yargs ^17 | the only runtime dependency |
+| Sandbox | macOS `sandbox-exec` (Seatbelt/SBPL) | profile generated as plain text |
+
+## Project Structure
+
+**Rule:** Only entry-point files live in `src/` root — `index.ts` (public API aggregator) and `cli.ts` (the CLI, built to `lib/cli.js` = the `clabox` bin). All other code lives in subdirectories. The build emits to `lib/`; `bin`/`main`/`exports` point at built `lib/*.js`.
+
+```
+src/
+├── index.ts              # public API aggregator — re-exports config / profile / run
+├── cli.ts                # CLI entry (yargs): run / generate / profile → lib/cli.js (bin)
+├── sandbox/
+│   ├── profile.ts        # pure SBPL builder: buildProfile, detectPackagePaths,
+│   │                     #   subpath/literal/regex/globalName/ipcName/reEscape helpers
+│   └── run.ts            # I/O: profilePath, generateProfile, runClaude (sandbox-exec launch)
+└── utils/
+    └── config.ts         # defaultConfig, expandHome, mergeConfig, findConfigFile, loadConfig
+tests/
+└── profile.test.ts       # bun:test — unit (profile text) + functional (real sandbox-exec)
+lib/                      # build output (tsdown) — gitignored
+docs/
+├── guideline.md          # this file
+└── logo.png              # README logo
+.github/workflows/
+├── test.yml              # PR → install + build + test (macos-latest)
+└── release.yml           # push main → semantic-release (macos-latest)
+clabox.config.example.mjs  # copyable user config (object or (defaults) => config)
+```
+
+## Commands
+
+```bash
+# Build
+bun run build                 # tsdown --out-dir lib (release build: ESM + .d.ts + maps)
+bun run build:tsdown          # tsdown → lib-tsdown (default outDir)
+bun run build:tsdown:release  # tsdown --out-dir lib
+bun run dev                   # tsdown --watch
+
+# Run
+bun run cli                   # bun run src/cli.ts  (pass args after `--`)
+bun run generate              # bun run src/cli.ts generate (build a profile, print its path)
+
+# Testing
+bun run test                  # lint + types + unit + size (the full gate)
+bun run test:unit             # bun test
+bun run test:unit:coverage    # bun test --coverage
+bun run test:unit:watch       # bun test --watch
+bun run test:types            # tsc --noEmit
+bun run test:lint             # biome lint
+bun run test:size             # size-limit
+
+# Fixing
+bun run fix                   # biome check --write
+bun run fix:lint              # biome check --write
+bun run fix:lint:unsafe       # biome check --write --unsafe
+
+# Release (normally automatic in CI)
+bun run version:release       # semantic-release --no-ci --dry-run (preview next version)
+bun run release               # build + test + dry-run + npm publish (local fallback)
+```
+
+## Architecture
+
+`sandbox-exec` runs a process inside a Seatbelt profile that starts with `(deny default)` — everything is forbidden unless explicitly allowed.
+
+```
+clabox run  →  loadConfig()  →  buildProfile()  →  <TMPDIR>/…sb
+            →  sh -c 'ulimit -u N; exec sandbox-exec -f <sb> env … claude …'
+```
+
+### `utils/config.ts`
+Builds the effective config in three layers (later wins): `defaultConfig` → env vars → a JS config file. `findConfigFile(explicit?)` looks up the explicit path (the `--config` CLI flag, falling back to `CLABOX_CONFIG`) → `./clabox.config.mjs` / `./clabox.config.js` → `~/.config/clabox/config.mjs`; the `--config` flag wins over `CLABOX_CONFIG`. `loadConfig(explicit?)` forwards that path, dynamically imports the file and accepts either a plain object (merged via `mergeConfig`, a deep merge over the defaults) or a function `(defaults) => config`. `expandHome()` expands a leading `~`. Exports the `Config`/`BotConfig`/`PathRules`/`LoadedConfig` types.
+
+### `sandbox/profile.ts` (pure)
+Assembles the SBPL profile text from typed helpers (`subpath`, `literal`, `regex`, `globalName`, `ipcName`, `reEscape`) — no I/O beyond `fs.existsSync` for autodetection. `detectPackagePaths()` finds installed package managers (Homebrew `/opt/homebrew` or `/usr/local/Homebrew`, `~/.local`, Nix `/nix/store`) to grant read/exec. `buildProfile(config, { projectDir, detectedPaths })` returns the full profile and sanity-checks it carries `(version 1)`.
+
+### `sandbox/run.ts` (I/O)
+`profilePath()` returns the deterministic `$TMPDIR/clabox-<dir>-<hash>.sb` path. `generateProfile()` requires `sandbox-exec`, builds the profile and writes it. `runClaude()` resolves the `claude` binary (config → PATH → `~/.local/bin/claude`), forces the bot git identity + hardening env (`buildEnvArgs`), sets the terminal title, and execs `sh -c 'ulimit -u N; exec sandbox-exec -f <sb> env … claude …'`, returning the exit code.
+
+### `cli.ts`
+The yargs CLI (`scriptName('clabox')`). Commands: `run [claudeArgs..]` (default), `generate`, `profile`. `unknown-options-as-args` keeps unknown flags as positionals so they pass straight through to `claude` (e.g. `--dangerously-skip-permissions`). The one clabox-owned flag is `--config <path>` (a JS config file that overrides `CLABOX_CONFIG`), forwarded to `loadConfig()` by `run` and `generate`.
+
+### What the profile allows and denies
+- **Read-only:** system dirs (`/System`, `/usr`, `/bin`, `/sbin`, `/Library/Frameworks`), Command Line Tools / Xcode, tzdata, system + user `Library/Preferences`, detected package paths.
+- **Read-write:** the project dir (CWD), the Claude config dir (`configDir`), `/tmp`, `/private/tmp`, `/private/var/folders/…`, `~/Library/Keychains` (OAuth refresh), plus `paths.readWrite`.
+- **Network:** `(allow network*)` when `network: true` (default).
+- **Explicit deny — wins over the allows:** `denyHome` (`~/Documents`, `~/Desktop`, …), `denyDotConfigs` (`~/.aws`, `~/.gnupg`, `~/.kube`, `~/.docker`, `~/.config`) with a carve-out for `~/.config/git`, and personal SSH keys `~/.ssh/id_*`, `*.pem`, `*.key`. Only the bot key subdir (`bot.sshDir`) is readable.
+
+### Git/ssh bot identity
+`ulimit -u <ulimitProcs>` (fork-bomb guard, `0` to disable); `GIT_AUTHOR_*` / `GIT_COMMITTER_*` from `bot.name`/`bot.email`; if `bot.sshDir/id_ed25519` exists, `GIT_SSH_COMMAND` is pinned to it (`IdentitiesOnly=yes`, `IdentityAgent=none`); gpg signing disabled; `NPM_CONFIG_USERCONFIG=/dev/null`; `DISABLE_AUTOUPDATER=1`.
+
+## Lint
+
+Biome (`biome.json`), scoped to `src/**/*.ts` + `tests/**/*.ts`:
+- `recommended` preset; `noExplicitAny` and `noNonNullAssertion` off.
+- `useImportExtensions` (error, `forceJsExtensions`) — relative imports must use `.js` specifiers.
+- Formatter: 2-space indent, line width 100, single quotes, always semicolons.
+
+## CI/CD
+
+Both workflows run on `macos-latest` so the functional tests can exercise the real `sandbox-exec`.
+
+- **`test.yml`** — on PR to `main`: checkout → setup Bun + Node 20 → `bun install --frozen-lockfile` → `bun run build` → `bun run test`.
+- **`release.yml`** — on push to `main`: checkout (`fetch-depth: 0`) → setup Bun + Node 20 (`registry-url`) → install → build → test → `npx semantic-release`. Releases are **fully automatic**: semantic-release reads the Conventional Commits, decides the version, updates `CHANGELOG.md`, publishes to npm (provenance) + GitHub Releases, and commits the bump back with `[skip ci]`. Nobody bumps a version by hand.
+
+## Size Limits
+
+| Entry | Limit | Note |
+|---|---|---|
+| `lib/index.js` | 10 kB | brotlied, `node:*` ignored (the CLI bin uses top-level await and is not size-budgeted) |
+
+## Package Exports
+
+```typescript
+import { loadConfig, buildProfile, runClaude } from 'clabox';        // lib/index.js
+import { loadConfig, defaultConfig, mergeConfig } from 'clabox/config'; // lib/utils/config.js
+import { buildProfile, detectPackagePaths } from 'clabox/profile';   // lib/sandbox/profile.js
+import { generateProfile, profilePath, runClaude } from 'clabox/run'; // lib/sandbox/run.js
+// CLI entry: clabox/cli (lib/cli.js) — also the `clabox` bin
+```
+
+## Environment Variables
+
+| Variable | Purpose | Default |
+|---|---|---|
+| `CLAUDE_CONFIG_DIR` | Claude config/profile dir (multi-account); passed through to `claude` | `~/.claude` |
+| `CLABOX_CLAUDE_BIN` | path to the `claude` binary | PATH, then `~/.local/bin/claude` |
+| `CLABOX_BOT_NAME` / `CLABOX_BOT_EMAIL` | git identity inside the sandbox | `claudeBOT` / `bot@example.com` |
+| `CLABOX_BOT_SSH_DIR` | bot key dir (`id_ed25519`, `config`) | `~/.ssh/claudebot` |
+| `CLABOX_CONFIG` | path to the JS config file (the `--config` flag overrides it) | — |
+| `CLABOX_HOOKS_DIR` | hooks dir (RO + exec inside the sandbox) | — (off) |
+| `CLABOX_DEBUG` | print profile/config/dir diagnostics on launch | — |
+| `TMPDIR` | where the generated profile is stored | `/tmp` |
+
+## Limitations
+
+- **macOS only** — needs `sandbox-exec` (Seatbelt). Formally deprecated, still works on macOS 14/15.
+- **No nested sandbox** — you cannot launch the sandbox from inside another sandbox (`sandbox_apply: Operation not permitted`). Run from a bare host.
+- **Keychain is writable** for OAuth refresh (else tokens hit 401 after ~24h). For a stricter setup, swap the RW Keychain block for RO in `src/sandbox/profile.ts` (the "Keychain access" section).

package/lib/cli.d.ts

@@ -0,0 +1 @@
+export { };

package/lib/cli.js

@@ -0,0 +1,34 @@
+#!/usr/bin/env node
+import { a as loadConfig } from "./config-DXTNeUhH.js";
+import { n as profilePath, r as runClaude, t as generateProfile } from "./run-Dyp_hW97.js";
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+//#region src/cli.ts
+await yargs(hideBin(process.argv)).scriptName("clabox").parserConfiguration({ "unknown-options-as-args": true }).option("config", {
+	type: "string",
+	describe: "Path to a JS config file (overrides CLABOX_CONFIG)"
+}).command(["run [claudeArgs..]", "$0 [claudeArgs..]"], "Generate the profile and run claude inside the sandbox (default)", (y) => y.positional("claudeArgs", {
+	describe: "Arguments passed through to claude",
+	array: true,
+	default: []
+}), async (argv) => {
+	const { config, configFile } = await loadConfig(argv.config);
+	const code = runClaude(config, argv.claudeArgs ?? [], { configFile });
+	process.exit(code);
+}).command("generate", "Build the sandbox profile only and print its path", {}, async (argv) => {
+	const { config } = await loadConfig(argv.config);
+	console.log(generateProfile(config));
+}).command("profile", "Print the sandbox profile path (no build)", {}, () => {
+	console.log(profilePath());
+}).example("$0 run --dangerously-skip-permissions", "YOLO mode inside the sandbox").example("$0 --config ./my.clabox.mjs run", "Use a specific JS config file").example("CLAUDE_CONFIG_DIR=~/.claude_work $0 run", "Use a different Claude profile").epilogue([
+	"Config (later wins): defaults -> env vars -> JS config file.",
+	"File: ./clabox.config.mjs or ~/.config/clabox/config.mjs",
+	"(or --config /path, or CLABOX_CONFIG=/path)."
+].join("\n")).version(false).help().alias("h", "help").fail((msg, err) => {
+	console.error(`Error: ${err?.message ?? msg}`);
+	process.exit(1);
+}).parseAsync();
+//#endregion
+export {};
+
+//# sourceMappingURL=cli.js.map

package/lib/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","names":[],"sources":["../src/cli.ts"],"sourcesContent":["#!/usr/bin/env node\n// clabox — run Claude Code in a sandbox for super-safe YOLO mode.\n// SPDX-License-Identifier: MIT\n//\n// Configure in plain JS: clabox.config.mjs (CWD) or\n// ~/.config/clabox/config.mjs. See clabox.config.example.mjs.\n\nimport yargs from 'yargs';\nimport { hideBin } from 'yargs/helpers';\nimport { generateProfile, profilePath, runClaude } from './sandbox/run.js';\nimport { loadConfig } from './utils/config.js';\n\nawait yargs(hideBin(process.argv))\n  .scriptName('clabox')\n  // Keep unknown flags (e.g. --dangerously-skip-permissions) as positionals so\n  // they pass straight through to claude instead of erroring out.\n  .parserConfiguration({ 'unknown-options-as-args': true })\n  // clabox-owned flag: a config-file path that wins over CLABOX_CONFIG.\n  .option('config', {\n    type: 'string',\n    describe: 'Path to a JS config file (overrides CLABOX_CONFIG)',\n  })\n  .command(\n    ['run [claudeArgs..]', '$0 [claudeArgs..]'],\n    'Generate the profile and run claude inside the sandbox (default)',\n    (y) =>\n      y.positional('claudeArgs', {\n        describe: 'Arguments passed through to claude',\n        array: true,\n        default: [] as string[],\n      }),\n    async (argv) => {\n      const { config, configFile } = await loadConfig(argv.config as string | undefined);\n      const claudeArgs = (argv.claudeArgs ?? []) as string[];\n      const code = runClaude(config, claudeArgs, { configFile });\n      process.exit(code);\n    },\n  )\n  .command('generate', 'Build the sandbox profile only and print its path', {}, async (argv) => {\n    const { config } = await loadConfig(argv.config as string | undefined);\n    console.log(generateProfile(config));\n  })\n  .command('profile', 'Print the sandbox profile path (no build)', {}, () => {\n    console.log(profilePath());\n  })\n  .example('$0 run --dangerously-skip-permissions', 'YOLO mode inside the sandbox')\n  .example('$0 --config ./my.clabox.mjs run', 'Use a specific JS config file')\n  .example('CLAUDE_CONFIG_DIR=~/.claude_work $0 run', 'Use a different Claude profile')\n  .epilogue(\n    [\n      'Config (later wins): defaults -> env vars -> JS config file.',\n      'File: ./clabox.config.mjs or ~/.config/clabox/config.mjs',\n      '(or --config /path, or CLABOX_CONFIG=/path).',\n    ].join('\\n'),\n  )\n  .version(false)\n  .help()\n  .alias('h', 'help')\n  .fail((msg, err) => {\n    console.error(`Error: ${err?.message ?? msg}`);\n    process.exit(1);\n  })\n  .parseAsync();\n"],"mappings":";;;;;;AAYA,MAAM,MAAM,QAAQ,QAAQ,IAAI,CAAC,CAAC,CAC/B,WAAW,QAAQ,CAAC,CAGpB,oBAAoB,EAAE,2BAA2B,KAAK,CAAC,CAAC,CAExD,OAAO,UAAU;CAChB,MAAM;CACN,UAAU;AACZ,CAAC,CAAC,CACD,QACC,CAAC,sBAAsB,mBAAmB,GAC1C,qEACC,MACC,EAAE,WAAW,cAAc;CACzB,UAAU;CACV,OAAO;CACP,SAAS,CAAC;AACZ,CAAC,GACH,OAAO,SAAS;CACd,MAAM,EAAE,QAAQ,eAAe,MAAM,WAAW,KAAK,MAA4B;CAEjF,MAAM,OAAO,UAAU,QADH,KAAK,cAAc,CAAC,GACG,EAAE,WAAW,CAAC;CACzD,QAAQ,KAAK,IAAI;AACnB,CACF,CAAC,CACA,QAAQ,YAAY,qDAAqD,CAAC,GAAG,OAAO,SAAS;CAC5F,MAAM,EAAE,WAAW,MAAM,WAAW,KAAK,MAA4B;CACrE,QAAQ,IAAI,gBAAgB,MAAM,CAAC;AACrC,CAAC,CAAC,CACD,QAAQ,WAAW,6CAA6C,CAAC,SAAS;CACzE,QAAQ,IAAI,YAAY,CAAC;AAC3B,CAAC,CAAC,CACD,QAAQ,yCAAyC,8BAA8B,CAAC,CAChF,QAAQ,mCAAmC,+BAA+B,CAAC,CAC3E,QAAQ,2CAA2C,gCAAgC,CAAC,CACpF,SACC;CACE;CACA;CACA;AACF,CAAC,CAAC,KAAK,IAAI,CACb,CAAC,CACA,QAAQ,KAAK,CAAC,CACd,KAAK,CAAC,CACN,MAAM,KAAK,MAAM,CAAC,CAClB,MAAM,KAAK,QAAQ;CAClB,QAAQ,MAAM,UAAU,KAAK,WAAW,KAAK;CAC7C,QAAQ,KAAK,CAAC;AAChB,CAAC,CAAC,CACD,WAAW"}

package/lib/config-CUyriGxm.d.ts

@@ -0,0 +1,67 @@
+//#region src/utils/config.d.ts
+declare const HOME: string;
+/** Expand a leading `~` / `~/` to the user's home directory. */
+declare function expandHome(p: string): string;
+/** Dedicated git/ssh identity for commits made from inside the sandbox. */
+interface BotConfig {
+  name: string;
+  email: string;
+  /** If `${sshDir}/id_ed25519` exists, git ssh is pinned to it. */
+  sshDir: string;
+}
+/** Extra rules layered on top of the built-in base profile. */
+interface PathRules {
+  /** RW subpaths (beyond project dir + configDir + /tmp). */
+  readWrite: string[];
+  /** RO subpaths. */
+  readOnly: string[];
+  /** process-exec subpaths. */
+  exec: string[];
+  /** explicit deny subpaths (read + write). */
+  deny: string[];
+}
+/** Effective clabox configuration. */
+interface Config {
+  /** Path to the `claude` binary. null → autodetect (PATH, then ~/.local/bin). */
+  claudeBin: string | null;
+  /** Claude config/profile directory — supports multiple accounts. */
+  configDir: string;
+  /** Extra args always passed to `claude`, before any args from the CLI. */
+  claudeArgs: string[];
+  bot: BotConfig;
+  /** Allow outbound network. `false` → no `(allow network*)` line. */
+  network: boolean;
+  /** Cap the process table inside the sandbox (fork-bomb guard). 0 → skip. */
+  ulimitProcs: number;
+  /** Extra directory granted read + execute inside the sandbox. null → disabled. */
+  hooksDir: string | null;
+  paths: PathRules;
+  /** Home subdirectories denied entirely (read + write). */
+  denyHome: string[];
+  /** Dotfile config dirs under $HOME denied entirely. */
+  denyDotConfigs: string[];
+}
+/** Built-in defaults. Everything here is meant to be overridable. */
+declare const defaultConfig: Config;
+/** Merge a (partial) override over a full config, returning a new config. */
+declare function mergeConfig(base: Config, override: unknown): Config;
+/**
+ * Locate a config file: explicit (CLI arg, then `CLABOX_CONFIG` env),
+ * then CWD, then ~/.config. The CLI arg wins over the env var.
+ */
+declare function findConfigFile(explicit?: string | null): string | null;
+/** Result of {@link loadConfig}: the effective config and the file it came from. */
+interface LoadedConfig {
+  config: Config;
+  configFile: string | null;
+}
+/**
+ * Build the effective config: defaults ⊕ env ⊕ config file.
+ *
+ * @param explicitConfig optional config-file path (e.g. from `--config`);
+ *   takes precedence over `CLABOX_CONFIG` and the default lookup locations.
+ */
+declare function loadConfig(explicitConfig?: string | null): Promise<LoadedConfig>;
+//#endregion
+export { PathRules as a, findConfigFile as c, LoadedConfig as i, loadConfig as l, Config as n, defaultConfig as o, HOME as r, expandHome as s, BotConfig as t, mergeConfig as u };
+//# sourceMappingURL=config-CUyriGxm.d.ts.map

package/lib/config-DXTNeUhH.js

@@ -0,0 +1,103 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { pathToFileURL } from "node:url";
+//#region src/utils/config.ts
+const HOME = os.homedir();
+/** Expand a leading `~` / `~/` to the user's home directory. */
+function expandHome(p) {
+	if (!p) return p;
+	if (p === "~") return HOME;
+	if (p.startsWith("~/")) return path.join(HOME, p.slice(2));
+	return p;
+}
+const env = process.env;
+/** Built-in defaults. Everything here is meant to be overridable. */
+const defaultConfig = {
+	claudeBin: env.CLABOX_CLAUDE_BIN ?? null,
+	configDir: env.CLAUDE_CONFIG_DIR ?? "~/.claude",
+	claudeArgs: ["--settings", "{\"includeCoAuthoredBy\": false}"],
+	bot: {
+		name: env.CLABOX_BOT_NAME ?? "claudeBOT",
+		email: env.CLABOX_BOT_EMAIL ?? "bot@example.com",
+		sshDir: env.CLABOX_BOT_SSH_DIR ?? "~/.ssh/claudebot"
+	},
+	network: true,
+	ulimitProcs: 1024,
+	hooksDir: env.CLABOX_HOOKS_DIR ?? null,
+	paths: {
+		readWrite: [],
+		readOnly: [],
+		exec: [],
+		deny: []
+	},
+	denyHome: [
+		"Documents",
+		"Desktop",
+		"Downloads",
+		"Pictures",
+		"Movies",
+		"Music"
+	],
+	denyDotConfigs: [
+		"aws",
+		"gnupg",
+		"kube",
+		"docker",
+		"config"
+	]
+};
+function isPlainObject(v) {
+	return v != null && typeof v === "object" && !Array.isArray(v);
+}
+/** Shallow-deep merge: nested plain objects merge, everything else replaces. */
+function deepMerge(base, override) {
+	const out = { ...base };
+	for (const [key, val] of Object.entries(override)) {
+		if (val === void 0) continue;
+		const baseVal = base[key];
+		out[key] = isPlainObject(val) && isPlainObject(baseVal) ? deepMerge(baseVal, val) : val;
+	}
+	return out;
+}
+/** Merge a (partial) override over a full config, returning a new config. */
+function mergeConfig(base, override) {
+	if (!isPlainObject(override)) return base;
+	return deepMerge(base, override);
+}
+/**
+* Locate a config file: explicit (CLI arg, then `CLABOX_CONFIG` env),
+* then CWD, then ~/.config. The CLI arg wins over the env var.
+*/
+function findConfigFile(explicit) {
+	const chosen = explicit ?? env.CLABOX_CONFIG;
+	if (chosen) return expandHome(chosen);
+	return [
+		path.join(process.cwd(), "clabox.config.mjs"),
+		path.join(process.cwd(), "clabox.config.js"),
+		path.join(HOME, ".config", "clabox", "config.mjs")
+	].find((c) => fs.existsSync(c)) ?? null;
+}
+/**
+* Build the effective config: defaults ⊕ env ⊕ config file.
+*
+* @param explicitConfig optional config-file path (e.g. from `--config`);
+*   takes precedence over `CLABOX_CONFIG` and the default lookup locations.
+*/
+async function loadConfig(explicitConfig) {
+	let cfg = defaultConfig;
+	const file = findConfigFile(explicitConfig);
+	if (file) {
+		const mod = await import(pathToFileURL(file).href);
+		const exported = mod.default ?? mod.config ?? mod;
+		cfg = mergeConfig(defaultConfig, typeof exported === "function" ? await exported(defaultConfig) : exported);
+	}
+	return {
+		config: cfg,
+		configFile: file
+	};
+}
+//#endregion
+export { loadConfig as a, findConfigFile as i, defaultConfig as n, mergeConfig as o, expandHome as r, HOME as t };
+
+//# sourceMappingURL=config-DXTNeUhH.js.map

package/lib/config-DXTNeUhH.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-DXTNeUhH.js","names":[],"sources":["../src/utils/config.ts"],"sourcesContent":["// Configuration: sane defaults, env overrides, and an optional JS config file.\n//\n// Resolution order (later wins):\n//   1. defaultConfig (below)\n//   2. env vars (CLAUDE_CONFIG_DIR, CLABOX_*, …)\n//   3. a JS config file (see loadConfig)\n//\n// A config file default-exports either a plain object (merged over the defaults)\n// or a function `(defaults) => config` for full programmatic control.\n\nimport fs from 'node:fs';\nimport os from 'node:os';\nimport path from 'node:path';\nimport { pathToFileURL } from 'node:url';\n\nexport const HOME = os.homedir();\n\n/** Expand a leading `~` / `~/` to the user's home directory. */\nexport function expandHome(p: string): string {\n  if (!p) return p;\n  if (p === '~') return HOME;\n  if (p.startsWith('~/')) return path.join(HOME, p.slice(2));\n  return p;\n}\n\nconst env = process.env;\n\n/** Dedicated git/ssh identity for commits made from inside the sandbox. */\nexport interface BotConfig {\n  name: string;\n  email: string;\n  /** If `${sshDir}/id_ed25519` exists, git ssh is pinned to it. */\n  sshDir: string;\n}\n\n/** Extra rules layered on top of the built-in base profile. */\nexport interface PathRules {\n  /** RW subpaths (beyond project dir + configDir + /tmp). */\n  readWrite: string[];\n  /** RO subpaths. */\n  readOnly: string[];\n  /** process-exec subpaths. */\n  exec: string[];\n  /** explicit deny subpaths (read + write). */\n  deny: string[];\n}\n\n/** Effective clabox configuration. */\nexport interface Config {\n  /** Path to the `claude` binary. null → autodetect (PATH, then ~/.local/bin). */\n  claudeBin: string | null;\n  /** Claude config/profile directory — supports multiple accounts. */\n  configDir: string;\n  /** Extra args always passed to `claude`, before any args from the CLI. */\n  claudeArgs: string[];\n  bot: BotConfig;\n  /** Allow outbound network. `false` → no `(allow network*)` line. */\n  network: boolean;\n  /** Cap the process table inside the sandbox (fork-bomb guard). 0 → skip. */\n  ulimitProcs: number;\n  /** Extra directory granted read + execute inside the sandbox. null → disabled. */\n  hooksDir: string | null;\n  paths: PathRules;\n  /** Home subdirectories denied entirely (read + write). */\n  denyHome: string[];\n  /** Dotfile config dirs under $HOME denied entirely. */\n  denyDotConfigs: string[];\n}\n\n/** Built-in defaults. Everything here is meant to be overridable. */\nexport const defaultConfig: Config = {\n  claudeBin: env.CLABOX_CLAUDE_BIN ?? null,\n  configDir: env.CLAUDE_CONFIG_DIR ?? '~/.claude',\n  claudeArgs: ['--settings', '{\"includeCoAuthoredBy\": false}'],\n  bot: {\n    name: env.CLABOX_BOT_NAME ?? 'claudeBOT',\n    email: env.CLABOX_BOT_EMAIL ?? 'bot@example.com',\n    sshDir: env.CLABOX_BOT_SSH_DIR ?? '~/.ssh/claudebot',\n  },\n  network: true,\n  ulimitProcs: 1024,\n  hooksDir: env.CLABOX_HOOKS_DIR ?? null,\n  paths: {\n    readWrite: [],\n    readOnly: [],\n    exec: [],\n    deny: [],\n  },\n  denyHome: ['Documents', 'Desktop', 'Downloads', 'Pictures', 'Movies', 'Music'],\n  // `.config/git` is always carved back out for git RO config in the profile.\n  denyDotConfigs: ['aws', 'gnupg', 'kube', 'docker', 'config'],\n};\n\ntype Plain = Record<string, unknown>;\n\nfunction isPlainObject(v: unknown): v is Plain {\n  return v != null && typeof v === 'object' && !Array.isArray(v);\n}\n\n/** Shallow-deep merge: nested plain objects merge, everything else replaces. */\nfunction deepMerge(base: Plain, override: Plain): Plain {\n  const out: Plain = { ...base };\n  for (const [key, val] of Object.entries(override)) {\n    if (val === undefined) continue;\n    const baseVal = base[key];\n    out[key] = isPlainObject(val) && isPlainObject(baseVal) ? deepMerge(baseVal, val) : val;\n  }\n  return out;\n}\n\n/** Merge a (partial) override over a full config, returning a new config. */\nexport function mergeConfig(base: Config, override: unknown): Config {\n  if (!isPlainObject(override)) return base;\n  return deepMerge(base as unknown as Plain, override) as unknown as Config;\n}\n\n/**\n * Locate a config file: explicit (CLI arg, then `CLABOX_CONFIG` env),\n * then CWD, then ~/.config. The CLI arg wins over the env var.\n */\nexport function findConfigFile(explicit?: string | null): string | null {\n  const chosen = explicit ?? env.CLABOX_CONFIG;\n  if (chosen) return expandHome(chosen);\n  const candidates = [\n    path.join(process.cwd(), 'clabox.config.mjs'),\n    path.join(process.cwd(), 'clabox.config.js'),\n    path.join(HOME, '.config', 'clabox', 'config.mjs'),\n  ];\n  return candidates.find((c) => fs.existsSync(c)) ?? null;\n}\n\n/** Result of {@link loadConfig}: the effective config and the file it came from. */\nexport interface LoadedConfig {\n  config: Config;\n  configFile: string | null;\n}\n\n/**\n * Build the effective config: defaults ⊕ env ⊕ config file.\n *\n * @param explicitConfig optional config-file path (e.g. from `--config`);\n *   takes precedence over `CLABOX_CONFIG` and the default lookup locations.\n */\nexport async function loadConfig(explicitConfig?: string | null): Promise<LoadedConfig> {\n  let cfg: Config = defaultConfig;\n  const file = findConfigFile(explicitConfig);\n  if (file) {\n    const mod = await import(pathToFileURL(file).href);\n    const exported = mod.default ?? mod.config ?? mod;\n    const resolved = typeof exported === 'function' ? await exported(defaultConfig) : exported;\n    cfg = mergeConfig(defaultConfig, resolved);\n  }\n  return { config: cfg, configFile: file };\n}\n"],"mappings":";;;;;AAeA,MAAa,OAAO,GAAG,QAAQ;;AAG/B,SAAgB,WAAW,GAAmB;CAC5C,IAAI,CAAC,GAAG,OAAO;CACf,IAAI,MAAM,KAAK,OAAO;CACtB,IAAI,EAAE,WAAW,IAAI,GAAG,OAAO,KAAK,KAAK,MAAM,EAAE,MAAM,CAAC,CAAC;CACzD,OAAO;AACT;AAEA,MAAM,MAAM,QAAQ;;AA6CpB,MAAa,gBAAwB;CACnC,WAAW,IAAI,qBAAqB;CACpC,WAAW,IAAI,qBAAqB;CACpC,YAAY,CAAC,cAAc,kCAAgC;CAC3D,KAAK;EACH,MAAM,IAAI,mBAAmB;EAC7B,OAAO,IAAI,oBAAoB;EAC/B,QAAQ,IAAI,sBAAsB;CACpC;CACA,SAAS;CACT,aAAa;CACb,UAAU,IAAI,oBAAoB;CAClC,OAAO;EACL,WAAW,CAAC;EACZ,UAAU,CAAC;EACX,MAAM,CAAC;EACP,MAAM,CAAC;CACT;CACA,UAAU;EAAC;EAAa;EAAW;EAAa;EAAY;EAAU;CAAO;CAE7E,gBAAgB;EAAC;EAAO;EAAS;EAAQ;EAAU;CAAQ;AAC7D;AAIA,SAAS,cAAc,GAAwB;CAC7C,OAAO,KAAK,QAAQ,OAAO,MAAM,YAAY,CAAC,MAAM,QAAQ,CAAC;AAC/D;;AAGA,SAAS,UAAU,MAAa,UAAwB;CACtD,MAAM,MAAa,EAAE,GAAG,KAAK;CAC7B,KAAK,MAAM,CAAC,KAAK,QAAQ,OAAO,QAAQ,QAAQ,GAAG;EACjD,IAAI,QAAQ,KAAA,GAAW;EACvB,MAAM,UAAU,KAAK;EACrB,IAAI,OAAO,cAAc,GAAG,KAAK,cAAc,OAAO,IAAI,UAAU,SAAS,GAAG,IAAI;CACtF;CACA,OAAO;AACT;;AAGA,SAAgB,YAAY,MAAc,UAA2B;CACnE,IAAI,CAAC,cAAc,QAAQ,GAAG,OAAO;CACrC,OAAO,UAAU,MAA0B,QAAQ;AACrD;;;;;AAMA,SAAgB,eAAe,UAAyC;CACtE,MAAM,SAAS,YAAY,IAAI;CAC/B,IAAI,QAAQ,OAAO,WAAW,MAAM;CAMpC,OAAO;EAJL,KAAK,KAAK,QAAQ,IAAI,GAAG,mBAAmB;EAC5C,KAAK,KAAK,QAAQ,IAAI,GAAG,kBAAkB;EAC3C,KAAK,KAAK,MAAM,WAAW,UAAU,YAAY;CAEnC,CAAC,CAAC,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,KAAK;AACrD;;;;;;;AAcA,eAAsB,WAAW,gBAAuD;CACtF,IAAI,MAAc;CAClB,MAAM,OAAO,eAAe,cAAc;CAC1C,IAAI,MAAM;EACR,MAAM,MAAM,MAAM,OAAO,cAAc,IAAI,CAAC,CAAC;EAC7C,MAAM,WAAW,IAAI,WAAW,IAAI,UAAU;EAE9C,MAAM,YAAY,eADD,OAAO,aAAa,aAAa,MAAM,SAAS,aAAa,IAAI,QACzC;CAC3C;CACA,OAAO;EAAE,QAAQ;EAAK,YAAY;CAAK;AACzC"}

package/lib/index.d.ts

@@ -0,0 +1,4 @@
+import { a as PathRules, c as findConfigFile, i as LoadedConfig, l as loadConfig, n as Config, o as defaultConfig, r as HOME, s as expandHome, t as BotConfig, u as mergeConfig } from "./config-CUyriGxm.js";
+import { a as ipcName, c as regex, i as globalName, l as subpath, n as buildProfile, o as literal, r as detectPackagePaths, s as reEscape, t as ProfileContext } from "./profile-Bw6L1MiV.js";
+import { i as runClaude, n as generateProfile, r as profilePath, t as RunOptions } from "./run-BfF3Cwg7.js";
+export { type BotConfig, type Config, HOME, type LoadedConfig, type PathRules, type ProfileContext, type RunOptions, buildProfile, defaultConfig, detectPackagePaths, expandHome, findConfigFile, generateProfile, globalName, ipcName, literal, loadConfig, mergeConfig, profilePath, reEscape, regex, runClaude, subpath };

package/lib/index.js

@@ -0,0 +1,4 @@
+import { a as loadConfig, i as findConfigFile, n as defaultConfig, o as mergeConfig, r as expandHome, t as HOME } from "./config-DXTNeUhH.js";
+import { a as literal, c as subpath, i as ipcName, n as detectPackagePaths, o as reEscape, r as globalName, s as regex, t as buildProfile } from "./profile-CxqsgezL.js";
+import { n as profilePath, r as runClaude, t as generateProfile } from "./run-Dyp_hW97.js";
+export { HOME, buildProfile, defaultConfig, detectPackagePaths, expandHome, findConfigFile, generateProfile, globalName, ipcName, literal, loadConfig, mergeConfig, profilePath, reEscape, regex, runClaude, subpath };

package/lib/profile-Bw6L1MiV.d.ts

@@ -0,0 +1,29 @@
+import { n as Config } from "./config-CUyriGxm.js";
+
+//#region src/sandbox/profile.d.ts
+declare const subpath: (p: string) => string;
+declare const literal: (p: string) => string;
+declare const regex: (p: string) => string;
+declare const globalName: (n: string) => string;
+declare const ipcName: (n: string) => string;
+/** Escape a path for safe embedding inside an SBPL regex. */
+declare const reEscape: (s: string) => string;
+/** Detect installed package managers whose paths must be readable/executable. */
+declare function detectPackagePaths(): string[];
+/** Context needed to assemble a profile for a specific project. */
+interface ProfileContext {
+  projectDir: string;
+  detectedPaths?: string[];
+}
+/**
+ * Build the full SBPL profile text.
+ * @param config  effective config (see config.ts)
+ * @param ctx     { projectDir, detectedPaths }
+ */
+declare function buildProfile(config: Config, {
+  projectDir,
+  detectedPaths
+}: ProfileContext): string;
+//#endregion
+export { ipcName as a, regex as c, globalName as i, subpath as l, buildProfile as n, literal as o, detectPackagePaths as r, reEscape as s, ProfileContext as t };
+//# sourceMappingURL=profile-Bw6L1MiV.d.ts.map

package/lib/profile-CxqsgezL.js

@@ -0,0 +1,103 @@
+import { r as expandHome, t as HOME } from "./config-DXTNeUhH.js";
+import fs from "node:fs";
+import path from "node:path";
+//#region src/sandbox/profile.ts
+const q = (s) => `"${String(s).replace(/"/g, "\\\"")}"`;
+const subpath = (p) => `(subpath ${q(p)})`;
+const literal = (p) => `(literal ${q(p)})`;
+const regex = (p) => `(regex ${q(p)})`;
+const globalName = (n) => `(global-name ${q(n)})`;
+const ipcName = (n) => `(ipc-posix-name ${q(n)})`;
+/** Escape a path for safe embedding inside an SBPL regex. */
+const reEscape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+function block(op, rules) {
+	return [
+		`(${op}`,
+		...rules.map((r) => `  ${r}`),
+		")"
+	].join("\n");
+}
+const allow = (op, ...rules) => block(`allow ${op}`, rules);
+const deny = (op, ...rules) => block(`deny ${op}`, rules);
+/** Detect installed package managers whose paths must be readable/executable. */
+function detectPackagePaths() {
+	const paths = [];
+	if (fs.existsSync("/opt/homebrew")) paths.push("/opt/homebrew");
+	else if (fs.existsSync("/usr/local/Homebrew")) paths.push("/usr/local/Homebrew");
+	const local = path.join(HOME, ".local");
+	if (fs.existsSync(local)) paths.push(local);
+	if (fs.existsSync("/nix/store")) paths.push("/nix/store");
+	return paths;
+}
+/**
+* Build the full SBPL profile text.
+* @param config  effective config (see config.ts)
+* @param ctx     { projectDir, detectedPaths }
+*/
+function buildProfile(config, { projectDir, detectedPaths = detectPackagePaths() }) {
+	const configDir = expandHome(config.configDir);
+	const sshDir = expandHome(config.bot.sshDir);
+	const hooksDir = config.hooksDir ? expandHome(config.hooksDir) : null;
+	const homeRe = reEscape(HOME);
+	const sections = [];
+	const add = (comment, body) => sections.push(`;; ---------- ${comment}\n${body}`);
+	sections.push([
+		";; ------------------------------------------------------------------",
+		";;  Claude Code macOS sandbox profile (autogenerated)",
+		";; ------------------------------------------------------------------",
+		"(version 1)",
+		"(deny default)"
+	].join("\n"));
+	add("introspection & sysctl", "(allow file-read-metadata)\n(allow sysctl-read)");
+	add("basic dir traversal", [
+		allow("file-read*", literal("/")),
+		allow("file-read*", literal("/private")),
+		allow("file-read-data", literal("/Users")),
+		allow("file-read-data", literal(HOME))
+	].join("\n"));
+	add("system runtime (read-only)", allow("file-read* file-map-executable", subpath("/System"), subpath("/usr"), subpath("/bin"), subpath("/sbin"), subpath("/Library/Frameworks"), subpath("/private/etc"), subpath("/var/db/dyld"), ...detectedPaths.map(subpath)));
+	add("Xcode / Command Line Tools (xcrun, git, etc.)", [allow("file-read* file-map-executable", subpath("/Library/Developer/CommandLineTools"), subpath("/Applications/Xcode.app")), allow("process-exec", subpath("/Library/Developer/CommandLineTools"), subpath("/Applications/Xcode.app"))].join("\n"));
+	const userPaths = detectedPaths.filter((p) => p.endsWith("/.local"));
+	add("global npm/pipx/cargo bins", userPaths.length ? userPaths.map((p) => allow("file-read*", subpath(p))).join("\n") : ";; No user package paths detected");
+	add("executable paths", allow("process-exec", subpath("/usr"), subpath("/System"), subpath("/bin"), subpath("/sbin"), literal("/usr/bin/env"), ...detectedPaths.map(subpath)));
+	add("temp dirs", allow("file-read* file-write*", subpath("/tmp"), subpath("/private/tmp"), regex("^/private/var/folders/")));
+	add("Claude config & token files", allow("file-read* file-write*", subpath(configDir)));
+	add("Claude auto-update (RO) -- suppress warnings", allow("file-read*", subpath(path.join(HOME, ".local/state/claude")), subpath(path.join(HOME, ".cache/claude"))));
+	add("time-zone & prefs (RO)", allow("file-read*", subpath("/private/var/db/timezone"), subpath("/Library/Preferences")));
+	add("/dev access (RO) + ioctl", [
+		allow("file-read*", literal("/dev")),
+		allow("file-read* file-write*", regex("^/dev/(tty.*|null|zero|dtracehelper)")),
+		allow("file-ioctl", literal("/dev/dtracehelper"), regex("^/dev/tty.*"))
+	].join("\n"));
+	add("mach-lookup services", allow("mach-lookup", globalName("com.apple.system.opendirectoryd.libinfo"), globalName("com.apple.SystemConfiguration.DNSConfiguration"), globalName("com.apple.coreservices.launchservicesd"), globalName("com.apple.CoreServices.coreservicesd"), globalName("com.apple.system.notification_center"), globalName("com.apple.logd"), globalName("com.apple.diagnosticd"), globalName("com.apple.lsd.mapdb"), globalName("com.apple.lsd.modifydb"), globalName("com.apple.coreservices.quarantine-resolver"), globalName("com.apple.pasteboard.pboard"), globalName("com.apple.pasteboard.1")));
+	add("Launch Services needed by /usr/bin/open", allow("mach-lookup", regex("^com\\.apple\\.lsd(\\..*)?$")));
+	add("Developer Tools (xcrun / libxcrun)", allow("mach-lookup", globalName("com.apple.dt.xcsecurity"), regex("^com\\.apple\\.dt\\..*$")));
+	add("Audio (afplay)", allow("mach-lookup", globalName("com.apple.audio.audiohald"), globalName("com.apple.audio.AudioComponentRegistrar")));
+	add("Notification Center shared-memory (RO)", allow("ipc-posix-shm-read-data", ipcName("apple.shm.notification_center")));
+	add("User-level preference reads (RO)", allow("file-read*", subpath(path.join(HOME, "Library/Preferences"))));
+	add("Keychain access (for OAuth)", [allow("file-read* file-write*", subpath(path.join(HOME, "Library/Keychains"))), allow("mach-lookup", globalName("com.apple.SecurityServer"), globalName("com.apple.security.agent"), globalName("com.apple.securityd"), globalName("com.apple.secd"), globalName("com.apple.trustd"), globalName("com.apple.trustd.agent"), globalName("com.apple.CoreAuthentication.daemon"))].join("\n"));
+	add("git config (RO)", allow("file-read*", literal(path.join(HOME, ".gitconfig")), literal(path.join(HOME, ".gitignore_global")), subpath(path.join(HOME, ".config/git"))));
+	const denyRules = [...config.denyHome.map((d) => subpath(path.join(HOME, d)))];
+	if (config.denyDotConfigs.length) denyRules.push(regex(`^${homeRe}/\\.(${config.denyDotConfigs.join("|")})($|/)`));
+	denyRules.push(...config.paths.deny.map((p) => subpath(expandHome(p))));
+	add("explicit sensitive DENY list", deny("file-read* file-write*", ...denyRules));
+	add("SSH: bot key only, deny other keys", [
+		allow("file-read*", literal(path.join(HOME, ".ssh")), literal(path.join(HOME, ".ssh/known_hosts")), literal(path.join(HOME, ".ssh/known_hosts2")), literal(path.join(HOME, ".ssh/config")), subpath(sshDir)),
+		allow("file-write*", literal(path.join(HOME, ".ssh/known_hosts")), literal(path.join(HOME, ".ssh/known_hosts2"))),
+		deny("file-read* file-write*", regex(`^${homeRe}/\\.ssh/id_`), regex(`^${homeRe}/\\.ssh/.*\\.pem$`), regex(`^${homeRe}/\\.ssh/.*\\.key$`))
+	].join("\n"));
+	add("claude hooks (RO + exec)", hooksDir && fs.existsSync(hooksDir) ? [allow("file-read* file-map-executable", subpath(hooksDir)), allow("process-exec", subpath(hooksDir))].join("\n") : ";; (no hooks dir; set config.hooksDir / CLABOX_HOOKS_DIR to enable)");
+	if (config.paths.readOnly.length) add("extra read-only paths", allow("file-read*", ...config.paths.readOnly.map((p) => subpath(expandHome(p)))));
+	if (config.paths.readWrite.length) add("extra read-write paths", allow("file-read* file-write*", ...config.paths.readWrite.map((p) => subpath(expandHome(p)))));
+	if (config.paths.exec.length) add("extra exec paths", allow("process-exec", ...config.paths.exec.map((p) => subpath(expandHome(p)))));
+	add("project workspace (RW)", [allow("file-read* file-write* file-map-executable", subpath(projectDir)), allow("process-exec", subpath(projectDir))].join("\n"));
+	if (config.network) add("networking", "(allow network*)");
+	sections.push("(allow process-fork)\n(allow lsopen)");
+	const text = `${sections.join("\n\n")}\n`;
+	if (!/^\(version 1\)/m.test(text)) throw new Error("generated sandbox profile is missing \"(version 1)\"");
+	return text;
+}
+//#endregion
+export { literal as a, subpath as c, ipcName as i, detectPackagePaths as n, reEscape as o, globalName as r, regex as s, buildProfile as t };
+
+//# sourceMappingURL=profile-CxqsgezL.js.map

package/lib/profile-CxqsgezL.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profile-CxqsgezL.js","names":[],"sources":["../src/sandbox/profile.ts"],"sourcesContent":["// Seatbelt (SBPL) profile generator.\n//\n// The old bash version baked the profile into a heredoc and patched it with\n// sed. Here the profile is assembled from small typed helpers, so the parts\n// you actually want to tweak live in config.ts as plain data.\n\nimport fs from 'node:fs';\nimport path from 'node:path';\nimport { type Config, expandHome, HOME } from '../utils/config.js';\n\n// ---- SBPL helpers ----------------------------------------------------------\n\n// Quote a literal string for SBPL. Only `\"` needs escaping; backslashes are\n// left as-is so regex patterns survive verbatim.\nconst q = (s: string): string => `\"${String(s).replace(/\"/g, '\\\\\"')}\"`;\n\nexport const subpath = (p: string): string => `(subpath ${q(p)})`;\nexport const literal = (p: string): string => `(literal ${q(p)})`;\nexport const regex = (p: string): string => `(regex ${q(p)})`;\nexport const globalName = (n: string): string => `(global-name ${q(n)})`;\nexport const ipcName = (n: string): string => `(ipc-posix-name ${q(n)})`;\n\n/** Escape a path for safe embedding inside an SBPL regex. */\nexport const reEscape = (s: string): string => s.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n\nfunction block(op: string, rules: string[]): string {\n  return [`(${op}`, ...rules.map((r) => `  ${r}`), ')'].join('\\n');\n}\nconst allow = (op: string, ...rules: string[]): string => block(`allow ${op}`, rules);\nconst deny = (op: string, ...rules: string[]): string => block(`deny ${op}`, rules);\n\n// ---- package-manager autodetection ----------------------------------------\n\n/** Detect installed package managers whose paths must be readable/executable. */\nexport function detectPackagePaths(): string[] {\n  const paths: string[] = [];\n  if (fs.existsSync('/opt/homebrew')) paths.push('/opt/homebrew');\n  else if (fs.existsSync('/usr/local/Homebrew')) paths.push('/usr/local/Homebrew');\n  const local = path.join(HOME, '.local');\n  if (fs.existsSync(local)) paths.push(local);\n  if (fs.existsSync('/nix/store')) paths.push('/nix/store');\n  return paths;\n}\n\n/** Context needed to assemble a profile for a specific project. */\nexport interface ProfileContext {\n  projectDir: string;\n  detectedPaths?: string[];\n}\n\n/**\n * Build the full SBPL profile text.\n * @param config  effective config (see config.ts)\n * @param ctx     { projectDir, detectedPaths }\n */\nexport function buildProfile(\n  config: Config,\n  { projectDir, detectedPaths = detectPackagePaths() }: ProfileContext,\n): string {\n  const configDir = expandHome(config.configDir);\n  const sshDir = expandHome(config.bot.sshDir);\n  const hooksDir = config.hooksDir ? expandHome(config.hooksDir) : null;\n  const homeRe = reEscape(HOME);\n\n  const sections: string[] = [];\n  const add = (comment: string, body: string) => sections.push(`;; ---------- ${comment}\\n${body}`);\n\n  sections.push(\n    [\n      ';; ------------------------------------------------------------------',\n      ';;  Claude Code macOS sandbox profile (autogenerated)',\n      ';; ------------------------------------------------------------------',\n      '(version 1)',\n      '(deny default)',\n    ].join('\\n'),\n  );\n\n  add('introspection & sysctl', '(allow file-read-metadata)\\n(allow sysctl-read)');\n\n  add(\n    'basic dir traversal',\n    [\n      allow('file-read*', literal('/')),\n      allow('file-read*', literal('/private')),\n      allow('file-read-data', literal('/Users')),\n      allow('file-read-data', literal(HOME)),\n    ].join('\\n'),\n  );\n\n  add(\n    'system runtime (read-only)',\n    allow(\n      'file-read* file-map-executable',\n      subpath('/System'),\n      subpath('/usr'),\n      subpath('/bin'),\n      subpath('/sbin'),\n      subpath('/Library/Frameworks'),\n      subpath('/private/etc'),\n      subpath('/var/db/dyld'),\n      ...detectedPaths.map(subpath),\n    ),\n  );\n\n  add(\n    'Xcode / Command Line Tools (xcrun, git, etc.)',\n    [\n      allow(\n        'file-read* file-map-executable',\n        subpath('/Library/Developer/CommandLineTools'),\n        subpath('/Applications/Xcode.app'),\n      ),\n      allow(\n        'process-exec',\n        subpath('/Library/Developer/CommandLineTools'),\n        subpath('/Applications/Xcode.app'),\n      ),\n    ].join('\\n'),\n  );\n\n  // global npm/pipx/cargo bins (user-installed)\n  const userPaths = detectedPaths.filter((p) => p.endsWith('/.local'));\n  add(\n    'global npm/pipx/cargo bins',\n    userPaths.length\n      ? userPaths.map((p) => allow('file-read*', subpath(p))).join('\\n')\n      : ';; No user package paths detected',\n  );\n\n  add(\n    'executable paths',\n    allow(\n      'process-exec',\n      subpath('/usr'),\n      subpath('/System'),\n      subpath('/bin'),\n      subpath('/sbin'),\n      literal('/usr/bin/env'),\n      ...detectedPaths.map(subpath),\n    ),\n  );\n\n  add(\n    'temp dirs',\n    allow(\n      'file-read* file-write*',\n      subpath('/tmp'),\n      subpath('/private/tmp'),\n      regex('^/private/var/folders/'),\n    ),\n  );\n\n  add('Claude config & token files', allow('file-read* file-write*', subpath(configDir)));\n\n  add(\n    'Claude auto-update (RO) -- suppress warnings',\n    allow(\n      'file-read*',\n      subpath(path.join(HOME, '.local/state/claude')),\n      subpath(path.join(HOME, '.cache/claude')),\n    ),\n  );\n\n  add(\n    'time-zone & prefs (RO)',\n    allow('file-read*', subpath('/private/var/db/timezone'), subpath('/Library/Preferences')),\n  );\n\n  add(\n    '/dev access (RO) + ioctl',\n    [\n      allow('file-read*', literal('/dev')),\n      allow('file-read* file-write*', regex('^/dev/(tty.*|null|zero|dtracehelper)')),\n      allow('file-ioctl', literal('/dev/dtracehelper'), regex('^/dev/tty.*')),\n    ].join('\\n'),\n  );\n\n  add(\n    'mach-lookup services',\n    allow(\n      'mach-lookup',\n      globalName('com.apple.system.opendirectoryd.libinfo'),\n      globalName('com.apple.SystemConfiguration.DNSConfiguration'),\n      globalName('com.apple.coreservices.launchservicesd'),\n      globalName('com.apple.CoreServices.coreservicesd'),\n      globalName('com.apple.system.notification_center'),\n      globalName('com.apple.logd'),\n      globalName('com.apple.diagnosticd'),\n      globalName('com.apple.lsd.mapdb'),\n      globalName('com.apple.lsd.modifydb'),\n      globalName('com.apple.coreservices.quarantine-resolver'),\n      globalName('com.apple.pasteboard.pboard'),\n      globalName('com.apple.pasteboard.1'),\n    ),\n  );\n\n  add(\n    'Launch Services needed by /usr/bin/open',\n    allow('mach-lookup', regex('^com\\\\.apple\\\\.lsd(\\\\..*)?$')),\n  );\n\n  add(\n    'Developer Tools (xcrun / libxcrun)',\n    allow('mach-lookup', globalName('com.apple.dt.xcsecurity'), regex('^com\\\\.apple\\\\.dt\\\\..*$')),\n  );\n\n  add(\n    'Audio (afplay)',\n    allow(\n      'mach-lookup',\n      globalName('com.apple.audio.audiohald'),\n      globalName('com.apple.audio.AudioComponentRegistrar'),\n    ),\n  );\n\n  add(\n    'Notification Center shared-memory (RO)',\n    allow('ipc-posix-shm-read-data', ipcName('apple.shm.notification_center')),\n  );\n\n  add(\n    'User-level preference reads (RO)',\n    allow('file-read*', subpath(path.join(HOME, 'Library/Preferences'))),\n  );\n\n  // Keychain RW so Claude can persist refreshed OAuth tokens (else ~24h → 401).\n  add(\n    'Keychain access (for OAuth)',\n    [\n      allow('file-read* file-write*', subpath(path.join(HOME, 'Library/Keychains'))),\n      allow(\n        'mach-lookup',\n        globalName('com.apple.SecurityServer'),\n        globalName('com.apple.security.agent'),\n        globalName('com.apple.securityd'),\n        globalName('com.apple.secd'),\n        globalName('com.apple.trustd'),\n        globalName('com.apple.trustd.agent'),\n        globalName('com.apple.CoreAuthentication.daemon'),\n      ),\n    ].join('\\n'),\n  );\n\n  add(\n    'git config (RO)',\n    allow(\n      'file-read*',\n      literal(path.join(HOME, '.gitconfig')),\n      literal(path.join(HOME, '.gitignore_global')),\n      subpath(path.join(HOME, '.config/git')),\n    ),\n  );\n\n  // Explicit deny list — wins even over allows above.\n  const denyRules = [...config.denyHome.map((d) => subpath(path.join(HOME, d)))];\n  if (config.denyDotConfigs.length) {\n    denyRules.push(regex(`^${homeRe}/\\\\.(${config.denyDotConfigs.join('|')})($|/)`));\n  }\n  denyRules.push(...config.paths.deny.map((p) => subpath(expandHome(p))));\n  add('explicit sensitive DENY list', deny('file-read* file-write*', ...denyRules));\n\n  add(\n    'SSH: bot key only, deny other keys',\n    [\n      allow(\n        'file-read*',\n        literal(path.join(HOME, '.ssh')),\n        literal(path.join(HOME, '.ssh/known_hosts')),\n        literal(path.join(HOME, '.ssh/known_hosts2')),\n        literal(path.join(HOME, '.ssh/config')),\n        subpath(sshDir),\n      ),\n      allow(\n        'file-write*',\n        literal(path.join(HOME, '.ssh/known_hosts')),\n        literal(path.join(HOME, '.ssh/known_hosts2')),\n      ),\n      deny(\n        'file-read* file-write*',\n        regex(`^${homeRe}/\\\\.ssh/id_`),\n        regex(`^${homeRe}/\\\\.ssh/.*\\\\.pem$`),\n        regex(`^${homeRe}/\\\\.ssh/.*\\\\.key$`),\n      ),\n    ].join('\\n'),\n  );\n\n  add(\n    'claude hooks (RO + exec)',\n    hooksDir && fs.existsSync(hooksDir)\n      ? [\n          allow('file-read* file-map-executable', subpath(hooksDir)),\n          allow('process-exec', subpath(hooksDir)),\n        ].join('\\n')\n      : ';; (no hooks dir; set config.hooksDir / CLABOX_HOOKS_DIR to enable)',\n  );\n\n  // Extra user-supplied RO / RW / exec rules.\n  if (config.paths.readOnly.length)\n    add(\n      'extra read-only paths',\n      allow('file-read*', ...config.paths.readOnly.map((p) => subpath(expandHome(p)))),\n    );\n  if (config.paths.readWrite.length)\n    add(\n      'extra read-write paths',\n      allow('file-read* file-write*', ...config.paths.readWrite.map((p) => subpath(expandHome(p)))),\n    );\n  if (config.paths.exec.length)\n    add(\n      'extra exec paths',\n      allow('process-exec', ...config.paths.exec.map((p) => subpath(expandHome(p)))),\n    );\n\n  add(\n    'project workspace (RW)',\n    [\n      allow('file-read* file-write* file-map-executable', subpath(projectDir)),\n      allow('process-exec', subpath(projectDir)),\n    ].join('\\n'),\n  );\n\n  if (config.network) add('networking', '(allow network*)');\n\n  sections.push('(allow process-fork)\\n(allow lsopen)');\n\n  const text = `${sections.join('\\n\\n')}\\n`;\n\n  // Sanity-check before anyone feeds it to sandbox-exec.\n  if (!/^\\(version 1\\)/m.test(text)) {\n    throw new Error('generated sandbox profile is missing \"(version 1)\"');\n  }\n  return text;\n}\n"],"mappings":";;;;AAcA,MAAM,KAAK,MAAsB,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,MAAM,MAAK,EAAE;AAEpE,MAAa,WAAW,MAAsB,YAAY,EAAE,CAAC,EAAE;AAC/D,MAAa,WAAW,MAAsB,YAAY,EAAE,CAAC,EAAE;AAC/D,MAAa,SAAS,MAAsB,UAAU,EAAE,CAAC,EAAE;AAC3D,MAAa,cAAc,MAAsB,gBAAgB,EAAE,CAAC,EAAE;AACtE,MAAa,WAAW,MAAsB,mBAAmB,EAAE,CAAC,EAAE;;AAGtE,MAAa,YAAY,MAAsB,EAAE,QAAQ,uBAAuB,MAAM;AAEtF,SAAS,MAAM,IAAY,OAAyB;CAClD,OAAO;EAAC,IAAI;EAAM,GAAG,MAAM,KAAK,MAAM,KAAK,GAAG;EAAG;CAAG,CAAC,CAAC,KAAK,IAAI;AACjE;AACA,MAAM,SAAS,IAAY,GAAG,UAA4B,MAAM,SAAS,MAAM,KAAK;AACpF,MAAM,QAAQ,IAAY,GAAG,UAA4B,MAAM,QAAQ,MAAM,KAAK;;AAKlF,SAAgB,qBAA+B;CAC7C,MAAM,QAAkB,CAAC;CACzB,IAAI,GAAG,WAAW,eAAe,GAAG,MAAM,KAAK,eAAe;MACzD,IAAI,GAAG,WAAW,qBAAqB,GAAG,MAAM,KAAK,qBAAqB;CAC/E,MAAM,QAAQ,KAAK,KAAK,MAAM,QAAQ;CACtC,IAAI,GAAG,WAAW,KAAK,GAAG,MAAM,KAAK,KAAK;CAC1C,IAAI,GAAG,WAAW,YAAY,GAAG,MAAM,KAAK,YAAY;CACxD,OAAO;AACT;;;;;;AAaA,SAAgB,aACd,QACA,EAAE,YAAY,gBAAgB,mBAAmB,KACzC;CACR,MAAM,YAAY,WAAW,OAAO,SAAS;CAC7C,MAAM,SAAS,WAAW,OAAO,IAAI,MAAM;CAC3C,MAAM,WAAW,OAAO,WAAW,WAAW,OAAO,QAAQ,IAAI;CACjE,MAAM,SAAS,SAAS,IAAI;CAE5B,MAAM,WAAqB,CAAC;CAC5B,MAAM,OAAO,SAAiB,SAAiB,SAAS,KAAK,iBAAiB,QAAQ,IAAI,MAAM;CAEhG,SAAS,KACP;EACE;EACA;EACA;EACA;EACA;CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IAAI,0BAA0B,iDAAiD;CAE/E,IACE,uBACA;EACE,MAAM,cAAc,QAAQ,GAAG,CAAC;EAChC,MAAM,cAAc,QAAQ,UAAU,CAAC;EACvC,MAAM,kBAAkB,QAAQ,QAAQ,CAAC;EACzC,MAAM,kBAAkB,QAAQ,IAAI,CAAC;CACvC,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,8BACA,MACE,kCACA,QAAQ,SAAS,GACjB,QAAQ,MAAM,GACd,QAAQ,MAAM,GACd,QAAQ,OAAO,GACf,QAAQ,qBAAqB,GAC7B,QAAQ,cAAc,GACtB,QAAQ,cAAc,GACtB,GAAG,cAAc,IAAI,OAAO,CAC9B,CACF;CAEA,IACE,iDACA,CACE,MACE,kCACA,QAAQ,qCAAqC,GAC7C,QAAQ,yBAAyB,CACnC,GACA,MACE,gBACA,QAAQ,qCAAqC,GAC7C,QAAQ,yBAAyB,CACnC,CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAGA,MAAM,YAAY,cAAc,QAAQ,MAAM,EAAE,SAAS,SAAS,CAAC;CACnE,IACE,8BACA,UAAU,SACN,UAAU,KAAK,MAAM,MAAM,cAAc,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAC/D,mCACN;CAEA,IACE,oBACA,MACE,gBACA,QAAQ,MAAM,GACd,QAAQ,SAAS,GACjB,QAAQ,MAAM,GACd,QAAQ,OAAO,GACf,QAAQ,cAAc,GACtB,GAAG,cAAc,IAAI,OAAO,CAC9B,CACF;CAEA,IACE,aACA,MACE,0BACA,QAAQ,MAAM,GACd,QAAQ,cAAc,GACtB,MAAM,wBAAwB,CAChC,CACF;CAEA,IAAI,+BAA+B,MAAM,0BAA0B,QAAQ,SAAS,CAAC,CAAC;CAEtF,IACE,gDACA,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,qBAAqB,CAAC,GAC9C,QAAQ,KAAK,KAAK,MAAM,eAAe,CAAC,CAC1C,CACF;CAEA,IACE,0BACA,MAAM,cAAc,QAAQ,0BAA0B,GAAG,QAAQ,sBAAsB,CAAC,CAC1F;CAEA,IACE,4BACA;EACE,MAAM,cAAc,QAAQ,MAAM,CAAC;EACnC,MAAM,0BAA0B,MAAM,sCAAsC,CAAC;EAC7E,MAAM,cAAc,QAAQ,mBAAmB,GAAG,MAAM,aAAa,CAAC;CACxE,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,wBACA,MACE,eACA,WAAW,yCAAyC,GACpD,WAAW,gDAAgD,GAC3D,WAAW,wCAAwC,GACnD,WAAW,sCAAsC,GACjD,WAAW,sCAAsC,GACjD,WAAW,gBAAgB,GAC3B,WAAW,uBAAuB,GAClC,WAAW,qBAAqB,GAChC,WAAW,wBAAwB,GACnC,WAAW,4CAA4C,GACvD,WAAW,6BAA6B,GACxC,WAAW,wBAAwB,CACrC,CACF;CAEA,IACE,2CACA,MAAM,eAAe,MAAM,6BAA6B,CAAC,CAC3D;CAEA,IACE,sCACA,MAAM,eAAe,WAAW,yBAAyB,GAAG,MAAM,yBAAyB,CAAC,CAC9F;CAEA,IACE,kBACA,MACE,eACA,WAAW,2BAA2B,GACtC,WAAW,yCAAyC,CACtD,CACF;CAEA,IACE,0CACA,MAAM,2BAA2B,QAAQ,+BAA+B,CAAC,CAC3E;CAEA,IACE,oCACA,MAAM,cAAc,QAAQ,KAAK,KAAK,MAAM,qBAAqB,CAAC,CAAC,CACrE;CAGA,IACE,+BACA,CACE,MAAM,0BAA0B,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,CAAC,GAC7E,MACE,eACA,WAAW,0BAA0B,GACrC,WAAW,0BAA0B,GACrC,WAAW,qBAAqB,GAChC,WAAW,gBAAgB,GAC3B,WAAW,kBAAkB,GAC7B,WAAW,wBAAwB,GACnC,WAAW,qCAAqC,CAClD,CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,mBACA,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,YAAY,CAAC,GACrC,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,GAC5C,QAAQ,KAAK,KAAK,MAAM,aAAa,CAAC,CACxC,CACF;CAGA,MAAM,YAAY,CAAC,GAAG,OAAO,SAAS,KAAK,MAAM,QAAQ,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC;CAC7E,IAAI,OAAO,eAAe,QACxB,UAAU,KAAK,MAAM,IAAI,OAAO,OAAO,OAAO,eAAe,KAAK,GAAG,EAAE,OAAO,CAAC;CAEjF,UAAU,KAAK,GAAG,OAAO,MAAM,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC;CACtE,IAAI,gCAAgC,KAAK,0BAA0B,GAAG,SAAS,CAAC;CAEhF,IACE,sCACA;EACE,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,MAAM,CAAC,GAC/B,QAAQ,KAAK,KAAK,MAAM,kBAAkB,CAAC,GAC3C,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,GAC5C,QAAQ,KAAK,KAAK,MAAM,aAAa,CAAC,GACtC,QAAQ,MAAM,CAChB;EACA,MACE,eACA,QAAQ,KAAK,KAAK,MAAM,kBAAkB,CAAC,GAC3C,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,CAC9C;EACA,KACE,0BACA,MAAM,IAAI,OAAO,YAAY,GAC7B,MAAM,IAAI,OAAO,kBAAkB,GACnC,MAAM,IAAI,OAAO,kBAAkB,CACrC;CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,4BACA,YAAY,GAAG,WAAW,QAAQ,IAC9B,CACE,MAAM,kCAAkC,QAAQ,QAAQ,CAAC,GACzD,MAAM,gBAAgB,QAAQ,QAAQ,CAAC,CACzC,CAAC,CAAC,KAAK,IAAI,IACX,qEACN;CAGA,IAAI,OAAO,MAAM,SAAS,QACxB,IACE,yBACA,MAAM,cAAc,GAAG,OAAO,MAAM,SAAS,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CACjF;CACF,IAAI,OAAO,MAAM,UAAU,QACzB,IACE,0BACA,MAAM,0BAA0B,GAAG,OAAO,MAAM,UAAU,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CAC9F;CACF,IAAI,OAAO,MAAM,KAAK,QACpB,IACE,oBACA,MAAM,gBAAgB,GAAG,OAAO,MAAM,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CAC/E;CAEF,IACE,0BACA,CACE,MAAM,8CAA8C,QAAQ,UAAU,CAAC,GACvE,MAAM,gBAAgB,QAAQ,UAAU,CAAC,CAC3C,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IAAI,OAAO,SAAS,IAAI,cAAc,kBAAkB;CAExD,SAAS,KAAK,sCAAsC;CAEpD,MAAM,OAAO,GAAG,SAAS,KAAK,MAAM,EAAE;CAGtC,IAAI,CAAC,kBAAkB,KAAK,IAAI,GAC9B,MAAM,IAAI,MAAM,sDAAoD;CAEtE,OAAO;AACT"}

package/lib/run-BfF3Cwg7.d.ts

@@ -0,0 +1,18 @@
+import { n as Config } from "./config-CUyriGxm.js";
+
+//#region src/sandbox/run.d.ts
+/** Deterministic per-project profile path under TMPDIR. */
+declare function profilePath(projectDir?: string): string;
+/** Generate the profile file for the current project, return its path. */
+declare function generateProfile(config: Config, projectDir?: string): string;
+/** Options accepted by {@link runClaude}. */
+interface RunOptions {
+  configFile?: string | null;
+}
+/** Generate the profile and exec claude under sandbox-exec. Returns exit code. */
+declare function runClaude(config: Config, claudeArgs: string[], {
+  configFile
+}?: RunOptions): number;
+//#endregion
+export { runClaude as i, generateProfile as n, profilePath as r, RunOptions as t };
+//# sourceMappingURL=run-BfF3Cwg7.d.ts.map

package/lib/run-Dyp_hW97.js

@@ -0,0 +1,104 @@
+import { r as expandHome, t as HOME } from "./config-DXTNeUhH.js";
+import { n as detectPackagePaths, t as buildProfile } from "./profile-CxqsgezL.js";
+import { execFileSync, spawnSync } from "node:child_process";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+//#region src/sandbox/run.ts
+const TMPDIR = (process.env.TMPDIR || "/tmp").replace(/\/$/, "");
+/** Deterministic per-project profile path under TMPDIR. */
+function profilePath(projectDir = process.cwd()) {
+	const hash = crypto.createHash("sha256").update(projectDir).digest("hex").slice(0, 8);
+	return path.join(TMPDIR, `clabox-${path.basename(projectDir)}-${hash}.sb`);
+}
+function which(bin) {
+	try {
+		return execFileSync("command", ["-v", bin], {
+			shell: "/bin/sh",
+			encoding: "utf8"
+		}).trim() || null;
+	} catch {
+		return null;
+	}
+}
+function requireSandboxExec() {
+	if (!which("sandbox-exec")) throw new Error("sandbox-exec not found. This tool requires macOS with sandbox-exec.");
+}
+function resolveClaudeBin(config) {
+	const candidate = config.claudeBin || which("claude") || path.join(HOME, ".local/bin/claude");
+	if (!candidate || !fs.existsSync(candidate)) throw new Error(`claude not found at '${candidate}'`);
+	return candidate;
+}
+/** Generate the profile file for the current project, return its path. */
+function generateProfile(config, projectDir = process.cwd()) {
+	requireSandboxExec();
+	const file = profilePath(projectDir);
+	const text = buildProfile(config, {
+		projectDir,
+		detectedPaths: detectPackagePaths()
+	});
+	fs.writeFileSync(file, text);
+	return file;
+}
+/** Build the `env KEY=VALUE …` argument list forced onto the sandboxed claude. */
+function buildEnvArgs(config) {
+	const sshDir = expandHome(config.bot.sshDir);
+	const botKey = path.join(sshDir, "id_ed25519");
+	const botCfg = path.join(sshDir, "config");
+	const args = [
+		`PATH=${path.join(HOME, ".local/bin")}:${process.env.PATH || ""}`,
+		`CLAUDE_CONFIG_DIR=${expandHome(config.configDir)}`,
+		"DISABLE_AUTOUPDATER=1",
+		"NPM_CONFIG_USERCONFIG=/dev/null",
+		`GIT_AUTHOR_NAME=${config.bot.name}`,
+		`GIT_AUTHOR_EMAIL=${config.bot.email}`,
+		`GIT_COMMITTER_NAME=${config.bot.name}`,
+		`GIT_COMMITTER_EMAIL=${config.bot.email}`,
+		"GIT_CONFIG_COUNT=2",
+		"GIT_CONFIG_KEY_0=commit.gpgsign",
+		"GIT_CONFIG_VALUE_0=false",
+		"GIT_CONFIG_KEY_1=tag.gpgsign",
+		"GIT_CONFIG_VALUE_1=false"
+	];
+	if (fs.existsSync(botKey)) args.push(`GIT_SSH_COMMAND=ssh -F ${botCfg} -i ${botKey} -o IdentitiesOnly=yes -o IdentityAgent=none`);
+	return args;
+}
+/** Generate the profile and exec claude under sandbox-exec. Returns exit code. */
+function runClaude(config, claudeArgs, { configFile } = {}) {
+	const projectDir = process.cwd();
+	const claudeBin = resolveClaudeBin(config);
+	const profileFile = generateProfile(config, projectDir);
+	if (process.env.CLABOX_DEBUG) {
+		console.error(`→ Running Claude Code sandboxed in:  ${projectDir}`);
+		console.error(`→ Profile: ${profileFile}`);
+		console.error(`→ Config:  ${expandHome(config.configDir)}`);
+		if (configFile) console.error(`→ Config file: ${configFile}`);
+	}
+	const title = projectDir.startsWith(HOME) ? `~${projectDir.slice(HOME.length)}` : projectDir;
+	process.stdout.write(`\x1b]0;${title}\x07`);
+	const envArgs = buildEnvArgs(config);
+	const defaultArgs = Array.isArray(config.claudeArgs) ? config.claudeArgs : [];
+	const inner = [
+		"sandbox-exec",
+		"-f",
+		profileFile,
+		"env",
+		...envArgs,
+		claudeBin,
+		...defaultArgs,
+		...claudeArgs
+	];
+	const res = spawnSync("/bin/sh", [
+		"-c",
+		`${config.ulimitProcs > 0 ? `ulimit -u ${config.ulimitProcs} 2>/dev/null; ` : ""}exec "$@"`,
+		"sh",
+		...inner
+	], { stdio: "inherit" });
+	if (res.error) throw res.error;
+	if (res.signal) return 1;
+	return res.status ?? 0;
+}
+//#endregion
+export { profilePath as n, runClaude as r, generateProfile as t };
+
+//# sourceMappingURL=run-Dyp_hW97.js.map

package/lib/run-Dyp_hW97.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-Dyp_hW97.js","names":[],"sources":["../src/sandbox/run.ts"],"sourcesContent":["// Profile materialization + launching `claude` under sandbox-exec.\n\nimport { execFileSync, spawnSync } from 'node:child_process';\nimport crypto from 'node:crypto';\nimport fs from 'node:fs';\nimport path from 'node:path';\nimport { type Config, expandHome, HOME } from '../utils/config.js';\nimport { buildProfile, detectPackagePaths } from './profile.js';\n\nconst TMPDIR = (process.env.TMPDIR || '/tmp').replace(/\\/$/, '');\n\n/** Deterministic per-project profile path under TMPDIR. */\nexport function profilePath(projectDir: string = process.cwd()): string {\n  const hash = crypto.createHash('sha256').update(projectDir).digest('hex').slice(0, 8);\n  return path.join(TMPDIR, `clabox-${path.basename(projectDir)}-${hash}.sb`);\n}\n\nfunction which(bin: string): string | null {\n  try {\n    return (\n      execFileSync('command', ['-v', bin], { shell: '/bin/sh', encoding: 'utf8' }).trim() || null\n    );\n  } catch {\n    return null;\n  }\n}\n\nfunction requireSandboxExec(): void {\n  if (!which('sandbox-exec')) {\n    throw new Error('sandbox-exec not found. This tool requires macOS with sandbox-exec.');\n  }\n}\n\nfunction resolveClaudeBin(config: Config): string {\n  const candidate = config.claudeBin || which('claude') || path.join(HOME, '.local/bin/claude');\n  if (!candidate || !fs.existsSync(candidate)) {\n    throw new Error(`claude not found at '${candidate}'`);\n  }\n  return candidate;\n}\n\n/** Generate the profile file for the current project, return its path. */\nexport function generateProfile(config: Config, projectDir: string = process.cwd()): string {\n  requireSandboxExec();\n  const file = profilePath(projectDir);\n  const text = buildProfile(config, { projectDir, detectedPaths: detectPackagePaths() });\n  fs.writeFileSync(file, text);\n  return file;\n}\n\n/** Build the `env KEY=VALUE …` argument list forced onto the sandboxed claude. */\nfunction buildEnvArgs(config: Config): string[] {\n  const sshDir = expandHome(config.bot.sshDir);\n  const botKey = path.join(sshDir, 'id_ed25519');\n  const botCfg = path.join(sshDir, 'config');\n  const args = [\n    `PATH=${path.join(HOME, '.local/bin')}:${process.env.PATH || ''}`,\n    `CLAUDE_CONFIG_DIR=${expandHome(config.configDir)}`,\n    'DISABLE_AUTOUPDATER=1',\n    'NPM_CONFIG_USERCONFIG=/dev/null',\n    `GIT_AUTHOR_NAME=${config.bot.name}`,\n    `GIT_AUTHOR_EMAIL=${config.bot.email}`,\n    `GIT_COMMITTER_NAME=${config.bot.name}`,\n    `GIT_COMMITTER_EMAIL=${config.bot.email}`,\n    'GIT_CONFIG_COUNT=2',\n    'GIT_CONFIG_KEY_0=commit.gpgsign',\n    'GIT_CONFIG_VALUE_0=false',\n    'GIT_CONFIG_KEY_1=tag.gpgsign',\n    'GIT_CONFIG_VALUE_1=false',\n  ];\n  // Pin git ssh to the bot key only when it actually exists, so the sandbox\n  // stays usable without a dedicated bot key configured.\n  if (fs.existsSync(botKey)) {\n    args.push(\n      `GIT_SSH_COMMAND=ssh -F ${botCfg} -i ${botKey} -o IdentitiesOnly=yes -o IdentityAgent=none`,\n    );\n  }\n  return args;\n}\n\n/** Options accepted by {@link runClaude}. */\nexport interface RunOptions {\n  configFile?: string | null;\n}\n\n/** Generate the profile and exec claude under sandbox-exec. Returns exit code. */\nexport function runClaude(\n  config: Config,\n  claudeArgs: string[],\n  { configFile }: RunOptions = {},\n): number {\n  const projectDir = process.cwd();\n  const claudeBin = resolveClaudeBin(config);\n  const profileFile = generateProfile(config, projectDir);\n\n  if (process.env.CLABOX_DEBUG) {\n    console.error(`→ Running Claude Code sandboxed in:  ${projectDir}`);\n    console.error(`→ Profile: ${profileFile}`);\n    console.error(`→ Config:  ${expandHome(config.configDir)}`);\n    if (configFile) console.error(`→ Config file: ${configFile}`);\n  }\n\n  // Terminal title = cwd (with ~ for $HOME), matching the bash version.\n  const title = projectDir.startsWith(HOME) ? `~${projectDir.slice(HOME.length)}` : projectDir;\n  process.stdout.write(`\\x1b]0;${title}\\x07`);\n\n  const envArgs = buildEnvArgs(config);\n  const defaultArgs = Array.isArray(config.claudeArgs) ? config.claudeArgs : [];\n  const inner = [\n    'sandbox-exec',\n    '-f',\n    profileFile,\n    'env',\n    ...envArgs,\n    claudeBin,\n    ...defaultArgs,\n    ...claudeArgs,\n  ];\n\n  // `ulimit` is a shell builtin; run the whole thing under sh so we can set it.\n  // `exec \"$@\"` keeps argv intact without re-quoting (args start after $0=sh).\n  const ulimit = config.ulimitProcs > 0 ? `ulimit -u ${config.ulimitProcs} 2>/dev/null; ` : '';\n  const res = spawnSync('/bin/sh', ['-c', `${ulimit}exec \"$@\"`, 'sh', ...inner], {\n    stdio: 'inherit',\n  });\n  if (res.error) throw res.error;\n  if (res.signal) return 1;\n  return res.status ?? 0;\n}\n"],"mappings":";;;;;;;AASA,MAAM,UAAU,QAAQ,IAAI,UAAU,OAAA,CAAQ,QAAQ,OAAO,EAAE;;AAG/D,SAAgB,YAAY,aAAqB,QAAQ,IAAI,GAAW;CACtE,MAAM,OAAO,OAAO,WAAW,QAAQ,CAAC,CAAC,OAAO,UAAU,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,MAAM,GAAG,CAAC;CACpF,OAAO,KAAK,KAAK,QAAQ,UAAU,KAAK,SAAS,UAAU,EAAE,GAAG,KAAK,IAAI;AAC3E;AAEA,SAAS,MAAM,KAA4B;CACzC,IAAI;EACF,OACE,aAAa,WAAW,CAAC,MAAM,GAAG,GAAG;GAAE,OAAO;GAAW,UAAU;EAAO,CAAC,CAAC,CAAC,KAAK,KAAK;CAE3F,QAAQ;EACN,OAAO;CACT;AACF;AAEA,SAAS,qBAA2B;CAClC,IAAI,CAAC,MAAM,cAAc,GACvB,MAAM,IAAI,MAAM,qEAAqE;AAEzF;AAEA,SAAS,iBAAiB,QAAwB;CAChD,MAAM,YAAY,OAAO,aAAa,MAAM,QAAQ,KAAK,KAAK,KAAK,MAAM,mBAAmB;CAC5F,IAAI,CAAC,aAAa,CAAC,GAAG,WAAW,SAAS,GACxC,MAAM,IAAI,MAAM,wBAAwB,UAAU,EAAE;CAEtD,OAAO;AACT;;AAGA,SAAgB,gBAAgB,QAAgB,aAAqB,QAAQ,IAAI,GAAW;CAC1F,mBAAmB;CACnB,MAAM,OAAO,YAAY,UAAU;CACnC,MAAM,OAAO,aAAa,QAAQ;EAAE;EAAY,eAAe,mBAAmB;CAAE,CAAC;CACrF,GAAG,cAAc,MAAM,IAAI;CAC3B,OAAO;AACT;;AAGA,SAAS,aAAa,QAA0B;CAC9C,MAAM,SAAS,WAAW,OAAO,IAAI,MAAM;CAC3C,MAAM,SAAS,KAAK,KAAK,QAAQ,YAAY;CAC7C,MAAM,SAAS,KAAK,KAAK,QAAQ,QAAQ;CACzC,MAAM,OAAO;EACX,QAAQ,KAAK,KAAK,MAAM,YAAY,EAAE,GAAG,QAAQ,IAAI,QAAQ;EAC7D,qBAAqB,WAAW,OAAO,SAAS;EAChD;EACA;EACA,mBAAmB,OAAO,IAAI;EAC9B,oBAAoB,OAAO,IAAI;EAC/B,sBAAsB,OAAO,IAAI;EACjC,uBAAuB,OAAO,IAAI;EAClC;EACA;EACA;EACA;EACA;CACF;CAGA,IAAI,GAAG,WAAW,MAAM,GACtB,KAAK,KACH,0BAA0B,OAAO,MAAM,OAAO,6CAChD;CAEF,OAAO;AACT;;AAQA,SAAgB,UACd,QACA,YACA,EAAE,eAA2B,CAAC,GACtB;CACR,MAAM,aAAa,QAAQ,IAAI;CAC/B,MAAM,YAAY,iBAAiB,MAAM;CACzC,MAAM,cAAc,gBAAgB,QAAQ,UAAU;CAEtD,IAAI,QAAQ,IAAI,cAAc;EAC5B,QAAQ,MAAM,wCAAwC,YAAY;EAClE,QAAQ,MAAM,cAAc,aAAa;EACzC,QAAQ,MAAM,cAAc,WAAW,OAAO,SAAS,GAAG;EAC1D,IAAI,YAAY,QAAQ,MAAM,kBAAkB,YAAY;CAC9D;CAGA,MAAM,QAAQ,WAAW,WAAW,IAAI,IAAI,IAAI,WAAW,MAAM,KAAK,MAAM,MAAM;CAClF,QAAQ,OAAO,MAAM,UAAU,MAAM,KAAK;CAE1C,MAAM,UAAU,aAAa,MAAM;CACnC,MAAM,cAAc,MAAM,QAAQ,OAAO,UAAU,IAAI,OAAO,aAAa,CAAC;CAC5E,MAAM,QAAQ;EACZ;EACA;EACA;EACA;EACA,GAAG;EACH;EACA,GAAG;EACH,GAAG;CACL;CAKA,MAAM,MAAM,UAAU,WAAW;EAAC;EAAM,GADzB,OAAO,cAAc,IAAI,aAAa,OAAO,YAAY,kBAAkB,GACxC;EAAY;EAAM,GAAG;CAAK,GAAG,EAC7E,OAAO,UACT,CAAC;CACD,IAAI,IAAI,OAAO,MAAM,IAAI;CACzB,IAAI,IAAI,QAAQ,OAAO;CACvB,OAAO,IAAI,UAAU;AACvB"}

package/lib/sandbox/profile.d.ts

@@ -0,0 +1,2 @@
+import { a as ipcName, c as regex, i as globalName, l as subpath, n as buildProfile, o as literal, r as detectPackagePaths, s as reEscape, t as ProfileContext } from "../profile-Bw6L1MiV.js";
+export { ProfileContext, buildProfile, detectPackagePaths, globalName, ipcName, literal, reEscape, regex, subpath };

package/lib/sandbox/profile.js

@@ -0,0 +1,2 @@
+import { a as literal, c as subpath, i as ipcName, n as detectPackagePaths, o as reEscape, r as globalName, s as regex, t as buildProfile } from "../profile-CxqsgezL.js";
+export { buildProfile, detectPackagePaths, globalName, ipcName, literal, reEscape, regex, subpath };

package/lib/sandbox/run.d.ts

@@ -0,0 +1,2 @@
+import { i as runClaude, n as generateProfile, r as profilePath, t as RunOptions } from "../run-BfF3Cwg7.js";
+export { RunOptions, generateProfile, profilePath, runClaude };

package/lib/sandbox/run.js

@@ -0,0 +1,2 @@
+import { n as profilePath, r as runClaude, t as generateProfile } from "../run-Dyp_hW97.js";
+export { generateProfile, profilePath, runClaude };

package/lib/utils/config.d.ts

@@ -0,0 +1,2 @@
+import { a as PathRules, c as findConfigFile, i as LoadedConfig, l as loadConfig, n as Config, o as defaultConfig, r as HOME, s as expandHome, t as BotConfig, u as mergeConfig } from "../config-CUyriGxm.js";
+export { BotConfig, Config, HOME, LoadedConfig, PathRules, defaultConfig, expandHome, findConfigFile, loadConfig, mergeConfig };

package/lib/utils/config.js

@@ -0,0 +1,2 @@
+import { a as loadConfig, i as findConfigFile, n as defaultConfig, o as mergeConfig, r as expandHome, t as HOME } from "../config-DXTNeUhH.js";
+export { HOME, defaultConfig, expandHome, findConfigFile, loadConfig, mergeConfig };

package/package.json

@@ -1,12 +1,146 @@
 {
   "name": "clabox",
-  "version": "0.0.1",
-  "description": "",
-  "main": "index.js",
+  "version": "0.0.2",
+  "description": "Run Claude Code in a sandbox for super-safe YOLO mode",
+  "type": "module",
+  "author": "Igor Suvorov",
+  "license": "MIT",
+  "bin": {
+    "clabox": "lib/cli.js"
+  },
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./lib/index.js",
+      "types": "./lib/index.d.ts",
+      "default": "./lib/index.js"
+    },
+    "./cli": {
+      "import": "./lib/cli.js",
+      "types": "./lib/cli.d.ts",
+      "default": "./lib/cli.js"
+    },
+    "./config": {
+      "import": "./lib/utils/config.js",
+      "types": "./lib/utils/config.d.ts",
+      "default": "./lib/utils/config.js"
+    },
+    "./profile": {
+      "import": "./lib/sandbox/profile.js",
+      "types": "./lib/sandbox/profile.d.ts",
+      "default": "./lib/sandbox/profile.js"
+    },
+    "./run": {
+      "import": "./lib/sandbox/run.js",
+      "types": "./lib/sandbox/run.d.ts",
+      "default": "./lib/sandbox/run.js"
+    },
+    "./*": "./lib/*"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "lib",
+    "docs",
+    "clabox.config.example.mjs",
+    "README.md",
+    "LICENSE"
+  ],
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "build:tsdown": "tsdown",
+    "build:tsdown:release": "tsdown --out-dir lib",
+    "build": "bun run build:tsdown:release",
+    "dev": "tsdown --watch",
+    "cli": "bun run src/cli.ts",
+    "generate": "bun run src/cli.ts generate",
+    "test:unit": "bun test",
+    "test:unit:coverage": "bun test --coverage",
+    "test:unit:watch": "bun test --watch",
+    "test:types": "tsc --noEmit",
+    "test:lint": "biome lint",
+    "test:size": "size-limit",
+    "test": "bun run test:lint && bun run test:types && bun run test:unit && bun run test:size",
+    "fix:lint": "biome check --write",
+    "fix:lint:unsafe": "biome check --write --unsafe",
+    "fix": "bun run fix:lint",
+    "version:release": "semantic-release --no-ci --dry-run",
+    "release": "bun run build && bun run test && bun run version:release && npm publish"
+  },
+  "size-limit": [
+    {
+      "path": "lib/index.js",
+      "limit": "10 kb",
+      "ignore": [
+        "node:*"
+      ]
+    }
+  ],
+  "dependencies": {
+    "yargs": "^17.7.2"
+  },
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "plugins": [
+      "@semantic-release/commit-analyzer",
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/changelog",
+      [
+        "@semantic-release/npm",
+        {
+          "npmPublish": true
+        }
+      ],
+      "@semantic-release/github",
+      [
+        "@semantic-release/git",
+        {
+          "assets": [
+            "package.json",
+            "CHANGELOG.md",
+            "bun.lock"
+          ],
+          "message": "chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
+        }
+      ]
+    ]
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "keywords": [
+    "claude",
+    "claude-code",
+    "sandbox",
+    "seatbelt",
+    "sandbox-exec",
+    "macos",
+    "security",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ycmds/clabox.git"
+  },
+  "homepage": "https://github.com/ycmds/clabox#readme",
+  "bugs": {
+    "url": "https://github.com/ycmds/clabox/issues"
   },
-  "keywords": [],
-  "author": "",
-  "license": "ISC"
+  "devDependencies": {
+    "@biomejs/biome": "^2.5.0",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/git": "^10.0.1",
+    "@size-limit/preset-small-lib": "^12.1.0",
+    "@types/bun": "^1.3.14",
+    "@types/node": "^26.0.0",
+    "@types/yargs": "^17.0.35",
+    "semantic-release": "^25.0.5",
+    "size-limit": "^12.1.0",
+    "tsdown": "^0.22.3",
+    "typescript": "^6.0.3"
+  }
 }