clabox 0.0.1 → 0.1.0

package/lib/config-DQWueb4a.d.ts

@@ -0,0 +1,134 @@
+//#region src/utils/config.d.ts
+declare const HOME: string;
+/** Expand a leading `~` / `~/` to the user's home directory. */
+declare function expandHome(p: string): string;
+/** Dedicated git/ssh identity for commits made from inside the sandbox. */
+interface BotConfig {
+  name: string;
+  email: string;
+  /** If `${sshDir}/id_ed25519` exists, git ssh is pinned to it. */
+  sshDir: string;
+}
+/**
+ * Opt-in marker that turns a box into a standalone Ghostty app. When a box
+ * config carries an `app`, `clabox init` generates a Ghostty config for it and
+ * builds a cloned `<appsDir>/<name>.app` that launches `clabox -b <box>`.
+ */
+interface AppConfig {
+  /** App display name → `<appsDir>/<name>.app` + CFBundleName. */
+  name: string;
+  /** Ghostty window title. Defaults to {@link AppConfig.name}. */
+  title?: string;
+  /** Emoji for the generated Raycast command. Default: the title's leading emoji. */
+  emoji?: string;
+  /** Path to a `.icns`/`.png` icon for the .app. `.png` is converted. `~` ok. */
+  icon?: string;
+  /** Ghostty built-in `macos-icon` (e.g. `retro`, `holographic`). */
+  macosIcon?: string;
+  /** Extra raw `key = value` lines appended to the generated Ghostty config. */
+  ghostty?: Record<string, string>;
+  /** Bundle id. Default: `com.ghostty.custom.<name dot-joined>`. */
+  bundleId?: string;
+}
+/** Machine-wide settings for the `clabox init` Ghostty-app builder. */
+interface AppBuilderConfig {
+  /** Donor app to clone. `~` is expanded. */
+  ghosttyApp: string;
+  /** Where built apps land. `~` is expanded. */
+  appsDir: string;
+  /** codesign identity. null → ad-hoc (`codesign -s -`). */
+  signId: string | null;
+  /** Optional base Ghostty config emitted as a leading `config-file = …`. */
+  baseGhosttyConfig: string | null;
+  /** `clabox` binary baked into the generated `command`. null → autodetect. */
+  claboxBin: string | null;
+}
+/** Extra rules layered on top of the built-in base profile. */
+interface PathRules {
+  /** RW subpaths (beyond project dir + configDir + /tmp). */
+  readWrite: string[];
+  /** RO subpaths. */
+  readOnly: string[];
+  /** process-exec subpaths. */
+  exec: string[];
+  /** explicit deny subpaths (read + write). */
+  deny: string[];
+}
+/** Effective clabox configuration. */
+interface Config {
+  /**
+   * Working directory to run `claude` in (and grant RW as the project dir).
+   * null → the shell's CWD. Handy for named boxes that always target one
+   * project regardless of where `clabox` is invoked from. `~` is expanded.
+   */
+  cwd: string | null;
+  /** Path to the `claude` binary. null → autodetect (PATH, then ~/.local/bin). */
+  claudeBin: string | null;
+  /** Claude config/profile directory — supports multiple accounts. */
+  configDir: string;
+  /** Extra args always passed to `claude`, before any args from the CLI. */
+  claudeArgs: string[];
+  bot: BotConfig;
+  /**
+   * Extra environment variables forced onto the sandboxed `claude` process,
+   * layered over the inherited shell env and after the built-in hardening vars
+   * (so a key set here wins). Use it to pass secrets like `GITHUB_TOKEN`.
+   */
+  env: Record<string, string>;
+  /** Allow outbound network. `false` → no `(allow network*)` line. */
+  network: boolean;
+  /** Cap the process table inside the sandbox (fork-bomb guard). 0 → skip. */
+  ulimitProcs: number;
+  /** Extra directory granted read + execute inside the sandbox. null → disabled. */
+  hooksDir: string | null;
+  paths: PathRules;
+  /** Home subdirectories denied entirely (read + write). */
+  denyHome: string[];
+  /** Dotfile config dirs under $HOME denied entirely. */
+  denyDotConfigs: string[];
+  /**
+   * Opt-in: build a standalone Ghostty app for this box during `clabox init`.
+   * Absent → the box only gets a shell alias (the default).
+   */
+  app?: AppConfig;
+  /** Machine-wide settings for the `clabox init` Ghostty-app builder. */
+  appBuilder: AppBuilderConfig;
+}
+/** Built-in defaults. Everything here is meant to be overridable. */
+declare const defaultConfig: Config;
+/** Merge a (partial) override over a full config, returning a new config. */
+declare function mergeConfig(base: Config, override: unknown): Config;
+/**
+ * Locate a config file: explicit (CLI arg, then `CLABOX_CONFIG` env),
+ * then CWD, then ~/.config. The CLI arg wins over the env var.
+ */
+declare function findConfigFile(explicit?: string | null): string | null;
+/**
+ * Global directory holding named "box" configs (`<name>.config.mjs`), used by
+ * the `clabox --box <name>` / `-b` flag. Override with `CLABOX_CONFIGS_DIR`.
+ */
+declare function configsDir(): string;
+/** Named box configs (sorted, de-duplicated) available in {@link configsDir}. */
+declare function listBoxes(dir?: string): string[];
+/**
+ * Resolve a box name to its config file in {@link configsDir}, preferring
+ * `<name>.config.mjs` over a bare `<name>.mjs`.
+ *
+ * @throws if no matching file exists (the message lists the available boxes).
+ */
+declare function resolveBox(name: string, dir?: string): string;
+/** Result of {@link loadConfig}: the effective config and the file it came from. */
+interface LoadedConfig {
+  config: Config;
+  configFile: string | null;
+}
+/**
+ * Build the effective config: defaults ⊕ env ⊕ config file.
+ *
+ * @param explicitConfig optional config-file path (e.g. from `--config`);
+ *   takes precedence over `CLABOX_CONFIG` and the default lookup locations.
+ */
+declare function loadConfig(explicitConfig?: string | null): Promise<LoadedConfig>;
+//#endregion
+export { HOME as a, configsDir as c, findConfigFile as d, listBoxes as f, resolveBox as h, Config as i, defaultConfig as l, mergeConfig as m, AppConfig as n, LoadedConfig as o, loadConfig as p, BotConfig as r, PathRules as s, AppBuilderConfig as t, expandHome as u };
+//# sourceMappingURL=config-DQWueb4a.d.ts.map

package/lib/ghostty-Ca0g9P9P.js

@@ -0,0 +1,74 @@
+import path from "node:path";
+//#region src/init/ghostty.ts
+/** The `command = bash -c '…'` line that boots clabox for the box. */
+function buildCommand(opts) {
+	return `command = bash -c '${`${opts.projectDir ? `cd ${opts.projectDir} && ` : ""}CLABOX_CONFIGS_DIR=${opts.configsDir} ${opts.claboxBin} -b ${opts.boxName}; exec zsh`}'`;
+}
+/** Build the Ghostty config text for an app box. */
+function buildGhosttyConfig(opts) {
+	const { app } = opts;
+	const lines = ["# Generated by `clabox init` — do not edit; rerun it after changing the box config."];
+	if (opts.baseGhosttyConfig) lines.push(`config-file = ${opts.baseGhosttyConfig}`);
+	lines.push("", `title = "${app.title ?? app.name}"`);
+	if (app.macosIcon) lines.push(`macos-icon = ${app.macosIcon}`);
+	if (app.ghostty && Object.keys(app.ghostty).length > 0) {
+		lines.push("");
+		for (const [key, value] of Object.entries(app.ghostty)) lines.push(`${key} = ${value}`);
+	}
+	lines.push("", buildCommand(opts));
+	return `${lines.join("\n")}\n`;
+}
+/** Escape a string for embedding as a C double-quoted literal. */
+function cEscape(s) {
+	return s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+}
+/**
+* Build the C launcher source. It finds itself, locates `ghostty.real` next to
+* it, and re-execs it with `--config-file=<configPath>` prepended — so the clone
+* always boots with its own config regardless of how it's launched.
+*/
+function buildLauncherSource(configPath) {
+	return `// Generated by clabox init. Launches ghostty.real with a baked config.
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <libgen.h>
+#include <mach-o/dyld.h>
+
+static const char *CONFIG_PATH = "${cEscape(configPath)}";
+
+int main(int argc, char *argv[]) {
+    char path[4096];
+    uint32_t size = sizeof(path);
+    _NSGetExecutablePath(path, &size);
+
+    char *dir = dirname(path);
+    char real_path[4096];
+    snprintf(real_path, sizeof(real_path), "%s/ghostty.real", dir);
+
+    char config_arg[4096];
+    snprintf(config_arg, sizeof(config_arg), "--config-file=%s", CONFIG_PATH);
+
+    char **new_argv = malloc(sizeof(char *) * (argc + 2));
+    new_argv[0] = real_path;
+    new_argv[1] = config_arg;
+    for (int i = 1; i < argc; i++) new_argv[i + 1] = argv[i];
+    new_argv[argc + 1] = NULL;
+
+    execv(real_path, new_argv);
+    return 1;
+}
+`;
+}
+/** Absolute path to the built `.app` bundle. */
+function appBundlePath(appsDir, app) {
+	return path.join(appsDir, `${app.name}.app`);
+}
+/** Bundle identifier for the clone (explicit, or derived from the box name). */
+function bundleId(boxName, app) {
+	return app.bundleId ?? `com.ghostty.custom.${boxName.replace(/-/g, ".")}`;
+}
+//#endregion
+export { bundleId as a, buildLauncherSource as i, buildCommand as n, buildGhosttyConfig as r, appBundlePath as t };
+
+//# sourceMappingURL=ghostty-Ca0g9P9P.js.map

package/lib/ghostty-Ca0g9P9P.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ghostty-Ca0g9P9P.js","names":[],"sources":["../src/init/ghostty.ts"],"sourcesContent":["// Pure builders for the Ghostty-app artifacts emitted by `clabox init`.\n//\n// For a box that opts in via `app` (see AppConfig), `init` generates a Ghostty\n// config whose `command` launches `clabox -b <box>`, then clones Ghostty.app\n// with a tiny C launcher that bakes in `--config-file=<that config>`. Everything\n// here is text-only (no I/O) so it can be unit-tested without macOS; the actual\n// build lives in init/app.ts.\n\nimport path from 'node:path';\nimport type { AppConfig } from '../utils/config.js';\n\n/** Inputs for {@link buildGhosttyConfig} (all paths already absolute). */\nexport interface GhosttyConfigOptions {\n  app: AppConfig;\n  /** The `-b` box name this config launches. */\n  boxName: string;\n  /** Absolute project dir to `cd` into. null → don't `cd` (run in launch cwd). */\n  projectDir: string | null;\n  /** Absolute `CLABOX_CONFIGS_DIR` so `-b` resolves the box from any cwd. */\n  configsDir: string;\n  /** Absolute path to the `clabox` binary. */\n  claboxBin: string;\n  /** Absolute path to a base Ghostty config, emitted as a leading `config-file`. */\n  baseGhosttyConfig?: string | null;\n}\n\n/** The `command = bash -c '…'` line that boots clabox for the box. */\nexport function buildCommand(opts: GhosttyConfigOptions): string {\n  const cd = opts.projectDir ? `cd ${opts.projectDir} && ` : '';\n  const inner = `${cd}CLABOX_CONFIGS_DIR=${opts.configsDir} ${opts.claboxBin} -b ${opts.boxName}; exec zsh`;\n  return `command = bash -c '${inner}'`;\n}\n\n/** Build the Ghostty config text for an app box. */\nexport function buildGhosttyConfig(opts: GhosttyConfigOptions): string {\n  const { app } = opts;\n  const lines: string[] = [\n    '# Generated by `clabox init` — do not edit; rerun it after changing the box config.',\n  ];\n  if (opts.baseGhosttyConfig) lines.push(`config-file = ${opts.baseGhosttyConfig}`);\n  lines.push('', `title = \"${app.title ?? app.name}\"`);\n  if (app.macosIcon) lines.push(`macos-icon = ${app.macosIcon}`);\n  if (app.ghostty && Object.keys(app.ghostty).length > 0) {\n    lines.push('');\n    for (const [key, value] of Object.entries(app.ghostty)) lines.push(`${key} = ${value}`);\n  }\n  lines.push('', buildCommand(opts));\n  return `${lines.join('\\n')}\\n`;\n}\n\n/** Escape a string for embedding as a C double-quoted literal. */\nfunction cEscape(s: string): string {\n  return s.replace(/\\\\/g, '\\\\\\\\').replace(/\"/g, '\\\\\"');\n}\n\n/**\n * Build the C launcher source. It finds itself, locates `ghostty.real` next to\n * it, and re-execs it with `--config-file=<configPath>` prepended — so the clone\n * always boots with its own config regardless of how it's launched.\n */\nexport function buildLauncherSource(configPath: string): string {\n  return `// Generated by clabox init. Launches ghostty.real with a baked config.\n#include <stdio.h>\n#include <unistd.h>\n#include <stdlib.h>\n#include <libgen.h>\n#include <mach-o/dyld.h>\n\nstatic const char *CONFIG_PATH = \"${cEscape(configPath)}\";\n\nint main(int argc, char *argv[]) {\n    char path[4096];\n    uint32_t size = sizeof(path);\n    _NSGetExecutablePath(path, &size);\n\n    char *dir = dirname(path);\n    char real_path[4096];\n    snprintf(real_path, sizeof(real_path), \"%s/ghostty.real\", dir);\n\n    char config_arg[4096];\n    snprintf(config_arg, sizeof(config_arg), \"--config-file=%s\", CONFIG_PATH);\n\n    char **new_argv = malloc(sizeof(char *) * (argc + 2));\n    new_argv[0] = real_path;\n    new_argv[1] = config_arg;\n    for (int i = 1; i < argc; i++) new_argv[i + 1] = argv[i];\n    new_argv[argc + 1] = NULL;\n\n    execv(real_path, new_argv);\n    return 1;\n}\n`;\n}\n\n/** Absolute path to the built `.app` bundle. */\nexport function appBundlePath(appsDir: string, app: AppConfig): string {\n  return path.join(appsDir, `${app.name}.app`);\n}\n\n/** Bundle identifier for the clone (explicit, or derived from the box name). */\nexport function bundleId(boxName: string, app: AppConfig): string {\n  return app.bundleId ?? `com.ghostty.custom.${boxName.replace(/-/g, '.')}`;\n}\n"],"mappings":";;;AA2BA,SAAgB,aAAa,MAAoC;CAG/D,OAAO,sBAAsB,GAFlB,KAAK,aAAa,MAAM,KAAK,WAAW,QAAQ,GACvC,qBAAqB,KAAK,WAAW,GAAG,KAAK,UAAU,MAAM,KAAK,QAAQ,YAC3D;AACrC;;AAGA,SAAgB,mBAAmB,MAAoC;CACrE,MAAM,EAAE,QAAQ;CAChB,MAAM,QAAkB,CACtB,qFACF;CACA,IAAI,KAAK,mBAAmB,MAAM,KAAK,iBAAiB,KAAK,mBAAmB;CAChF,MAAM,KAAK,IAAI,YAAY,IAAI,SAAS,IAAI,KAAK,EAAE;CACnD,IAAI,IAAI,WAAW,MAAM,KAAK,gBAAgB,IAAI,WAAW;CAC7D,IAAI,IAAI,WAAW,OAAO,KAAK,IAAI,OAAO,CAAC,CAAC,SAAS,GAAG;EACtD,MAAM,KAAK,EAAE;EACb,KAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,IAAI,OAAO,GAAG,MAAM,KAAK,GAAG,IAAI,KAAK,OAAO;CACxF;CACA,MAAM,KAAK,IAAI,aAAa,IAAI,CAAC;CACjC,OAAO,GAAG,MAAM,KAAK,IAAI,EAAE;AAC7B;;AAGA,SAAS,QAAQ,GAAmB;CAClC,OAAO,EAAE,QAAQ,OAAO,MAAM,CAAC,CAAC,QAAQ,MAAM,MAAK;AACrD;;;;;;AAOA,SAAgB,oBAAoB,YAA4B;CAC9D,OAAO;;;;;;;oCAO2B,QAAQ,UAAU,EAAE;;;;;;;;;;;;;;;;;;;;;;;;AAwBxD;;AAGA,SAAgB,cAAc,SAAiB,KAAwB;CACrE,OAAO,KAAK,KAAK,SAAS,GAAG,IAAI,KAAK,KAAK;AAC7C;;AAGA,SAAgB,SAAS,SAAiB,KAAwB;CAChE,OAAO,IAAI,YAAY,sBAAsB,QAAQ,QAAQ,MAAM,GAAG;AACxE"}

package/lib/ghostty-DemKkfqf.d.ts

@@ -0,0 +1,34 @@
+import { n as AppConfig } from "./config-DQWueb4a.js";
+
+//#region src/init/ghostty.d.ts
+/** Inputs for {@link buildGhosttyConfig} (all paths already absolute). */
+interface GhosttyConfigOptions {
+  app: AppConfig;
+  /** The `-b` box name this config launches. */
+  boxName: string;
+  /** Absolute project dir to `cd` into. null → don't `cd` (run in launch cwd). */
+  projectDir: string | null;
+  /** Absolute `CLABOX_CONFIGS_DIR` so `-b` resolves the box from any cwd. */
+  configsDir: string;
+  /** Absolute path to the `clabox` binary. */
+  claboxBin: string;
+  /** Absolute path to a base Ghostty config, emitted as a leading `config-file`. */
+  baseGhosttyConfig?: string | null;
+}
+/** The `command = bash -c '…'` line that boots clabox for the box. */
+declare function buildCommand(opts: GhosttyConfigOptions): string;
+/** Build the Ghostty config text for an app box. */
+declare function buildGhosttyConfig(opts: GhosttyConfigOptions): string;
+/**
+ * Build the C launcher source. It finds itself, locates `ghostty.real` next to
+ * it, and re-execs it with `--config-file=<configPath>` prepended — so the clone
+ * always boots with its own config regardless of how it's launched.
+ */
+declare function buildLauncherSource(configPath: string): string;
+/** Absolute path to the built `.app` bundle. */
+declare function appBundlePath(appsDir: string, app: AppConfig): string;
+/** Bundle identifier for the clone (explicit, or derived from the box name). */
+declare function bundleId(boxName: string, app: AppConfig): string;
+//#endregion
+export { buildLauncherSource as a, buildGhosttyConfig as i, appBundlePath as n, bundleId as o, buildCommand as r, GhosttyConfigOptions as t };
+//# sourceMappingURL=ghostty-DemKkfqf.d.ts.map

package/lib/index.d.ts

@@ -0,0 +1,9 @@
+import { a as buildIndex, i as buildAliasFiles, n as InitFile, o as buildWrapper, r as aliasName, t as AliasPaths } from "./aliases-DXyz-ufw.js";
+import { a as HOME, c as configsDir, d as findConfigFile, f as listBoxes, h as resolveBox, i as Config, l as defaultConfig, m as mergeConfig, n as AppConfig, o as LoadedConfig, p as loadConfig, r as BotConfig, s as PathRules, t as AppBuilderConfig, u as expandHome } from "./config-DQWueb4a.js";
+import { i as canBuildApps, n as BuildAppResult, r as buildApp, t as BuildAppOptions } from "./app-CpuMtOoj.js";
+import { a as buildLauncherSource, i as buildGhosttyConfig, n as appBundlePath, o as bundleId, r as buildCommand, t as GhosttyConfigOptions } from "./ghostty-DemKkfqf.js";
+import { n as buildRaycastCommand, r as raycastIcon, t as RaycastCommandOptions } from "./raycast-DM7c559f.js";
+import { a as runInit, i as discoverProfiles, n as InitOptions, r as InitResult, t as BuiltApp } from "./scaffold-ByIbYAeS.js";
+import { a as ipcName, c as regex, i as globalName, l as subpath, n as buildProfile, o as literal, r as detectPackagePaths, s as reEscape, t as ProfileContext } from "./profile-BeM41NXc.js";
+import { a as resolveProjectDir, i as profilePath, o as runClaude, r as generateProfile, t as RunOptions } from "./run-Cx8cuTh5.js";
+export { type AliasPaths, type AppBuilderConfig, type AppConfig, type BotConfig, type BuildAppOptions, type BuildAppResult, type BuiltApp, type Config, type GhosttyConfigOptions, HOME, type InitFile, type InitOptions, type InitResult, type LoadedConfig, type PathRules, type ProfileContext, type RaycastCommandOptions, type RunOptions, aliasName, appBundlePath, buildAliasFiles, buildApp, buildCommand, buildGhosttyConfig, buildIndex, buildLauncherSource, buildProfile, buildRaycastCommand, buildWrapper, bundleId, canBuildApps, configsDir, defaultConfig, detectPackagePaths, discoverProfiles, expandHome, findConfigFile, generateProfile, globalName, ipcName, listBoxes, literal, loadConfig, mergeConfig, profilePath, raycastIcon, reEscape, regex, resolveBox, resolveProjectDir, runClaude, runInit, subpath };

package/lib/index.js

@@ -0,0 +1,9 @@
+import { a as findConfigFile, c as mergeConfig, i as expandHome, l as resolveBox, n as configsDir, o as listBoxes, r as defaultConfig, s as loadConfig, t as HOME } from "./config-BQ44iVWT.js";
+import { i as buildWrapper, n as buildAliasFiles, r as buildIndex, t as aliasName } from "./aliases-DKGcMHHe.js";
+import { a as bundleId, i as buildLauncherSource, n as buildCommand, r as buildGhosttyConfig, t as appBundlePath } from "./ghostty-Ca0g9P9P.js";
+import { n as canBuildApps, t as buildApp } from "./app-CieBa29D.js";
+import { n as raycastIcon, t as buildRaycastCommand } from "./raycast-BCdO2Se1.js";
+import { n as runInit, t as discoverProfiles } from "./scaffold-CRzC5KYe.js";
+import { a as literal, c as subpath, i as ipcName, n as detectPackagePaths, o as reEscape, r as globalName, s as regex, t as buildProfile } from "./profile-DM6NAgb-.js";
+import { a as runClaude, i as resolveProjectDir, n as generateProfile, r as profilePath } from "./run-CNehSQ-S.js";
+export { HOME, aliasName, appBundlePath, buildAliasFiles, buildApp, buildCommand, buildGhosttyConfig, buildIndex, buildLauncherSource, buildProfile, buildRaycastCommand, buildWrapper, bundleId, canBuildApps, configsDir, defaultConfig, detectPackagePaths, discoverProfiles, expandHome, findConfigFile, generateProfile, globalName, ipcName, listBoxes, literal, loadConfig, mergeConfig, profilePath, raycastIcon, reEscape, regex, resolveBox, resolveProjectDir, runClaude, runInit, subpath };

package/lib/init/aliases.d.ts

@@ -0,0 +1,2 @@
+import { a as buildIndex, i as buildAliasFiles, n as InitFile, o as buildWrapper, r as aliasName, t as AliasPaths } from "../aliases-DXyz-ufw.js";
+export { AliasPaths, InitFile, aliasName, buildAliasFiles, buildIndex, buildWrapper };

package/lib/init/aliases.js

@@ -0,0 +1,2 @@
+import { i as buildWrapper, n as buildAliasFiles, r as buildIndex, t as aliasName } from "../aliases-DKGcMHHe.js";
+export { aliasName, buildAliasFiles, buildIndex, buildWrapper };

package/lib/init/app.d.ts

@@ -0,0 +1,2 @@
+import { i as canBuildApps, n as BuildAppResult, r as buildApp, t as BuildAppOptions } from "../app-CpuMtOoj.js";
+export { BuildAppOptions, BuildAppResult, buildApp, canBuildApps };

package/lib/init/app.js

@@ -0,0 +1,2 @@
+import { n as canBuildApps, t as buildApp } from "../app-CieBa29D.js";
+export { buildApp, canBuildApps };

package/lib/init/ghostty.d.ts

@@ -0,0 +1,2 @@
+import { a as buildLauncherSource, i as buildGhosttyConfig, n as appBundlePath, o as bundleId, r as buildCommand, t as GhosttyConfigOptions } from "../ghostty-DemKkfqf.js";
+export { GhosttyConfigOptions, appBundlePath, buildCommand, buildGhosttyConfig, buildLauncherSource, bundleId };

package/lib/init/ghostty.js

@@ -0,0 +1,2 @@
+import { a as bundleId, i as buildLauncherSource, n as buildCommand, r as buildGhosttyConfig, t as appBundlePath } from "../ghostty-Ca0g9P9P.js";
+export { appBundlePath, buildCommand, buildGhosttyConfig, buildLauncherSource, bundleId };

package/lib/init/raycast.d.ts

@@ -0,0 +1,2 @@
+import { n as buildRaycastCommand, r as raycastIcon, t as RaycastCommandOptions } from "../raycast-DM7c559f.js";
+export { RaycastCommandOptions, buildRaycastCommand, raycastIcon };

package/lib/init/raycast.js

@@ -0,0 +1,2 @@
+import { n as raycastIcon, t as buildRaycastCommand } from "../raycast-BCdO2Se1.js";
+export { buildRaycastCommand, raycastIcon };

package/lib/init/scaffold.d.ts

@@ -0,0 +1,2 @@
+import { a as runInit, i as discoverProfiles, n as InitOptions, r as InitResult, t as BuiltApp } from "../scaffold-ByIbYAeS.js";
+export { BuiltApp, InitOptions, InitResult, discoverProfiles, runInit };

package/lib/init/scaffold.js

@@ -0,0 +1,2 @@
+import { n as runInit, t as discoverProfiles } from "../scaffold-CRzC5KYe.js";
+export { discoverProfiles, runInit };

package/lib/profile-BeM41NXc.d.ts

@@ -0,0 +1,29 @@
+import { i as Config } from "./config-DQWueb4a.js";
+
+//#region src/sandbox/profile.d.ts
+declare const subpath: (p: string) => string;
+declare const literal: (p: string) => string;
+declare const regex: (p: string) => string;
+declare const globalName: (n: string) => string;
+declare const ipcName: (n: string) => string;
+/** Escape a path for safe embedding inside an SBPL regex. */
+declare const reEscape: (s: string) => string;
+/** Detect installed package managers whose paths must be readable/executable. */
+declare function detectPackagePaths(): string[];
+/** Context needed to assemble a profile for a specific project. */
+interface ProfileContext {
+  projectDir: string;
+  detectedPaths?: string[];
+}
+/**
+ * Build the full SBPL profile text.
+ * @param config  effective config (see config.ts)
+ * @param ctx     { projectDir, detectedPaths }
+ */
+declare function buildProfile(config: Config, {
+  projectDir,
+  detectedPaths
+}: ProfileContext): string;
+//#endregion
+export { ipcName as a, regex as c, globalName as i, subpath as l, buildProfile as n, literal as o, detectPackagePaths as r, reEscape as s, ProfileContext as t };
+//# sourceMappingURL=profile-BeM41NXc.d.ts.map

package/lib/profile-DM6NAgb-.js

@@ -0,0 +1,100 @@
+import { i as expandHome, t as HOME } from "./config-BQ44iVWT.js";
+import path from "node:path";
+import fs from "node:fs";
+//#region src/sandbox/profile.ts
+const q = (s) => `"${String(s).replace(/"/g, "\\\"")}"`;
+const subpath = (p) => `(subpath ${q(p)})`;
+const literal = (p) => `(literal ${q(p)})`;
+const regex = (p) => `(regex ${q(p)})`;
+const globalName = (n) => `(global-name ${q(n)})`;
+const ipcName = (n) => `(ipc-posix-name ${q(n)})`;
+/** Escape a path for safe embedding inside an SBPL regex. */
+const reEscape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+function block(op, rules) {
+	return [
+		`(${op}`,
+		...rules.map((r) => `  ${r}`),
+		")"
+	].join("\n");
+}
+const allow = (op, ...rules) => block(`allow ${op}`, rules);
+const deny = (op, ...rules) => block(`deny ${op}`, rules);
+/** Detect installed package managers whose paths must be readable/executable. */
+function detectPackagePaths() {
+	const paths = [];
+	if (fs.existsSync("/opt/homebrew")) paths.push("/opt/homebrew");
+	else if (fs.existsSync("/usr/local/Homebrew")) paths.push("/usr/local/Homebrew");
+	const local = path.join(HOME, ".local");
+	if (fs.existsSync(local)) paths.push(local);
+	if (fs.existsSync("/nix/store")) paths.push("/nix/store");
+	return paths;
+}
+/**
+* Build the full SBPL profile text.
+* @param config  effective config (see config.ts)
+* @param ctx     { projectDir, detectedPaths }
+*/
+function buildProfile(config, { projectDir, detectedPaths = detectPackagePaths() }) {
+	const configDir = expandHome(config.configDir);
+	const sshDir = expandHome(config.bot.sshDir);
+	const hooksDir = config.hooksDir ? expandHome(config.hooksDir) : null;
+	const homeRe = reEscape(HOME);
+	const sections = [];
+	const add = (comment, body) => sections.push(`;; ---------- ${comment}\n${body}`);
+	sections.push([
+		";; ------------------------------------------------------------------",
+		";;  Claude Code macOS sandbox profile (autogenerated)",
+		";; ------------------------------------------------------------------",
+		"(version 1)",
+		"(deny default)"
+	].join("\n"));
+	add("introspection & sysctl", "(allow file-read-metadata)\n(allow sysctl-read)");
+	add("basic dir traversal", [
+		allow("file-read*", literal("/")),
+		allow("file-read*", literal("/private")),
+		allow("file-read-data", literal("/Users")),
+		allow("file-read-data", literal(HOME))
+	].join("\n"));
+	add("system runtime (read-only)", allow("file-read* file-map-executable", subpath("/System"), subpath("/usr"), subpath("/bin"), subpath("/sbin"), subpath("/Library/Frameworks"), subpath("/private/etc"), subpath("/var/db/dyld"), ...detectedPaths.map(subpath)));
+	add("Xcode / Command Line Tools (xcrun, git, etc.)", [allow("file-read* file-map-executable", subpath("/Library/Developer/CommandLineTools"), subpath("/Applications/Xcode.app")), allow("process-exec", subpath("/Library/Developer/CommandLineTools"), subpath("/Applications/Xcode.app"))].join("\n"));
+	const userPaths = detectedPaths.filter((p) => p.endsWith("/.local"));
+	add("global npm/pipx/cargo bins", userPaths.length ? userPaths.map((p) => allow("file-read*", subpath(p))).join("\n") : ";; No user package paths detected");
+	add("executable paths", allow("process-exec", subpath("/usr"), subpath("/System"), subpath("/bin"), subpath("/sbin"), literal("/usr/bin/env"), ...detectedPaths.map(subpath)));
+	add("temp dirs", allow("file-read* file-write*", subpath("/tmp"), subpath("/private/tmp"), regex("^/private/var/folders/")));
+	add("Claude config & token files", allow("file-read* file-write*", subpath(configDir)));
+	add("Claude auto-update (RO) -- suppress warnings", allow("file-read*", subpath(path.join(HOME, ".local/state/claude")), subpath(path.join(HOME, ".cache/claude"))));
+	add("time-zone & prefs (RO)", allow("file-read*", subpath("/private/var/db/timezone"), subpath("/Library/Preferences")));
+	add("/dev access (RO) + ioctl", [
+		allow("file-read*", literal("/dev")),
+		allow("file-read* file-write*", regex("^/dev/(tty.*|null|zero|dtracehelper)")),
+		allow("file-ioctl", literal("/dev/dtracehelper"), regex("^/dev/tty.*"))
+	].join("\n"));
+	add("mach-lookup services", allow("mach-lookup", globalName("com.apple.system.opendirectoryd.libinfo"), globalName("com.apple.SystemConfiguration.DNSConfiguration"), globalName("com.apple.coreservices.launchservicesd"), globalName("com.apple.CoreServices.coreservicesd"), globalName("com.apple.system.notification_center"), globalName("com.apple.logd"), globalName("com.apple.diagnosticd"), globalName("com.apple.lsd.mapdb"), globalName("com.apple.lsd.modifydb"), globalName("com.apple.coreservices.quarantine-resolver"), globalName("com.apple.pasteboard.pboard"), globalName("com.apple.pasteboard.1")));
+	add("Launch Services needed by /usr/bin/open", allow("mach-lookup", regex("^com\\.apple\\.lsd(\\..*)?$")));
+	add("Developer Tools (xcrun / libxcrun)", allow("mach-lookup", globalName("com.apple.dt.xcsecurity"), regex("^com\\.apple\\.dt\\..*$")));
+	add("Audio (afplay)", allow("mach-lookup", globalName("com.apple.audio.audiohald"), globalName("com.apple.audio.AudioComponentRegistrar")));
+	add("Notification Center shared-memory (RO)", allow("ipc-posix-shm-read-data", ipcName("apple.shm.notification_center")));
+	add("User-level preference reads (RO)", allow("file-read*", subpath(path.join(HOME, "Library/Preferences"))));
+	add("Keychain access (for OAuth)", [allow("file-read* file-write*", subpath(path.join(HOME, "Library/Keychains"))), allow("mach-lookup", globalName("com.apple.SecurityServer"), globalName("com.apple.security.agent"), globalName("com.apple.securityd"), globalName("com.apple.secd"), globalName("com.apple.trustd"), globalName("com.apple.trustd.agent"), globalName("com.apple.CoreAuthentication.daemon"))].join("\n"));
+	add("git config (RO)", allow("file-read*", literal(path.join(HOME, ".gitconfig")), literal(path.join(HOME, ".gitignore_global")), subpath(path.join(HOME, ".config/git"))));
+	add("soft privacy DENY list (overridable by explicit grants)", deny("file-read* file-write*", ...[...config.denyHome.map((d) => subpath(path.join(HOME, d))), ...config.paths.deny.map((p) => subpath(expandHome(p)))]));
+	add("SSH: bot key + known_hosts (personal keys hard-denied at the very end)", [allow("file-read*", literal(path.join(HOME, ".ssh")), literal(path.join(HOME, ".ssh/known_hosts")), literal(path.join(HOME, ".ssh/known_hosts2")), literal(path.join(HOME, ".ssh/config")), subpath(sshDir)), allow("file-write*", literal(path.join(HOME, ".ssh/known_hosts")), literal(path.join(HOME, ".ssh/known_hosts2")))].join("\n"));
+	add("claude hooks (RO + exec)", hooksDir && fs.existsSync(hooksDir) ? [allow("file-read* file-map-executable", subpath(hooksDir)), allow("process-exec", subpath(hooksDir))].join("\n") : ";; (no hooks dir; set config.hooksDir / CLABOX_HOOKS_DIR to enable)");
+	if (config.paths.readOnly.length) add("extra read-only paths", allow("file-read*", ...config.paths.readOnly.map((p) => subpath(expandHome(p)))));
+	if (config.paths.readWrite.length) add("extra read-write paths", allow("file-read* file-write*", ...config.paths.readWrite.map((p) => subpath(expandHome(p)))));
+	if (config.paths.exec.length) add("extra exec paths", allow("process-exec", ...config.paths.exec.map((p) => subpath(expandHome(p)))));
+	add("project workspace (RW)", [allow("file-read* file-write* file-map-executable", subpath(projectDir)), allow("process-exec", subpath(projectDir))].join("\n"));
+	const hardDeny = [];
+	if (config.denyDotConfigs.length) hardDeny.push(regex(`^${homeRe}/\\.(${config.denyDotConfigs.join("|")})($|/)`));
+	hardDeny.push(regex(`^${homeRe}/\\.ssh/id_`), regex(`^${homeRe}/\\.ssh/.*\\.pem$`), regex(`^${homeRe}/\\.ssh/.*\\.key$`));
+	add("hard secret DENY (always wins — credentials & private keys)", deny("file-read* file-write*", ...hardDeny));
+	if (config.network) add("networking", "(allow network*)");
+	sections.push("(allow process-fork)\n(allow lsopen)");
+	const text = `${sections.join("\n\n")}\n`;
+	if (!/^\(version 1\)/m.test(text)) throw new Error("generated sandbox profile is missing \"(version 1)\"");
+	return text;
+}
+//#endregion
+export { literal as a, subpath as c, ipcName as i, detectPackagePaths as n, reEscape as o, globalName as r, regex as s, buildProfile as t };
+
+//# sourceMappingURL=profile-DM6NAgb-.js.map

package/lib/profile-DM6NAgb-.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"profile-DM6NAgb-.js","names":[],"sources":["../src/sandbox/profile.ts"],"sourcesContent":["// Seatbelt (SBPL) profile generator.\n//\n// The old bash version baked the profile into a heredoc and patched it with\n// sed. Here the profile is assembled from small typed helpers, so the parts\n// you actually want to tweak live in config.ts as plain data.\n\nimport fs from 'node:fs';\nimport path from 'node:path';\nimport { type Config, expandHome, HOME } from '../utils/config.js';\n\n// ---- SBPL helpers ----------------------------------------------------------\n\n// Quote a literal string for SBPL. Only `\"` needs escaping; backslashes are\n// left as-is so regex patterns survive verbatim.\nconst q = (s: string): string => `\"${String(s).replace(/\"/g, '\\\\\"')}\"`;\n\nexport const subpath = (p: string): string => `(subpath ${q(p)})`;\nexport const literal = (p: string): string => `(literal ${q(p)})`;\nexport const regex = (p: string): string => `(regex ${q(p)})`;\nexport const globalName = (n: string): string => `(global-name ${q(n)})`;\nexport const ipcName = (n: string): string => `(ipc-posix-name ${q(n)})`;\n\n/** Escape a path for safe embedding inside an SBPL regex. */\nexport const reEscape = (s: string): string => s.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n\nfunction block(op: string, rules: string[]): string {\n  return [`(${op}`, ...rules.map((r) => `  ${r}`), ')'].join('\\n');\n}\nconst allow = (op: string, ...rules: string[]): string => block(`allow ${op}`, rules);\nconst deny = (op: string, ...rules: string[]): string => block(`deny ${op}`, rules);\n\n// ---- package-manager autodetection ----------------------------------------\n\n/** Detect installed package managers whose paths must be readable/executable. */\nexport function detectPackagePaths(): string[] {\n  const paths: string[] = [];\n  if (fs.existsSync('/opt/homebrew')) paths.push('/opt/homebrew');\n  else if (fs.existsSync('/usr/local/Homebrew')) paths.push('/usr/local/Homebrew');\n  const local = path.join(HOME, '.local');\n  if (fs.existsSync(local)) paths.push(local);\n  if (fs.existsSync('/nix/store')) paths.push('/nix/store');\n  return paths;\n}\n\n/** Context needed to assemble a profile for a specific project. */\nexport interface ProfileContext {\n  projectDir: string;\n  detectedPaths?: string[];\n}\n\n/**\n * Build the full SBPL profile text.\n * @param config  effective config (see config.ts)\n * @param ctx     { projectDir, detectedPaths }\n */\nexport function buildProfile(\n  config: Config,\n  { projectDir, detectedPaths = detectPackagePaths() }: ProfileContext,\n): string {\n  const configDir = expandHome(config.configDir);\n  const sshDir = expandHome(config.bot.sshDir);\n  const hooksDir = config.hooksDir ? expandHome(config.hooksDir) : null;\n  const homeRe = reEscape(HOME);\n\n  const sections: string[] = [];\n  const add = (comment: string, body: string) => sections.push(`;; ---------- ${comment}\\n${body}`);\n\n  sections.push(\n    [\n      ';; ------------------------------------------------------------------',\n      ';;  Claude Code macOS sandbox profile (autogenerated)',\n      ';; ------------------------------------------------------------------',\n      '(version 1)',\n      '(deny default)',\n    ].join('\\n'),\n  );\n\n  add('introspection & sysctl', '(allow file-read-metadata)\\n(allow sysctl-read)');\n\n  add(\n    'basic dir traversal',\n    [\n      allow('file-read*', literal('/')),\n      allow('file-read*', literal('/private')),\n      allow('file-read-data', literal('/Users')),\n      allow('file-read-data', literal(HOME)),\n    ].join('\\n'),\n  );\n\n  add(\n    'system runtime (read-only)',\n    allow(\n      'file-read* file-map-executable',\n      subpath('/System'),\n      subpath('/usr'),\n      subpath('/bin'),\n      subpath('/sbin'),\n      subpath('/Library/Frameworks'),\n      subpath('/private/etc'),\n      subpath('/var/db/dyld'),\n      ...detectedPaths.map(subpath),\n    ),\n  );\n\n  add(\n    'Xcode / Command Line Tools (xcrun, git, etc.)',\n    [\n      allow(\n        'file-read* file-map-executable',\n        subpath('/Library/Developer/CommandLineTools'),\n        subpath('/Applications/Xcode.app'),\n      ),\n      allow(\n        'process-exec',\n        subpath('/Library/Developer/CommandLineTools'),\n        subpath('/Applications/Xcode.app'),\n      ),\n    ].join('\\n'),\n  );\n\n  // global npm/pipx/cargo bins (user-installed)\n  const userPaths = detectedPaths.filter((p) => p.endsWith('/.local'));\n  add(\n    'global npm/pipx/cargo bins',\n    userPaths.length\n      ? userPaths.map((p) => allow('file-read*', subpath(p))).join('\\n')\n      : ';; No user package paths detected',\n  );\n\n  add(\n    'executable paths',\n    allow(\n      'process-exec',\n      subpath('/usr'),\n      subpath('/System'),\n      subpath('/bin'),\n      subpath('/sbin'),\n      literal('/usr/bin/env'),\n      ...detectedPaths.map(subpath),\n    ),\n  );\n\n  add(\n    'temp dirs',\n    allow(\n      'file-read* file-write*',\n      subpath('/tmp'),\n      subpath('/private/tmp'),\n      regex('^/private/var/folders/'),\n    ),\n  );\n\n  add('Claude config & token files', allow('file-read* file-write*', subpath(configDir)));\n\n  add(\n    'Claude auto-update (RO) -- suppress warnings',\n    allow(\n      'file-read*',\n      subpath(path.join(HOME, '.local/state/claude')),\n      subpath(path.join(HOME, '.cache/claude')),\n    ),\n  );\n\n  add(\n    'time-zone & prefs (RO)',\n    allow('file-read*', subpath('/private/var/db/timezone'), subpath('/Library/Preferences')),\n  );\n\n  add(\n    '/dev access (RO) + ioctl',\n    [\n      allow('file-read*', literal('/dev')),\n      allow('file-read* file-write*', regex('^/dev/(tty.*|null|zero|dtracehelper)')),\n      allow('file-ioctl', literal('/dev/dtracehelper'), regex('^/dev/tty.*')),\n    ].join('\\n'),\n  );\n\n  add(\n    'mach-lookup services',\n    allow(\n      'mach-lookup',\n      globalName('com.apple.system.opendirectoryd.libinfo'),\n      globalName('com.apple.SystemConfiguration.DNSConfiguration'),\n      globalName('com.apple.coreservices.launchservicesd'),\n      globalName('com.apple.CoreServices.coreservicesd'),\n      globalName('com.apple.system.notification_center'),\n      globalName('com.apple.logd'),\n      globalName('com.apple.diagnosticd'),\n      globalName('com.apple.lsd.mapdb'),\n      globalName('com.apple.lsd.modifydb'),\n      globalName('com.apple.coreservices.quarantine-resolver'),\n      globalName('com.apple.pasteboard.pboard'),\n      globalName('com.apple.pasteboard.1'),\n    ),\n  );\n\n  add(\n    'Launch Services needed by /usr/bin/open',\n    allow('mach-lookup', regex('^com\\\\.apple\\\\.lsd(\\\\..*)?$')),\n  );\n\n  add(\n    'Developer Tools (xcrun / libxcrun)',\n    allow('mach-lookup', globalName('com.apple.dt.xcsecurity'), regex('^com\\\\.apple\\\\.dt\\\\..*$')),\n  );\n\n  add(\n    'Audio (afplay)',\n    allow(\n      'mach-lookup',\n      globalName('com.apple.audio.audiohald'),\n      globalName('com.apple.audio.AudioComponentRegistrar'),\n    ),\n  );\n\n  add(\n    'Notification Center shared-memory (RO)',\n    allow('ipc-posix-shm-read-data', ipcName('apple.shm.notification_center')),\n  );\n\n  add(\n    'User-level preference reads (RO)',\n    allow('file-read*', subpath(path.join(HOME, 'Library/Preferences'))),\n  );\n\n  // Keychain RW so Claude can persist refreshed OAuth tokens (else ~24h → 401).\n  add(\n    'Keychain access (for OAuth)',\n    [\n      allow('file-read* file-write*', subpath(path.join(HOME, 'Library/Keychains'))),\n      allow(\n        'mach-lookup',\n        globalName('com.apple.SecurityServer'),\n        globalName('com.apple.security.agent'),\n        globalName('com.apple.securityd'),\n        globalName('com.apple.secd'),\n        globalName('com.apple.trustd'),\n        globalName('com.apple.trustd.agent'),\n        globalName('com.apple.CoreAuthentication.daemon'),\n      ),\n    ].join('\\n'),\n  );\n\n  add(\n    'git config (RO)',\n    allow(\n      'file-read*',\n      literal(path.join(HOME, '.gitconfig')),\n      literal(path.join(HOME, '.gitignore_global')),\n      subpath(path.join(HOME, '.config/git')),\n    ),\n  );\n\n  // Soft privacy DENY list — placed BEFORE the extra readOnly/readWrite and the\n  // project dir, so an explicit grant may override it (e.g. running on a project\n  // that lives under ~/Documents). The hard secret deny below is what's binding.\n  const softDeny = [\n    ...config.denyHome.map((d) => subpath(path.join(HOME, d))),\n    ...config.paths.deny.map((p) => subpath(expandHome(p))),\n  ];\n  add(\n    'soft privacy DENY list (overridable by explicit grants)',\n    deny('file-read* file-write*', ...softDeny),\n  );\n\n  add(\n    'SSH: bot key + known_hosts (personal keys hard-denied at the very end)',\n    [\n      allow(\n        'file-read*',\n        literal(path.join(HOME, '.ssh')),\n        literal(path.join(HOME, '.ssh/known_hosts')),\n        literal(path.join(HOME, '.ssh/known_hosts2')),\n        literal(path.join(HOME, '.ssh/config')),\n        subpath(sshDir),\n      ),\n      allow(\n        'file-write*',\n        literal(path.join(HOME, '.ssh/known_hosts')),\n        literal(path.join(HOME, '.ssh/known_hosts2')),\n      ),\n    ].join('\\n'),\n  );\n\n  add(\n    'claude hooks (RO + exec)',\n    hooksDir && fs.existsSync(hooksDir)\n      ? [\n          allow('file-read* file-map-executable', subpath(hooksDir)),\n          allow('process-exec', subpath(hooksDir)),\n        ].join('\\n')\n      : ';; (no hooks dir; set config.hooksDir / CLABOX_HOOKS_DIR to enable)',\n  );\n\n  // Extra user-supplied RO / RW / exec rules.\n  if (config.paths.readOnly.length)\n    add(\n      'extra read-only paths',\n      allow('file-read*', ...config.paths.readOnly.map((p) => subpath(expandHome(p)))),\n    );\n  if (config.paths.readWrite.length)\n    add(\n      'extra read-write paths',\n      allow('file-read* file-write*', ...config.paths.readWrite.map((p) => subpath(expandHome(p)))),\n    );\n  if (config.paths.exec.length)\n    add(\n      'extra exec paths',\n      allow('process-exec', ...config.paths.exec.map((p) => subpath(expandHome(p)))),\n    );\n\n  add(\n    'project workspace (RW)',\n    [\n      allow('file-read* file-write* file-map-executable', subpath(projectDir)),\n      allow('process-exec', subpath(projectDir)),\n    ].join('\\n'),\n  );\n\n  // Hard secret DENY — emitted LAST of all file rules so it wins even over a\n  // broad readOnly/readWrite or the project dir (SBPL = last matching rule\n  // wins). This is the binding invariant: personal credentials and private keys\n  // are never readable, however wide the grants above. Only the bot key subdir\n  // (allowed earlier, and not matched by these patterns) stays readable.\n  const hardDeny: string[] = [];\n  if (config.denyDotConfigs.length) {\n    hardDeny.push(regex(`^${homeRe}/\\\\.(${config.denyDotConfigs.join('|')})($|/)`));\n  }\n  hardDeny.push(\n    regex(`^${homeRe}/\\\\.ssh/id_`),\n    regex(`^${homeRe}/\\\\.ssh/.*\\\\.pem$`),\n    regex(`^${homeRe}/\\\\.ssh/.*\\\\.key$`),\n  );\n  add(\n    'hard secret DENY (always wins — credentials & private keys)',\n    deny('file-read* file-write*', ...hardDeny),\n  );\n\n  if (config.network) add('networking', '(allow network*)');\n\n  sections.push('(allow process-fork)\\n(allow lsopen)');\n\n  const text = `${sections.join('\\n\\n')}\\n`;\n\n  // Sanity-check before anyone feeds it to sandbox-exec.\n  if (!/^\\(version 1\\)/m.test(text)) {\n    throw new Error('generated sandbox profile is missing \"(version 1)\"');\n  }\n  return text;\n}\n"],"mappings":";;;;AAcA,MAAM,KAAK,MAAsB,IAAI,OAAO,CAAC,CAAC,CAAC,QAAQ,MAAM,MAAK,EAAE;AAEpE,MAAa,WAAW,MAAsB,YAAY,EAAE,CAAC,EAAE;AAC/D,MAAa,WAAW,MAAsB,YAAY,EAAE,CAAC,EAAE;AAC/D,MAAa,SAAS,MAAsB,UAAU,EAAE,CAAC,EAAE;AAC3D,MAAa,cAAc,MAAsB,gBAAgB,EAAE,CAAC,EAAE;AACtE,MAAa,WAAW,MAAsB,mBAAmB,EAAE,CAAC,EAAE;;AAGtE,MAAa,YAAY,MAAsB,EAAE,QAAQ,uBAAuB,MAAM;AAEtF,SAAS,MAAM,IAAY,OAAyB;CAClD,OAAO;EAAC,IAAI;EAAM,GAAG,MAAM,KAAK,MAAM,KAAK,GAAG;EAAG;CAAG,CAAC,CAAC,KAAK,IAAI;AACjE;AACA,MAAM,SAAS,IAAY,GAAG,UAA4B,MAAM,SAAS,MAAM,KAAK;AACpF,MAAM,QAAQ,IAAY,GAAG,UAA4B,MAAM,QAAQ,MAAM,KAAK;;AAKlF,SAAgB,qBAA+B;CAC7C,MAAM,QAAkB,CAAC;CACzB,IAAI,GAAG,WAAW,eAAe,GAAG,MAAM,KAAK,eAAe;MACzD,IAAI,GAAG,WAAW,qBAAqB,GAAG,MAAM,KAAK,qBAAqB;CAC/E,MAAM,QAAQ,KAAK,KAAK,MAAM,QAAQ;CACtC,IAAI,GAAG,WAAW,KAAK,GAAG,MAAM,KAAK,KAAK;CAC1C,IAAI,GAAG,WAAW,YAAY,GAAG,MAAM,KAAK,YAAY;CACxD,OAAO;AACT;;;;;;AAaA,SAAgB,aACd,QACA,EAAE,YAAY,gBAAgB,mBAAmB,KACzC;CACR,MAAM,YAAY,WAAW,OAAO,SAAS;CAC7C,MAAM,SAAS,WAAW,OAAO,IAAI,MAAM;CAC3C,MAAM,WAAW,OAAO,WAAW,WAAW,OAAO,QAAQ,IAAI;CACjE,MAAM,SAAS,SAAS,IAAI;CAE5B,MAAM,WAAqB,CAAC;CAC5B,MAAM,OAAO,SAAiB,SAAiB,SAAS,KAAK,iBAAiB,QAAQ,IAAI,MAAM;CAEhG,SAAS,KACP;EACE;EACA;EACA;EACA;EACA;CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IAAI,0BAA0B,iDAAiD;CAE/E,IACE,uBACA;EACE,MAAM,cAAc,QAAQ,GAAG,CAAC;EAChC,MAAM,cAAc,QAAQ,UAAU,CAAC;EACvC,MAAM,kBAAkB,QAAQ,QAAQ,CAAC;EACzC,MAAM,kBAAkB,QAAQ,IAAI,CAAC;CACvC,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,8BACA,MACE,kCACA,QAAQ,SAAS,GACjB,QAAQ,MAAM,GACd,QAAQ,MAAM,GACd,QAAQ,OAAO,GACf,QAAQ,qBAAqB,GAC7B,QAAQ,cAAc,GACtB,QAAQ,cAAc,GACtB,GAAG,cAAc,IAAI,OAAO,CAC9B,CACF;CAEA,IACE,iDACA,CACE,MACE,kCACA,QAAQ,qCAAqC,GAC7C,QAAQ,yBAAyB,CACnC,GACA,MACE,gBACA,QAAQ,qCAAqC,GAC7C,QAAQ,yBAAyB,CACnC,CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAGA,MAAM,YAAY,cAAc,QAAQ,MAAM,EAAE,SAAS,SAAS,CAAC;CACnE,IACE,8BACA,UAAU,SACN,UAAU,KAAK,MAAM,MAAM,cAAc,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,IAC/D,mCACN;CAEA,IACE,oBACA,MACE,gBACA,QAAQ,MAAM,GACd,QAAQ,SAAS,GACjB,QAAQ,MAAM,GACd,QAAQ,OAAO,GACf,QAAQ,cAAc,GACtB,GAAG,cAAc,IAAI,OAAO,CAC9B,CACF;CAEA,IACE,aACA,MACE,0BACA,QAAQ,MAAM,GACd,QAAQ,cAAc,GACtB,MAAM,wBAAwB,CAChC,CACF;CAEA,IAAI,+BAA+B,MAAM,0BAA0B,QAAQ,SAAS,CAAC,CAAC;CAEtF,IACE,gDACA,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,qBAAqB,CAAC,GAC9C,QAAQ,KAAK,KAAK,MAAM,eAAe,CAAC,CAC1C,CACF;CAEA,IACE,0BACA,MAAM,cAAc,QAAQ,0BAA0B,GAAG,QAAQ,sBAAsB,CAAC,CAC1F;CAEA,IACE,4BACA;EACE,MAAM,cAAc,QAAQ,MAAM,CAAC;EACnC,MAAM,0BAA0B,MAAM,sCAAsC,CAAC;EAC7E,MAAM,cAAc,QAAQ,mBAAmB,GAAG,MAAM,aAAa,CAAC;CACxE,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,wBACA,MACE,eACA,WAAW,yCAAyC,GACpD,WAAW,gDAAgD,GAC3D,WAAW,wCAAwC,GACnD,WAAW,sCAAsC,GACjD,WAAW,sCAAsC,GACjD,WAAW,gBAAgB,GAC3B,WAAW,uBAAuB,GAClC,WAAW,qBAAqB,GAChC,WAAW,wBAAwB,GACnC,WAAW,4CAA4C,GACvD,WAAW,6BAA6B,GACxC,WAAW,wBAAwB,CACrC,CACF;CAEA,IACE,2CACA,MAAM,eAAe,MAAM,6BAA6B,CAAC,CAC3D;CAEA,IACE,sCACA,MAAM,eAAe,WAAW,yBAAyB,GAAG,MAAM,yBAAyB,CAAC,CAC9F;CAEA,IACE,kBACA,MACE,eACA,WAAW,2BAA2B,GACtC,WAAW,yCAAyC,CACtD,CACF;CAEA,IACE,0CACA,MAAM,2BAA2B,QAAQ,+BAA+B,CAAC,CAC3E;CAEA,IACE,oCACA,MAAM,cAAc,QAAQ,KAAK,KAAK,MAAM,qBAAqB,CAAC,CAAC,CACrE;CAGA,IACE,+BACA,CACE,MAAM,0BAA0B,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,CAAC,GAC7E,MACE,eACA,WAAW,0BAA0B,GACrC,WAAW,0BAA0B,GACrC,WAAW,qBAAqB,GAChC,WAAW,gBAAgB,GAC3B,WAAW,kBAAkB,GAC7B,WAAW,wBAAwB,GACnC,WAAW,qCAAqC,CAClD,CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,mBACA,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,YAAY,CAAC,GACrC,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,GAC5C,QAAQ,KAAK,KAAK,MAAM,aAAa,CAAC,CACxC,CACF;CASA,IACE,2DACA,KAAK,0BAA0B,GAAG,CALlC,GAAG,OAAO,SAAS,KAAK,MAAM,QAAQ,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,GACzD,GAAG,OAAO,MAAM,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAIb,CAAC,CAC5C;CAEA,IACE,0EACA,CACE,MACE,cACA,QAAQ,KAAK,KAAK,MAAM,MAAM,CAAC,GAC/B,QAAQ,KAAK,KAAK,MAAM,kBAAkB,CAAC,GAC3C,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,GAC5C,QAAQ,KAAK,KAAK,MAAM,aAAa,CAAC,GACtC,QAAQ,MAAM,CAChB,GACA,MACE,eACA,QAAQ,KAAK,KAAK,MAAM,kBAAkB,CAAC,GAC3C,QAAQ,KAAK,KAAK,MAAM,mBAAmB,CAAC,CAC9C,CACF,CAAC,CAAC,KAAK,IAAI,CACb;CAEA,IACE,4BACA,YAAY,GAAG,WAAW,QAAQ,IAC9B,CACE,MAAM,kCAAkC,QAAQ,QAAQ,CAAC,GACzD,MAAM,gBAAgB,QAAQ,QAAQ,CAAC,CACzC,CAAC,CAAC,KAAK,IAAI,IACX,qEACN;CAGA,IAAI,OAAO,MAAM,SAAS,QACxB,IACE,yBACA,MAAM,cAAc,GAAG,OAAO,MAAM,SAAS,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CACjF;CACF,IAAI,OAAO,MAAM,UAAU,QACzB,IACE,0BACA,MAAM,0BAA0B,GAAG,OAAO,MAAM,UAAU,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CAC9F;CACF,IAAI,OAAO,MAAM,KAAK,QACpB,IACE,oBACA,MAAM,gBAAgB,GAAG,OAAO,MAAM,KAAK,KAAK,MAAM,QAAQ,WAAW,CAAC,CAAC,CAAC,CAAC,CAC/E;CAEF,IACE,0BACA,CACE,MAAM,8CAA8C,QAAQ,UAAU,CAAC,GACvE,MAAM,gBAAgB,QAAQ,UAAU,CAAC,CAC3C,CAAC,CAAC,KAAK,IAAI,CACb;CAOA,MAAM,WAAqB,CAAC;CAC5B,IAAI,OAAO,eAAe,QACxB,SAAS,KAAK,MAAM,IAAI,OAAO,OAAO,OAAO,eAAe,KAAK,GAAG,EAAE,OAAO,CAAC;CAEhF,SAAS,KACP,MAAM,IAAI,OAAO,YAAY,GAC7B,MAAM,IAAI,OAAO,kBAAkB,GACnC,MAAM,IAAI,OAAO,kBAAkB,CACrC;CACA,IACE,+DACA,KAAK,0BAA0B,GAAG,QAAQ,CAC5C;CAEA,IAAI,OAAO,SAAS,IAAI,cAAc,kBAAkB;CAExD,SAAS,KAAK,sCAAsC;CAEpD,MAAM,OAAO,GAAG,SAAS,KAAK,MAAM,EAAE;CAGtC,IAAI,CAAC,kBAAkB,KAAK,IAAI,GAC9B,MAAM,IAAI,MAAM,sDAAoD;CAEtE,OAAO;AACT"}

package/lib/raycast-BCdO2Se1.js

@@ -0,0 +1,35 @@
+//#region src/init/raycast.ts
+/** Single-quote a string for safe use in a POSIX shell. */
+function shellQuote(s) {
+	return `'${s.replace(/'/g, `'\\''`)}'`;
+}
+/**
+* The Raycast command icon: explicit `app.emoji`, else the title's leading
+* token when it isn't plain ASCII (i.e. an emoji), else the Ghostty 👻.
+*/
+function raycastIcon(app) {
+	if (app.emoji) return app.emoji;
+	const lead = (app.title ?? "").split(" ")[0];
+	if (lead && !/^[\x00-\x7F]*$/.test(lead)) return lead;
+	return "👻";
+}
+/** Build a Raycast script command that opens the box's built app. */
+function buildRaycastCommand({ app, appPath }) {
+	return `${[
+		"#!/bin/bash",
+		"# Generated by `clabox init`.",
+		"",
+		"# @raycast.schemaVersion 1",
+		`# @raycast.title ${app.title ?? app.name}`,
+		"# @raycast.mode silent",
+		`# @raycast.icon ${raycastIcon(app)}`,
+		"# @raycast.packageName Ghostty",
+		`# @raycast.description Open ${app.name} with Claude Code in Ghostty (clabox)`,
+		"",
+		`open ${shellQuote(appPath)}`
+	].join("\n")}\n`;
+}
+//#endregion
+export { raycastIcon as n, buildRaycastCommand as t };
+
+//# sourceMappingURL=raycast-BCdO2Se1.js.map

package/lib/raycast-BCdO2Se1.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"raycast-BCdO2Se1.js","names":[],"sources":["../src/init/raycast.ts"],"sourcesContent":["// Pure builder for the Raycast script commands emitted by `clabox init`.\n//\n// For each `app` box, `init` writes a Raycast script command (`@raycast.*`\n// metadata + `open <app>`) so the built bundle is launchable from Raycast —\n// modelled on the hand-written ghostty-*.sh examples. Text only; the fs I/O\n// lives in init/scaffold.ts.\n\nimport type { AppConfig } from '../utils/config.js';\n\n/** Inputs for {@link buildRaycastCommand}. */\nexport interface RaycastCommandOptions {\n  app: AppConfig;\n  /** Absolute path to the built `.app` to open. */\n  appPath: string;\n}\n\n/** Single-quote a string for safe use in a POSIX shell. */\nfunction shellQuote(s: string): string {\n  return `'${s.replace(/'/g, `'\\\\''`)}'`;\n}\n\n/**\n * The Raycast command icon: explicit `app.emoji`, else the title's leading\n * token when it isn't plain ASCII (i.e. an emoji), else the Ghostty 👻.\n */\nexport function raycastIcon(app: AppConfig): string {\n  if (app.emoji) return app.emoji;\n  const lead = (app.title ?? '').split(' ')[0];\n  // biome-ignore lint/suspicious/noControlCharactersInRegex: ASCII-range guard\n  if (lead && !/^[\\x00-\\x7F]*$/.test(lead)) return lead;\n  return '👻';\n}\n\n/** Build a Raycast script command that opens the box's built app. */\nexport function buildRaycastCommand({ app, appPath }: RaycastCommandOptions): string {\n  const title = app.title ?? app.name;\n  return `${[\n    '#!/bin/bash',\n    '# Generated by `clabox init`.',\n    '',\n    '# @raycast.schemaVersion 1',\n    `# @raycast.title ${title}`,\n    '# @raycast.mode silent',\n    `# @raycast.icon ${raycastIcon(app)}`,\n    '# @raycast.packageName Ghostty',\n    `# @raycast.description Open ${app.name} with Claude Code in Ghostty (clabox)`,\n    '',\n    `open ${shellQuote(appPath)}`,\n  ].join('\\n')}\\n`;\n}\n"],"mappings":";;AAiBA,SAAS,WAAW,GAAmB;CACrC,OAAO,IAAI,EAAE,QAAQ,MAAM,OAAO,EAAE;AACtC;;;;;AAMA,SAAgB,YAAY,KAAwB;CAClD,IAAI,IAAI,OAAO,OAAO,IAAI;CAC1B,MAAM,QAAQ,IAAI,SAAS,GAAA,CAAI,MAAM,GAAG,CAAC,CAAC;CAE1C,IAAI,QAAQ,CAAC,iBAAiB,KAAK,IAAI,GAAG,OAAO;CACjD,OAAO;AACT;;AAGA,SAAgB,oBAAoB,EAAE,KAAK,WAA0C;CAEnF,OAAO,GAAG;EACR;EACA;EACA;EACA;EACA,oBANY,IAAI,SAAS,IAAI;EAO7B;EACA,mBAAmB,YAAY,GAAG;EAClC;EACA,+BAA+B,IAAI,KAAK;EACxC;EACA,QAAQ,WAAW,OAAO;CAC5B,CAAC,CAAC,KAAK,IAAI,EAAE;AACf"}

package/lib/raycast-DM7c559f.d.ts

@@ -0,0 +1,22 @@
+import { n as AppConfig } from "./config-DQWueb4a.js";
+
+//#region src/init/raycast.d.ts
+/** Inputs for {@link buildRaycastCommand}. */
+interface RaycastCommandOptions {
+  app: AppConfig;
+  /** Absolute path to the built `.app` to open. */
+  appPath: string;
+}
+/**
+ * The Raycast command icon: explicit `app.emoji`, else the title's leading
+ * token when it isn't plain ASCII (i.e. an emoji), else the Ghostty 👻.
+ */
+declare function raycastIcon(app: AppConfig): string;
+/** Build a Raycast script command that opens the box's built app. */
+declare function buildRaycastCommand({
+  app,
+  appPath
+}: RaycastCommandOptions): string;
+//#endregion
+export { buildRaycastCommand as n, raycastIcon as r, RaycastCommandOptions as t };
+//# sourceMappingURL=raycast-DM7c559f.d.ts.map