clabox 0.0.2 → 0.1.1

package/README.md

@@ -43,6 +43,9 @@ clabox run --dangerously-skip-permissions
 # A different Claude profile
 CLAUDE_CONFIG_DIR=~/.claude_work clabox run --dangerously-skip-permissions
 
+# A named box from ~/.config/clabox/configs/<name>.config.mjs
+clabox -b ax-root --dangerously-skip-permissions
+
 # Debugging
 clabox generate            # build the profile, print the .sb path
 clabox profile             # just the path (no build)
@@ -86,6 +89,31 @@ export default {
 You may also export a function `(defaults) => config` for full control. `~` is
 expanded to `$HOME`.
 
+### Named boxes (`-b` / `--box`)
+
+Keep a directory of named configs and switch between them by name from anywhere:
+
+```bash
+# ~/.config/clabox/configs/ax-root.config.mjs
+clabox -b ax-root --dangerously-skip-permissions
+```
+
+`-b <name>` resolves `~/.config/clabox/configs/<name>.config.mjs` (falling back
+to a bare `<name>.mjs`) and loads it like `--config` — so it wins over `--config`
+/ `CLABOX_CONFIG`. Override the dir with `CLABOX_CONFIGS_DIR`. Files named
+`_*.mjs` are treated as shared partials (e.g. `_presets.mjs`), not boxes.
+
+A box can pin its own `cwd` so it always targets one project, no matter where you
+run `clabox` from:
+
+```js
+// ~/.config/clabox/configs/ax-root.config.mjs
+export default {
+  cwd: '~/projects/my-app', // claude runs here; this dir is the RW project dir
+  configDir: '~/.claude_axiomus',
+};
+```
+
 ### Environment variables
 
 | Variable | Purpose | Default |
@@ -95,6 +123,8 @@ expanded to `$HOME`.
 | `CLABOX_BOT_NAME` / `CLABOX_BOT_EMAIL` | git identity | `claudeBOT` / `bot@example.com` |
 | `CLABOX_BOT_SSH_DIR` | bot key dir (`id_ed25519`, `config`) | `~/.ssh/claudebot` |
 | `CLABOX_CONFIG` | path to the JS config file (the `--config` flag overrides it) | — |
+| `CLABOX_CONFIGS_DIR` | global dir of named boxes for `-b`/`--box <name>` (`<name>.config.mjs`) | `~/.config/clabox/configs` |
+| `CLABOX_CWD` | working dir to run `claude` in (also the RW project dir); `~` expanded | — (the shell CWD) |
 | `CLABOX_HOOKS_DIR` | hooks dir (RO + exec inside the sandbox) | — (off) |
 | `CLABOX_DEBUG` | print diagnostics on launch | — |
 | `TMPDIR` | where the generated profile is stored | `/tmp` |

package/clabox.config.example.mjs

@@ -5,6 +5,11 @@
 // a function `(defaults) => config` for full control. `~` is expanded to $HOME.
 
 export default {
+  // Working directory to run `claude` in (also granted RW as the project dir).
+  // null → the shell's CWD. Set it on a named box that should always target one
+  // project regardless of where you launch `clabox` from. `~` is expanded.
+  cwd: null, // e.g. '~/projects/my-app'
+
   // Which Claude profile/account to use.
   configDir: '~/.claude',
 
@@ -20,6 +25,15 @@ export default {
     sshDir: '~/.ssh/claudebot',
   },
 
+  // Extra environment variables forced onto the sandboxed `claude` process.
+  // Layered after the built-in vars (so a key here wins) and on top of the
+  // inherited shell env. Handy for secrets like GITHUB_TOKEN. Don't hard-code
+  // secrets in a config committed to the repo — read them from process.env, or
+  // keep this file in ~/.config/clabox/config.mjs (outside the project).
+  env: {
+    // GITHUB_TOKEN: process.env.MY_GH_TOKEN ?? '',
+  },
+
   // Outbound network (set false to cut it off entirely).
   network: true,
 
@@ -43,4 +57,34 @@ export default {
   // Dotfile config dirs under $HOME denied entirely (.config/git is re-allowed
   // read-only regardless, so git keeps working).
   denyDotConfigs: ['aws', 'gnupg', 'kube', 'docker', 'config'],
+
+  // Opt-in: turn this box into a standalone Ghostty app. With `app` present,
+  // `clabox init` writes a Ghostty config (with a `command` that runs
+  // `clabox -b <box>`), a Raycast command (`<dir>/raycast/<name>.sh` → opens the
+  // app), and clones Ghostty.app into <appsDir>/<name>.app. Omit `app` entirely
+  // on boxes that should only get a shell alias (the default).
+  // app: {
+  //   name: 'AX Manager',          // → ~/Applications/AX Manager.app
+  //   title: '🐈‍⬛ AX Manager',      // ghostty window title (default: name)
+  //   emoji: '🐈‍⬛',                 // Raycast icon (default: the title's emoji)
+  //   icon: '~/icons/ax.png',      // .icns or .png (.png is converted); .app icon
+  //   macosIcon: 'retro',          // ghostty built-in macos-icon
+  //   ghostty: {                   // extra raw `key = value` ghostty lines
+  //     background: '#0d1117',
+  //     'background-opacity': '0.92',
+  //   },
+  //   // bundleId: 'com.me.ax',    // default: com.ghostty.custom.<box-dotted>
+  // },
+
+  // Machine-wide settings for the `clabox init` Ghostty-app builder. Shared by
+  // every `app` box — handy to set once in a shared preset. Env overrides:
+  // CLABOX_GHOSTTY_APP, CLABOX_APPS_DIR, CLABOX_SIGN_ID,
+  // CLABOX_GHOSTTY_BASE_CONFIG, CLABOX_CLABOX_BIN.
+  appBuilder: {
+    ghosttyApp: '/Applications/Ghostty.app', // donor app to clone
+    appsDir: '~/Applications', // where built apps land
+    signId: null, // codesign identity; null → ad-hoc (`codesign -s -`)
+    baseGhosttyConfig: null, // optional leading `config-file = …`
+    claboxBin: null, // clabox path baked into `command`; null → autodetect
+  },
 };

package/docs/guideline.md

@@ -31,16 +31,26 @@ Guidelines for clabox — run Claude Code in a sandbox for super-safe YOLO mode,
 
 ```
 src/
-├── index.ts              # public API aggregator — re-exports config / profile / run
-├── cli.ts                # CLI entry (yargs): run / generate / profile → lib/cli.js (bin)
+├── index.ts              # public API aggregator — re-exports config / profile / run / init
+├── cli.ts                # CLI entry (yargs): run / generate / profile / init → lib/cli.js (bin)
 ├── sandbox/
 │   ├── profile.ts        # pure SBPL builder: buildProfile, detectPackagePaths,
 │   │                     #   subpath/literal/regex/globalName/ipcName/reEscape helpers
 │   └── run.ts            # I/O: profilePath, generateProfile, runClaude (sandbox-exec launch)
+├── init/
+│   ├── aliases.ts        # pure: aliasName, buildIndex, buildWrapper, buildAliasFiles
+│   ├── ghostty.ts        # pure: buildGhosttyConfig, buildCommand, buildLauncherSource,
+│   │                     #   appBundlePath, bundleId
+│   ├── raycast.ts        # pure: buildRaycastCommand, raycastIcon
+│   ├── app.ts            # I/O (macOS): buildApp, canBuildApps (clone Ghostty.app + sign)
+│   └── scaffold.ts       # I/O: discoverProfiles, runInit (scan configs → scripts + apps + raycast)
 └── utils/
-    └── config.ts         # defaultConfig, expandHome, mergeConfig, findConfigFile, loadConfig
+    └── config.ts         # defaultConfig, expandHome, mergeConfig, findConfigFile, loadConfig,
+                          #   configsDir/resolveBox/listBoxes (named-box resolution)
 tests/
-└── profile.test.ts       # bun:test — unit (profile text) + functional (real sandbox-exec)
+├── profile.test.ts       # bun:test — unit (profile text) + functional (real sandbox-exec)
+├── init.test.ts          # bun:test — alias/ghostty text + scaffold & app boxes (tmp-dir fs)
+└── box.test.ts           # bun:test — named-box resolution (tmp-dir fs)
 lib/                      # build output (tsdown) — gitignored
 docs/
 ├── guideline.md          # this file
@@ -63,6 +73,9 @@ bun run dev                   # tsdown --watch
 # Run
 bun run cli                   # bun run src/cli.ts  (pass args after `--`)
 bun run generate              # bun run src/cli.ts generate (build a profile, print its path)
+bun run cli -- init           # aliases per box + build Ghostty apps for `app` boxes
+bun run cli -- init --no-apps # aliases only (skip the Ghostty-app build)
+bun run cli -- init --app "AX Manager"  # (re)build just one app box
 
 # Testing
 bun run test                  # lint + types + unit + size (the full gate)
@@ -95,24 +108,37 @@ clabox run  →  loadConfig()  →  buildProfile()  →  <TMPDIR>/…sb
 ### `utils/config.ts`
 Builds the effective config in three layers (later wins): `defaultConfig` → env vars → a JS config file. `findConfigFile(explicit?)` looks up the explicit path (the `--config` CLI flag, falling back to `CLABOX_CONFIG`) → `./clabox.config.mjs` / `./clabox.config.js` → `~/.config/clabox/config.mjs`; the `--config` flag wins over `CLABOX_CONFIG`. `loadConfig(explicit?)` forwards that path, dynamically imports the file and accepts either a plain object (merged via `mergeConfig`, a deep merge over the defaults) or a function `(defaults) => config`. `expandHome()` expands a leading `~`. Exports the `Config`/`BotConfig`/`PathRules`/`LoadedConfig` types.
 
+**Named boxes.** `configsDir()` returns the global box dir (`~/.config/clabox/configs`, overridable via `CLABOX_CONFIGS_DIR`). `resolveBox(name, dir?)` maps a name to its config file there, preferring `<name>.config.mjs` over a bare `<name>.mjs` and throwing (with the available boxes listed) when none exists; a `_`-prefixed name is refused (it's a shared partial, not a box), so `-b` matches exactly what `listBoxes` advertises. `listBoxes(dir?)` returns the sorted, de-duplicated box names, skipping `_`-prefixed shared partials (e.g. `_presets.mjs`). The CLI's `-b`/`--box <name>` flag resolves the name and feeds the path to `loadConfig` as the explicit config (so `-b` wins over `--config`).
+
 ### `sandbox/profile.ts` (pure)
 Assembles the SBPL profile text from typed helpers (`subpath`, `literal`, `regex`, `globalName`, `ipcName`, `reEscape`) — no I/O beyond `fs.existsSync` for autodetection. `detectPackagePaths()` finds installed package managers (Homebrew `/opt/homebrew` or `/usr/local/Homebrew`, `~/.local`, Nix `/nix/store`) to grant read/exec. `buildProfile(config, { projectDir, detectedPaths })` returns the full profile and sanity-checks it carries `(version 1)`.
 
 ### `sandbox/run.ts` (I/O)
-`profilePath()` returns the deterministic `$TMPDIR/clabox-<dir>-<hash>.sb` path. `generateProfile()` requires `sandbox-exec`, builds the profile and writes it. `runClaude()` resolves the `claude` binary (config → PATH → `~/.local/bin/claude`), forces the bot git identity + hardening env (`buildEnvArgs`), sets the terminal title, and execs `sh -c 'ulimit -u N; exec sandbox-exec -f <sb> env … claude …'`, returning the exit code.
+`profilePath()` returns the deterministic `$TMPDIR/clabox-<dir>-<hash>.sb` path. `resolveProjectDir(config)` returns the effective project dir — `config.cwd` (with `~` expanded) when set, else `process.cwd()` — and is what `generateProfile`/`runClaude` default to. `generateProfile()` requires `sandbox-exec`, builds the profile and writes it. `runClaude()` resolves the project dir + `claude` binary (config → PATH → `~/.local/bin/claude`), forces the bot git identity + hardening env (`buildEnvArgs`, with `config.env` appended last so it wins), sets the terminal title, and execs `sh -c 'ulimit -u N; exec sandbox-exec -f <sb> env … claude …'` **in the resolved project dir** (`spawnSync` `cwd`), returning the exit code.
+
+### `init/aliases.ts` (pure) + `init/scaffold.ts` (I/O)
+`clabox init` turns a directory of box configs into ready-to-use shell commands. `aliases.ts` is pure text: `aliasName(profile)` yields `clabox-<name>`; `buildIndex()` renders the source-able `index.sh` (a `_clabox_run` helper that runs `CLABOX_CONFIGS_DIR=<configsDir> clabox -b "$1"` plus one function per box); `buildWrapper()` renders a standalone `.sh` that sources `index.sh` and calls one function; `buildAliasFiles()` returns the full file set. There is **one command per box** — yolo vs. safe is decided by the box's own preset (`claudeArgs`), not by a `-safe` alias. `scaffold.ts` does the I/O: `discoverProfiles(configsDir)` returns the sorted box names via `listBoxes` (both `<name>.mjs`/`<name>.config.mjs`, `_`-partials skipped; throws if the dir is missing or has no boxes), and `runInit({ baseDir, buildApps, only })` (async) resolves `<baseDir>/configs` + `<baseDir>/scripts` (default `<cwd>/__`), prunes its own prior artifacts (`index.sh`, `clabox-*.sh`), then writes the new ones `chmod +x`. Absolute paths are baked in so the scripts run from any cwd. It returns `{ profiles, written, apps, ghosttyConfigs, warnings, … }`.
+
+### `init/ghostty.ts` + `init/raycast.ts` (pure) + `init/app.ts` (I/O) — standalone Ghostty apps
+A box becomes a real macOS app by carrying an `app` object (`AppConfig`: `name`, `title?`, `emoji?`, `icon?`, `macosIcon?`, `ghostty?`, `bundleId?`). When `runInit` runs with `buildApps` (the default), it `loadConfig`s each box and, for every box with an `app`, writes `<baseDir>/ghostty/<name>.config`, a `<baseDir>/raycast/<name>.sh` Raycast command, and clones a `.app`. `ghostty.ts` is pure text: `buildGhosttyConfig()` renders the config (a `command = zsh -lic 'cd <cwd> && CLABOX_CONFIGS_DIR=<dir> <claboxBin> -b <name>; exec zsh'` — a **login + interactive** zsh so the GUI-launched app inherits the user's PATH (`/etc/zprofile`→`path_helper` for Homebrew, `~/.zshrc` for fnm/nvm/volta); a bare `bash -c` gets only launchd's minimal PATH and can't find `node` for clabox's `#!/usr/bin/env node` shebang — plus `title`/`macos-icon`/extra `app.ghostty` lines and an optional leading `config-file`); `buildLauncherSource()` renders a tiny C launcher that finds `ghostty.real` next to itself and re-execs it with `--config-file=<config>` baked in; `appBundlePath()`/`bundleId()` derive the bundle path/id. `raycast.ts` renders the Raycast script command (`buildRaycastCommand()`: `@raycast.*` metadata + `open <appPath>`; `raycastIcon()` picks `app.emoji`, else the title's leading emoji, else 👻). `app.ts` is the macOS-only I/O (replaces the old `ghostty-app-builder.sh`): `canBuildApps(builder)` gates on darwin + donor app + `cc`; `buildApp()` extracts the donor's entitlements, `cp -R` clones Ghostty.app into `<appsDir>/<name>.app`, patches `Info.plist` (identity + Sparkle off), swaps the binary for the compiled launcher, installs the icon (`.icns` copy or `.png`→`sips`+`iconutil`, plus `plutil -remove CFBundleIconName` — Ghostty's plist references an icon inside its compiled `Assets.car`, which macOS prefers over the loose `.icns`, so the name must be dropped for our icon to take effect), and `codesign`s (`appBuilder.signId`, else ad-hoc `-`). Machine-wide build settings live in `config.appBuilder` (`ghosttyApp`, `appsDir`, `signId`, `baseGhosttyConfig`, `claboxBin`). Builds are best-effort: a non-buildable host or a thrown build records a `warning` and the aliases (plus the ghostty config + raycast script) are still emitted. `init` prunes its own `<baseDir>/ghostty/*.config` and `<baseDir>/raycast/*.sh` on a full run (not under `--app`, which would orphan other apps' artifacts); built `.app` bundles are **not** auto-deleted.
 
 ### `cli.ts`
-The yargs CLI (`scriptName('clabox')`). Commands: `run [claudeArgs..]` (default), `generate`, `profile`. `unknown-options-as-args` keeps unknown flags as positionals so they pass straight through to `claude` (e.g. `--dangerously-skip-permissions`). The one clabox-owned flag is `--config <path>` (a JS config file that overrides `CLABOX_CONFIG`), forwarded to `loadConfig()` by `run` and `generate`.
+The yargs CLI (`scriptName('clabox')`). Commands: `run [claudeArgs..]` (default), `generate`, `profile`, `init`. `unknown-options-as-args` keeps unknown flags as positionals so they pass straight through to `claude` (e.g. `--dangerously-skip-permissions`). clabox-owned flags: `--config <path>` (a JS config file that overrides `CLABOX_CONFIG`) and `-b`/`--box <name>` (a named box from the global configs dir; resolved via `resolveBox` and winning over `--config`) — both forwarded to `loadConfig()` by `run` and `generate` through the `explicitConfig(argv)` helper. (`-b` deliberately avoids `-p`/`-c`/`-r`/`-d`/`-v`, which are claude's own `--print`/`--continue`/`--resume`/`--debug`/`--verbose`.) `init` takes `--dir <path>` (the base dir holding `configs/` and `scripts/`, default `./__`), `--no-apps` (skip the Ghostty-app build), and `--app <box|name>` ((re)build a single app box, by box name or `app.name`).
 
 ### What the profile allows and denies
 - **Read-only:** system dirs (`/System`, `/usr`, `/bin`, `/sbin`, `/Library/Frameworks`), Command Line Tools / Xcode, tzdata, system + user `Library/Preferences`, detected package paths.
-- **Read-write:** the project dir (CWD), the Claude config dir (`configDir`), `/tmp`, `/private/tmp`, `/private/var/folders/…`, `~/Library/Keychains` (OAuth refresh), plus `paths.readWrite`.
+- **Read-write:** the project dir (`config.cwd` if set, else the shell CWD), the Claude config dir (`configDir`), `/tmp`, `/private/tmp`, `/private/var/folders/…`, `~/Library/Keychains` (OAuth refresh), plus `paths.readWrite`.
 - **Network:** `(allow network*)` when `network: true` (default).
-- **Explicit deny — wins over the allows:** `denyHome` (`~/Documents`, `~/Desktop`, …), `denyDotConfigs` (`~/.aws`, `~/.gnupg`, `~/.kube`, `~/.docker`, `~/.config`) with a carve-out for `~/.config/git`, and personal SSH keys `~/.ssh/id_*`, `*.pem`, `*.key`. Only the bot key subdir (`bot.sshDir`) is readable.
+- **Two deny tiers** (Seatbelt evaluates rules in order — the *last* match wins — so placement is deliberate):
+  - **Soft privacy deny (overridable):** `denyHome` (`~/Documents`, `~/Desktop`, …) and `paths.deny`, emitted *before* the extra `readOnly`/`readWrite` and the project dir. An explicit grant therefore overrides it — handy for a project that lives under `~/Documents`, or a debug box that wants `readOnly: ['/']` to roam the disk.
+  - **Hard secret deny (always wins):** `denyDotConfigs` (`~/.aws`, `~/.gnupg`, `~/.kube`, `~/.docker`, `~/.config`) and personal SSH keys `~/.ssh/id_*`, `*.pem`, `*.key`, emitted as the **very last file rule** — after every allow, the extra paths and the project dir. No `readOnly`/`readWrite` grant can re-expose these. Only the bot key subdir (`bot.sshDir`, not matched by the patterns) stays readable. (The `~/.config/git` RO carve-out is shadowed by the hard deny on `~/.config`; git still reads `~/.gitconfig` outside `~/.config`.)
 
 ### Git/ssh bot identity
 `ulimit -u <ulimitProcs>` (fork-bomb guard, `0` to disable); `GIT_AUTHOR_*` / `GIT_COMMITTER_*` from `bot.name`/`bot.email`; if `bot.sshDir/id_ed25519` exists, `GIT_SSH_COMMAND` is pinned to it (`IdentitiesOnly=yes`, `IdentityAgent=none`); gpg signing disabled; `NPM_CONFIG_USERCONFIG=/dev/null`; `DISABLE_AUTOUPDATER=1`.
 
+### Passing environment variables
+`sandbox-exec` restricts files and network, not the environment, and `runClaude` spawns through `/bin/sh` without an `env` option — so the sandboxed `claude` **inherits the parent shell env** (e.g. `export GITHUB_TOKEN=… && clabox`). For a declarative alternative, `config.env` (a `KEY=VALUE` map) is appended **last** in `buildEnvArgs`, so it layers over both the inherited env and the built-in hardening vars and a colliding key wins. Don't hard-code secrets in a repo-committed `clabox.config.mjs` (the project dir is mounted RW and readable from inside): read them from `process.env`, or keep the config in `~/.config/clabox/config.mjs`. Anything in the env is readable by `claude` and, with `network: true`, exfiltratable.
+
 ## Lint
 
 Biome (`biome.json`), scoped to `src/**/*.ts` + `tests/**/*.ts`:
@@ -136,10 +162,10 @@ Both workflows run on `macos-latest` so the functional tests can exercise the re
 ## Package Exports
 
 ```typescript
-import { loadConfig, buildProfile, runClaude } from 'clabox';        // lib/index.js
+import { loadConfig, buildProfile, runClaude, runInit } from 'clabox'; // lib/index.js
 import { loadConfig, defaultConfig, mergeConfig } from 'clabox/config'; // lib/utils/config.js
 import { buildProfile, detectPackagePaths } from 'clabox/profile';   // lib/sandbox/profile.js
-import { generateProfile, profilePath, runClaude } from 'clabox/run'; // lib/sandbox/run.js
+import { generateProfile, profilePath, resolveProjectDir, runClaude } from 'clabox/run'; // lib/sandbox/run.js
 // CLI entry: clabox/cli (lib/cli.js) — also the `clabox` bin
 ```
 
@@ -148,11 +174,18 @@ import { generateProfile, profilePath, runClaude } from 'clabox/run'; // lib/san
 | Variable | Purpose | Default |
 |---|---|---|
 | `CLAUDE_CONFIG_DIR` | Claude config/profile dir (multi-account); passed through to `claude` | `~/.claude` |
+| `CLABOX_CWD` | working dir to run `claude` in (also the RW project dir); `~` expanded | — (the shell CWD) |
 | `CLABOX_CLAUDE_BIN` | path to the `claude` binary | PATH, then `~/.local/bin/claude` |
 | `CLABOX_BOT_NAME` / `CLABOX_BOT_EMAIL` | git identity inside the sandbox | `claudeBOT` / `bot@example.com` |
 | `CLABOX_BOT_SSH_DIR` | bot key dir (`id_ed25519`, `config`) | `~/.ssh/claudebot` |
 | `CLABOX_CONFIG` | path to the JS config file (the `--config` flag overrides it) | — |
+| `CLABOX_CONFIGS_DIR` | global dir of named boxes for `-b`/`--box <name>` (`<name>.config.mjs`) | `~/.config/clabox/configs` |
 | `CLABOX_HOOKS_DIR` | hooks dir (RO + exec inside the sandbox) | — (off) |
+| `CLABOX_GHOSTTY_APP` | donor app cloned by `init` for `app` boxes (`config.appBuilder.ghosttyApp`) | `/Applications/Ghostty.app` |
+| `CLABOX_APPS_DIR` | where `init` writes built `.app`s (`config.appBuilder.appsDir`) | `~/Applications` |
+| `CLABOX_SIGN_ID` | codesign identity for built apps (`config.appBuilder.signId`); unset → ad-hoc | — |
+| `CLABOX_GHOSTTY_BASE_CONFIG` | leading `config-file = …` in generated Ghostty configs | — |
+| `CLABOX_CLABOX_BIN` | `clabox` path baked into the Ghostty `command` (`config.appBuilder.claboxBin`) | autodetect |
 | `CLABOX_DEBUG` | print profile/config/dir diagnostics on launch | — |
 | `TMPDIR` | where the generated profile is stored | `/tmp` |
 

package/lib/aliases-DKGcMHHe.js

@@ -0,0 +1,60 @@
+import path from "node:path";
+//#region src/init/aliases.ts
+/** The `clabox-<name>` command name for a box. */
+function aliasName(profile) {
+	return `clabox-${profile}`;
+}
+/** Build the source-able `index.sh` defining one function per box. */
+function buildIndex(profiles, { configsDir, scriptsDir }) {
+	const indexPath = path.join(scriptsDir, "index.sh");
+	const usage = profiles.map((p) => `#   ${aliasName(p)}`);
+	const defs = profiles.map((p) => `${aliasName(p)}() { _clabox_run ${p} "$@"; }`);
+	return `${[
+		"#!/usr/bin/env bash",
+		"# Generated by `clabox init` — do not edit; rerun it after changing the configs dir.",
+		"#",
+		"# Source this from ~/.zshrc or ~/.bashrc:",
+		`#   source ${indexPath}`,
+		"#",
+		"# Commands (run from any cwd). yolo vs. safe is set by each box's preset:",
+		...usage,
+		"",
+		"_clabox_run() {",
+		`  CLABOX_CONFIGS_DIR="${configsDir}" clabox -b "$1" "\${@:2}"`,
+		"}",
+		"",
+		...defs
+	].join("\n")}\n`;
+}
+/** Build a standalone wrapper script that sources `index.sh` and calls one fn. */
+function buildWrapper(fnName, indexPath) {
+	return `${[
+		"#!/usr/bin/env bash",
+		"# Generated by `clabox init`.",
+		"set -euo pipefail",
+		`source "${indexPath}"`,
+		`${fnName} "$@"`
+	].join("\n")}\n`;
+}
+/** All files `clabox init` writes: the `index.sh` plus a wrapper per box. */
+function buildAliasFiles(profiles, paths) {
+	const indexPath = path.join(paths.scriptsDir, "index.sh");
+	const files = [{
+		path: indexPath,
+		content: buildIndex(profiles, paths),
+		executable: true
+	}];
+	for (const p of profiles) {
+		const fn = aliasName(p);
+		files.push({
+			path: path.join(paths.scriptsDir, `${fn}.sh`),
+			content: buildWrapper(fn, indexPath),
+			executable: true
+		});
+	}
+	return files;
+}
+//#endregion
+export { buildWrapper as i, buildAliasFiles as n, buildIndex as r, aliasName as t };
+
+//# sourceMappingURL=aliases-DKGcMHHe.js.map

package/lib/aliases-DKGcMHHe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aliases-DKGcMHHe.js","names":[],"sources":["../src/init/aliases.ts"],"sourcesContent":["// Pure builder for the shell aliases emitted by `clabox init`.\n//\n// For each box config (`<name>.mjs` / `<name>.config.mjs`) it produces one\n// command `clabox-<name>` that runs that box. Whether it runs yolo or asks for\n// confirmation is decided by the box's own preset (its `claudeArgs`), not here.\n// Plus an `index.sh` defining them all as shell functions to `source`.\n\nimport path from 'node:path';\n\n/** A file to be written by `clabox init`. */\nexport interface InitFile {\n  /** Absolute path to write. */\n  path: string;\n  /** File contents. */\n  content: string;\n  /** Whether to `chmod +x` after writing. */\n  executable: boolean;\n}\n\n/** Absolute locations for the generated artifacts. */\nexport interface AliasPaths {\n  /** Dir holding the box config files. */\n  configsDir: string;\n  /** Dir to emit `index.sh` and the per-box wrappers into. */\n  scriptsDir: string;\n}\n\n/** The `clabox-<name>` command name for a box. */\nexport function aliasName(profile: string): string {\n  return `clabox-${profile}`;\n}\n\n/** Build the source-able `index.sh` defining one function per box. */\nexport function buildIndex(profiles: string[], { configsDir, scriptsDir }: AliasPaths): string {\n  const indexPath = path.join(scriptsDir, 'index.sh');\n  const usage = profiles.map((p) => `#   ${aliasName(p)}`);\n  const defs = profiles.map((p) => `${aliasName(p)}() { _clabox_run ${p} \"$@\"; }`);\n  return `${[\n    '#!/usr/bin/env bash',\n    '# Generated by `clabox init` — do not edit; rerun it after changing the configs dir.',\n    '#',\n    '# Source this from ~/.zshrc or ~/.bashrc:',\n    `#   source ${indexPath}`,\n    '#',\n    \"# Commands (run from any cwd). yolo vs. safe is set by each box's preset:\",\n    ...usage,\n    '',\n    '_clabox_run() {',\n    // Point `-b` at this dir so resolveBox picks the right .mjs/.config.mjs file.\n    `  CLABOX_CONFIGS_DIR=\"${configsDir}\" clabox -b \"$1\" \"\\${@:2}\"`,\n    '}',\n    '',\n    ...defs,\n  ].join('\\n')}\\n`;\n}\n\n/** Build a standalone wrapper script that sources `index.sh` and calls one fn. */\nexport function buildWrapper(fnName: string, indexPath: string): string {\n  return `${[\n    '#!/usr/bin/env bash',\n    '# Generated by `clabox init`.',\n    'set -euo pipefail',\n    `source \"${indexPath}\"`,\n    `${fnName} \"$@\"`,\n  ].join('\\n')}\\n`;\n}\n\n/** All files `clabox init` writes: the `index.sh` plus a wrapper per box. */\nexport function buildAliasFiles(profiles: string[], paths: AliasPaths): InitFile[] {\n  const indexPath = path.join(paths.scriptsDir, 'index.sh');\n  const files: InitFile[] = [\n    { path: indexPath, content: buildIndex(profiles, paths), executable: true },\n  ];\n  for (const p of profiles) {\n    const fn = aliasName(p);\n    files.push({\n      path: path.join(paths.scriptsDir, `${fn}.sh`),\n      content: buildWrapper(fn, indexPath),\n      executable: true,\n    });\n  }\n  return files;\n}\n"],"mappings":";;;AA4BA,SAAgB,UAAU,SAAyB;CACjD,OAAO,UAAU;AACnB;;AAGA,SAAgB,WAAW,UAAoB,EAAE,YAAY,cAAkC;CAC7F,MAAM,YAAY,KAAK,KAAK,YAAY,UAAU;CAClD,MAAM,QAAQ,SAAS,KAAK,MAAM,OAAO,UAAU,CAAC,GAAG;CACvD,MAAM,OAAO,SAAS,KAAK,MAAM,GAAG,UAAU,CAAC,EAAE,mBAAmB,EAAE,SAAS;CAC/E,OAAO,GAAG;EACR;EACA;EACA;EACA;EACA,cAAc;EACd;EACA;EACA,GAAG;EACH;EACA;EAEA,yBAAyB,WAAW;EACpC;EACA;EACA,GAAG;CACL,CAAC,CAAC,KAAK,IAAI,EAAE;AACf;;AAGA,SAAgB,aAAa,QAAgB,WAA2B;CACtE,OAAO,GAAG;EACR;EACA;EACA;EACA,WAAW,UAAU;EACrB,GAAG,OAAO;CACZ,CAAC,CAAC,KAAK,IAAI,EAAE;AACf;;AAGA,SAAgB,gBAAgB,UAAoB,OAA+B;CACjF,MAAM,YAAY,KAAK,KAAK,MAAM,YAAY,UAAU;CACxD,MAAM,QAAoB,CACxB;EAAE,MAAM;EAAW,SAAS,WAAW,UAAU,KAAK;EAAG,YAAY;CAAK,CAC5E;CACA,KAAK,MAAM,KAAK,UAAU;EACxB,MAAM,KAAK,UAAU,CAAC;EACtB,MAAM,KAAK;GACT,MAAM,KAAK,KAAK,MAAM,YAAY,GAAG,GAAG,IAAI;GAC5C,SAAS,aAAa,IAAI,SAAS;GACnC,YAAY;EACd,CAAC;CACH;CACA,OAAO;AACT"}

package/lib/aliases-DXyz-ufw.d.ts

@@ -0,0 +1,31 @@
+//#region src/init/aliases.d.ts
+/** A file to be written by `clabox init`. */
+interface InitFile {
+  /** Absolute path to write. */
+  path: string;
+  /** File contents. */
+  content: string;
+  /** Whether to `chmod +x` after writing. */
+  executable: boolean;
+}
+/** Absolute locations for the generated artifacts. */
+interface AliasPaths {
+  /** Dir holding the box config files. */
+  configsDir: string;
+  /** Dir to emit `index.sh` and the per-box wrappers into. */
+  scriptsDir: string;
+}
+/** The `clabox-<name>` command name for a box. */
+declare function aliasName(profile: string): string;
+/** Build the source-able `index.sh` defining one function per box. */
+declare function buildIndex(profiles: string[], {
+  configsDir,
+  scriptsDir
+}: AliasPaths): string;
+/** Build a standalone wrapper script that sources `index.sh` and calls one fn. */
+declare function buildWrapper(fnName: string, indexPath: string): string;
+/** All files `clabox init` writes: the `index.sh` plus a wrapper per box. */
+declare function buildAliasFiles(profiles: string[], paths: AliasPaths): InitFile[];
+//#endregion
+export { buildIndex as a, buildAliasFiles as i, InitFile as n, buildWrapper as o, aliasName as r, AliasPaths as t };
+//# sourceMappingURL=aliases-DXyz-ufw.d.ts.map

package/lib/app-CQmESEdh.js

@@ -0,0 +1,254 @@
+import { i as expandHome } from "./config-BQ44iVWT.js";
+import { a as bundleId, i as buildLauncherSource, t as appBundlePath } from "./ghostty-DcMEZ6Ey.js";
+import path from "node:path";
+import { execFileSync } from "node:child_process";
+import fs from "node:fs";
+import os from "node:os";
+//#region src/init/app.ts
+function run(cmd, args) {
+	execFileSync(cmd, args, { stdio: [
+		"ignore",
+		"ignore",
+		"pipe"
+	] });
+}
+function has(bin) {
+	try {
+		execFileSync("command", ["-v", bin], {
+			shell: "/bin/sh",
+			stdio: "ignore"
+		});
+		return true;
+	} catch {
+		return false;
+	}
+}
+/** True when the host can build apps (macOS with the donor app + a C compiler). */
+function canBuildApps(builder) {
+	if (process.platform !== "darwin") return {
+		ok: false,
+		reason: "not macOS"
+	};
+	if (!fs.existsSync(expandHome(builder.ghosttyApp))) return {
+		ok: false,
+		reason: `Ghostty not found at ${builder.ghosttyApp}`
+	};
+	if (!has("cc")) return {
+		ok: false,
+		reason: "no C compiler (cc) — install Xcode CLT"
+	};
+	return { ok: true };
+}
+/** Extract the donor app's entitlements to a tmp file, or null if it has none. */
+function extractEntitlements(ghosttyApp, tmpDir) {
+	let xml;
+	try {
+		xml = execFileSync("codesign", [
+			"-d",
+			"--entitlements",
+			"-",
+			"--xml",
+			ghosttyApp
+		], {
+			encoding: "utf8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		});
+	} catch {
+		return null;
+	}
+	const start = xml.indexOf("<?xml");
+	if (start < 0) return null;
+	const file = path.join(tmpDir, "entitlements.xml");
+	fs.writeFileSync(file, xml.slice(start));
+	return file;
+}
+/** Name of the icon resource referenced by the bundle (default Ghostty.icns). */
+function iconResourceName(plist) {
+	try {
+		const name = execFileSync("plutil", [
+			"-extract",
+			"CFBundleIconFile",
+			"raw",
+			plist
+		], {
+			encoding: "utf8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			]
+		}).trim();
+		return name.endsWith(".icns") ? name : `${name}.icns`;
+	} catch {
+		return "Ghostty.icns";
+	}
+}
+/** Convert a PNG into a multi-resolution .icns at `out`. */
+function pngToIcns(png, out, tmpDir) {
+	const iconset = path.join(tmpDir, "icon.iconset");
+	fs.mkdirSync(iconset, { recursive: true });
+	for (const size of [
+		16,
+		32,
+		128,
+		256,
+		512
+	]) {
+		run("sips", [
+			"-z",
+			`${size}`,
+			`${size}`,
+			png,
+			"--out",
+			path.join(iconset, `icon_${size}x${size}.png`)
+		]);
+		const d = size * 2;
+		run("sips", [
+			"-z",
+			`${d}`,
+			`${d}`,
+			png,
+			"--out",
+			path.join(iconset, `icon_${size}x${size}@2x.png`)
+		]);
+	}
+	run("iconutil", [
+		"-c",
+		"icns",
+		iconset,
+		"-o",
+		out
+	]);
+}
+/** Install the box icon into the cloned bundle, if `app.icon` is set. */
+function installIcon(app, appPath, tmpDir) {
+	if (!app.icon) return;
+	const icon = expandHome(app.icon);
+	if (!fs.existsSync(icon)) throw new Error(`icon not found: ${app.icon}`);
+	const plist = path.join(appPath, "Contents", "Info.plist");
+	const dest = path.join(appPath, "Contents", "Resources", iconResourceName(plist));
+	if (icon.endsWith(".icns")) fs.copyFileSync(icon, dest);
+	else if (icon.endsWith(".png")) pngToIcns(icon, dest, tmpDir);
+	else throw new Error(`unsupported icon type (need .icns/.png): ${app.icon}`);
+	try {
+		run("plutil", [
+			"-remove",
+			"CFBundleIconName",
+			plist
+		]);
+	} catch {}
+}
+/**
+* Build the standalone Ghostty app for a box. Throws on any failure (the caller
+* decides whether to abort or carry on with the other boxes).
+*/
+function buildApp(opts) {
+	const { app, builder, boxName, configPath } = opts;
+	const check = canBuildApps(builder);
+	if (!check.ok) throw new Error(`cannot build app: ${check.reason}`);
+	const ghosttyApp = expandHome(builder.ghosttyApp);
+	const appsDir = expandHome(builder.appsDir);
+	const appPath = appBundlePath(appsDir, app);
+	const plist = path.join(appPath, "Contents", "Info.plist");
+	const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "clabox-app-"));
+	try {
+		const entitlements = extractEntitlements(ghosttyApp, tmpDir);
+		fs.mkdirSync(appsDir, { recursive: true });
+		fs.rmSync(appPath, {
+			recursive: true,
+			force: true
+		});
+		run("cp", [
+			"-R",
+			ghosttyApp,
+			appPath
+		]);
+		run("plutil", [
+			"-replace",
+			"CFBundleIdentifier",
+			"-string",
+			bundleId(boxName, app),
+			plist
+		]);
+		run("plutil", [
+			"-replace",
+			"CFBundleName",
+			"-string",
+			app.name,
+			plist
+		]);
+		run("plutil", [
+			"-replace",
+			"CFBundleDisplayName",
+			"-string",
+			app.name,
+			plist
+		]);
+		run("plutil", [
+			"-replace",
+			"CFBundleExecutable",
+			"-string",
+			"ghostty",
+			plist
+		]);
+		run("plutil", [
+			"-replace",
+			"SUEnableAutomaticChecks",
+			"-bool",
+			"NO",
+			plist
+		]);
+		try {
+			run("plutil", [
+				"-replace",
+				"SUFeedURL",
+				"-string",
+				"",
+				plist
+			]);
+		} catch {}
+		const bin = path.join(appPath, "Contents", "MacOS", "ghostty");
+		fs.renameSync(bin, `${bin}.real`);
+		const src = path.join(tmpDir, "launcher.c");
+		fs.writeFileSync(src, buildLauncherSource(configPath));
+		run("cc", [
+			"-o",
+			bin,
+			src
+		]);
+		installIcon(app, appPath, tmpDir);
+		const signId = builder.signId;
+		const entArgs = entitlements ? ["--entitlements", entitlements] : [];
+		const idArgs = signId ? ["--sign", signId] : ["--sign", "-"];
+		run("codesign", [
+			"--force",
+			...idArgs,
+			...entArgs,
+			`${bin}.real`
+		]);
+		run("codesign", [
+			"--force",
+			"--deep",
+			...idArgs,
+			...entArgs,
+			appPath
+		]);
+		return {
+			appPath,
+			signed: signId ? "identity" : "adhoc"
+		};
+	} finally {
+		fs.rmSync(tmpDir, {
+			recursive: true,
+			force: true
+		});
+	}
+}
+//#endregion
+export { canBuildApps as n, installIcon as r, buildApp as t };
+
+//# sourceMappingURL=app-CQmESEdh.js.map

package/lib/app-CQmESEdh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-CQmESEdh.js","names":[],"sources":["../src/init/app.ts"],"sourcesContent":["// I/O for the `clabox init` Ghostty-app builder (macOS-only).\n//\n// Clones Ghostty.app into `<appsDir>/<name>.app`, swaps the binary for a tiny\n// compiled launcher that bakes in `--config-file=<config>`, sets the icon,\n// disables Sparkle, and re-signs. Mirrors the old ghostty-app-builder.sh. The\n// pure text builders live in init/ghostty.ts.\n\nimport { execFileSync } from 'node:child_process';\nimport fs from 'node:fs';\nimport os from 'node:os';\nimport path from 'node:path';\nimport { type AppBuilderConfig, type AppConfig, expandHome } from '../utils/config.js';\nimport { appBundlePath, buildLauncherSource, bundleId } from './ghostty.js';\n\n/** Inputs for {@link buildApp}. */\nexport interface BuildAppOptions {\n  /** The `-b` box name (drives the default bundle id). */\n  boxName: string;\n  app: AppConfig;\n  builder: AppBuilderConfig;\n  /** Absolute path to the already-written Ghostty config to bake in. */\n  configPath: string;\n}\n\n/** Result of a successful {@link buildApp}. */\nexport interface BuildAppResult {\n  appPath: string;\n  signed: 'identity' | 'adhoc';\n}\n\nfunction run(cmd: string, args: string[]): void {\n  execFileSync(cmd, args, { stdio: ['ignore', 'ignore', 'pipe'] });\n}\n\nfunction has(bin: string): boolean {\n  try {\n    execFileSync('command', ['-v', bin], { shell: '/bin/sh', stdio: 'ignore' });\n    return true;\n  } catch {\n    return false;\n  }\n}\n\n/** True when the host can build apps (macOS with the donor app + a C compiler). */\nexport function canBuildApps(builder: AppBuilderConfig): { ok: boolean; reason?: string } {\n  if (process.platform !== 'darwin') return { ok: false, reason: 'not macOS' };\n  if (!fs.existsSync(expandHome(builder.ghosttyApp))) {\n    return { ok: false, reason: `Ghostty not found at ${builder.ghosttyApp}` };\n  }\n  if (!has('cc')) return { ok: false, reason: 'no C compiler (cc) — install Xcode CLT' };\n  return { ok: true };\n}\n\n/** Extract the donor app's entitlements to a tmp file, or null if it has none. */\nfunction extractEntitlements(ghosttyApp: string, tmpDir: string): string | null {\n  let xml: string;\n  try {\n    xml = execFileSync('codesign', ['-d', '--entitlements', '-', '--xml', ghosttyApp], {\n      encoding: 'utf8',\n      stdio: ['ignore', 'pipe', 'ignore'],\n    });\n  } catch {\n    return null;\n  }\n  const start = xml.indexOf('<?xml');\n  if (start < 0) return null;\n  const file = path.join(tmpDir, 'entitlements.xml');\n  fs.writeFileSync(file, xml.slice(start));\n  return file;\n}\n\n/** Name of the icon resource referenced by the bundle (default Ghostty.icns). */\nfunction iconResourceName(plist: string): string {\n  try {\n    const name = execFileSync('plutil', ['-extract', 'CFBundleIconFile', 'raw', plist], {\n      encoding: 'utf8',\n      stdio: ['ignore', 'pipe', 'ignore'],\n    }).trim();\n    return name.endsWith('.icns') ? name : `${name}.icns`;\n  } catch {\n    return 'Ghostty.icns';\n  }\n}\n\n/** Convert a PNG into a multi-resolution .icns at `out`. */\nfunction pngToIcns(png: string, out: string, tmpDir: string): void {\n  const iconset = path.join(tmpDir, 'icon.iconset');\n  fs.mkdirSync(iconset, { recursive: true });\n  for (const size of [16, 32, 128, 256, 512]) {\n    run('sips', [\n      '-z',\n      `${size}`,\n      `${size}`,\n      png,\n      '--out',\n      path.join(iconset, `icon_${size}x${size}.png`),\n    ]);\n    const d = size * 2;\n    run('sips', [\n      '-z',\n      `${d}`,\n      `${d}`,\n      png,\n      '--out',\n      path.join(iconset, `icon_${size}x${size}@2x.png`),\n    ]);\n  }\n  run('iconutil', ['-c', 'icns', iconset, '-o', out]);\n}\n\n/** Install the box icon into the cloned bundle, if `app.icon` is set. */\nexport function installIcon(app: AppConfig, appPath: string, tmpDir: string): void {\n  if (!app.icon) return;\n  const icon = expandHome(app.icon);\n  if (!fs.existsSync(icon)) throw new Error(`icon not found: ${app.icon}`);\n  const plist = path.join(appPath, 'Contents', 'Info.plist');\n  const dest = path.join(appPath, 'Contents', 'Resources', iconResourceName(plist));\n  if (icon.endsWith('.icns')) fs.copyFileSync(icon, dest);\n  else if (icon.endsWith('.png')) pngToIcns(icon, dest, tmpDir);\n  else throw new Error(`unsupported icon type (need .icns/.png): ${app.icon}`);\n\n  // Ghostty ships a compiled asset catalog (Assets.car) and a `CFBundleIconName`\n  // pointing into it, which macOS prefers over the loose `CFBundleIconFile`\n  // .icns we just replaced — so our icon would be ignored. Drop the asset-catalog\n  // reference so macOS falls back to the .icns. (May be absent on other donors.)\n  try {\n    run('plutil', ['-remove', 'CFBundleIconName', plist]);\n  } catch {\n    // donor app may not define CFBundleIconName — ignore\n  }\n}\n\n/**\n * Build the standalone Ghostty app for a box. Throws on any failure (the caller\n * decides whether to abort or carry on with the other boxes).\n */\nexport function buildApp(opts: BuildAppOptions): BuildAppResult {\n  const { app, builder, boxName, configPath } = opts;\n  const check = canBuildApps(builder);\n  if (!check.ok) throw new Error(`cannot build app: ${check.reason}`);\n\n  const ghosttyApp = expandHome(builder.ghosttyApp);\n  const appsDir = expandHome(builder.appsDir);\n  const appPath = appBundlePath(appsDir, app);\n  const plist = path.join(appPath, 'Contents', 'Info.plist');\n  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'clabox-app-'));\n\n  try {\n    const entitlements = extractEntitlements(ghosttyApp, tmpDir);\n\n    // Full clone (cp -R keeps bundle symlinks/frameworks intact).\n    fs.mkdirSync(appsDir, { recursive: true });\n    fs.rmSync(appPath, { recursive: true, force: true });\n    run('cp', ['-R', ghosttyApp, appPath]);\n\n    // Identity.\n    run('plutil', ['-replace', 'CFBundleIdentifier', '-string', bundleId(boxName, app), plist]);\n    run('plutil', ['-replace', 'CFBundleName', '-string', app.name, plist]);\n    run('plutil', ['-replace', 'CFBundleDisplayName', '-string', app.name, plist]);\n    run('plutil', ['-replace', 'CFBundleExecutable', '-string', 'ghostty', plist]);\n\n    // Disable Sparkle auto-update (would clobber the clone).\n    run('plutil', ['-replace', 'SUEnableAutomaticChecks', '-bool', 'NO', plist]);\n    try {\n      run('plutil', ['-replace', 'SUFeedURL', '-string', '', plist]);\n    } catch {\n      // donor app may not define SUFeedURL — ignore\n    }\n\n    // Swap the binary for a launcher that prepends --config-file.\n    const bin = path.join(appPath, 'Contents', 'MacOS', 'ghostty');\n    fs.renameSync(bin, `${bin}.real`);\n    const src = path.join(tmpDir, 'launcher.c');\n    fs.writeFileSync(src, buildLauncherSource(configPath));\n    run('cc', ['-o', bin, src]);\n\n    installIcon(app, appPath, tmpDir);\n\n    // Re-sign: inner real binary first, then the whole bundle.\n    const signId = builder.signId;\n    const entArgs = entitlements ? ['--entitlements', entitlements] : [];\n    const idArgs = signId ? ['--sign', signId] : ['--sign', '-'];\n    run('codesign', ['--force', ...idArgs, ...entArgs, `${bin}.real`]);\n    run('codesign', ['--force', '--deep', ...idArgs, ...entArgs, appPath]);\n\n    return { appPath, signed: signId ? 'identity' : 'adhoc' };\n  } finally {\n    fs.rmSync(tmpDir, { recursive: true, force: true });\n  }\n}\n"],"mappings":";;;;;;;AA8BA,SAAS,IAAI,KAAa,MAAsB;CAC9C,aAAa,KAAK,MAAM,EAAE,OAAO;EAAC;EAAU;EAAU;CAAM,EAAE,CAAC;AACjE;AAEA,SAAS,IAAI,KAAsB;CACjC,IAAI;EACF,aAAa,WAAW,CAAC,MAAM,GAAG,GAAG;GAAE,OAAO;GAAW,OAAO;EAAS,CAAC;EAC1E,OAAO;CACT,QAAQ;EACN,OAAO;CACT;AACF;;AAGA,SAAgB,aAAa,SAA6D;CACxF,IAAI,QAAQ,aAAa,UAAU,OAAO;EAAE,IAAI;EAAO,QAAQ;CAAY;CAC3E,IAAI,CAAC,GAAG,WAAW,WAAW,QAAQ,UAAU,CAAC,GAC/C,OAAO;EAAE,IAAI;EAAO,QAAQ,wBAAwB,QAAQ;CAAa;CAE3E,IAAI,CAAC,IAAI,IAAI,GAAG,OAAO;EAAE,IAAI;EAAO,QAAQ;CAAyC;CACrF,OAAO,EAAE,IAAI,KAAK;AACpB;;AAGA,SAAS,oBAAoB,YAAoB,QAA+B;CAC9E,IAAI;CACJ,IAAI;EACF,MAAM,aAAa,YAAY;GAAC;GAAM;GAAkB;GAAK;GAAS;EAAU,GAAG;GACjF,UAAU;GACV,OAAO;IAAC;IAAU;IAAQ;GAAQ;EACpC,CAAC;CACH,QAAQ;EACN,OAAO;CACT;CACA,MAAM,QAAQ,IAAI,QAAQ,OAAO;CACjC,IAAI,QAAQ,GAAG,OAAO;CACtB,MAAM,OAAO,KAAK,KAAK,QAAQ,kBAAkB;CACjD,GAAG,cAAc,MAAM,IAAI,MAAM,KAAK,CAAC;CACvC,OAAO;AACT;;AAGA,SAAS,iBAAiB,OAAuB;CAC/C,IAAI;EACF,MAAM,OAAO,aAAa,UAAU;GAAC;GAAY;GAAoB;GAAO;EAAK,GAAG;GAClF,UAAU;GACV,OAAO;IAAC;IAAU;IAAQ;GAAQ;EACpC,CAAC,CAAC,CAAC,KAAK;EACR,OAAO,KAAK,SAAS,OAAO,IAAI,OAAO,GAAG,KAAK;CACjD,QAAQ;EACN,OAAO;CACT;AACF;;AAGA,SAAS,UAAU,KAAa,KAAa,QAAsB;CACjE,MAAM,UAAU,KAAK,KAAK,QAAQ,cAAc;CAChD,GAAG,UAAU,SAAS,EAAE,WAAW,KAAK,CAAC;CACzC,KAAK,MAAM,QAAQ;EAAC;EAAI;EAAI;EAAK;EAAK;CAAG,GAAG;EAC1C,IAAI,QAAQ;GACV;GACA,GAAG;GACH,GAAG;GACH;GACA;GACA,KAAK,KAAK,SAAS,QAAQ,KAAK,GAAG,KAAK,KAAK;EAC/C,CAAC;EACD,MAAM,IAAI,OAAO;EACjB,IAAI,QAAQ;GACV;GACA,GAAG;GACH,GAAG;GACH;GACA;GACA,KAAK,KAAK,SAAS,QAAQ,KAAK,GAAG,KAAK,QAAQ;EAClD,CAAC;CACH;CACA,IAAI,YAAY;EAAC;EAAM;EAAQ;EAAS;EAAM;CAAG,CAAC;AACpD;;AAGA,SAAgB,YAAY,KAAgB,SAAiB,QAAsB;CACjF,IAAI,CAAC,IAAI,MAAM;CACf,MAAM,OAAO,WAAW,IAAI,IAAI;CAChC,IAAI,CAAC,GAAG,WAAW,IAAI,GAAG,MAAM,IAAI,MAAM,mBAAmB,IAAI,MAAM;CACvE,MAAM,QAAQ,KAAK,KAAK,SAAS,YAAY,YAAY;CACzD,MAAM,OAAO,KAAK,KAAK,SAAS,YAAY,aAAa,iBAAiB,KAAK,CAAC;CAChF,IAAI,KAAK,SAAS,OAAO,GAAG,GAAG,aAAa,MAAM,IAAI;MACjD,IAAI,KAAK,SAAS,MAAM,GAAG,UAAU,MAAM,MAAM,MAAM;MACvD,MAAM,IAAI,MAAM,4CAA4C,IAAI,MAAM;CAM3E,IAAI;EACF,IAAI,UAAU;GAAC;GAAW;GAAoB;EAAK,CAAC;CACtD,QAAQ,CAER;AACF;;;;;AAMA,SAAgB,SAAS,MAAuC;CAC9D,MAAM,EAAE,KAAK,SAAS,SAAS,eAAe;CAC9C,MAAM,QAAQ,aAAa,OAAO;CAClC,IAAI,CAAC,MAAM,IAAI,MAAM,IAAI,MAAM,qBAAqB,MAAM,QAAQ;CAElE,MAAM,aAAa,WAAW,QAAQ,UAAU;CAChD,MAAM,UAAU,WAAW,QAAQ,OAAO;CAC1C,MAAM,UAAU,cAAc,SAAS,GAAG;CAC1C,MAAM,QAAQ,KAAK,KAAK,SAAS,YAAY,YAAY;CACzD,MAAM,SAAS,GAAG,YAAY,KAAK,KAAK,GAAG,OAAO,GAAG,aAAa,CAAC;CAEnE,IAAI;EACF,MAAM,eAAe,oBAAoB,YAAY,MAAM;EAG3D,GAAG,UAAU,SAAS,EAAE,WAAW,KAAK,CAAC;EACzC,GAAG,OAAO,SAAS;GAAE,WAAW;GAAM,OAAO;EAAK,CAAC;EACnD,IAAI,MAAM;GAAC;GAAM;GAAY;EAAO,CAAC;EAGrC,IAAI,UAAU;GAAC;GAAY;GAAsB;GAAW,SAAS,SAAS,GAAG;GAAG;EAAK,CAAC;EAC1F,IAAI,UAAU;GAAC;GAAY;GAAgB;GAAW,IAAI;GAAM;EAAK,CAAC;EACtE,IAAI,UAAU;GAAC;GAAY;GAAuB;GAAW,IAAI;GAAM;EAAK,CAAC;EAC7E,IAAI,UAAU;GAAC;GAAY;GAAsB;GAAW;GAAW;EAAK,CAAC;EAG7E,IAAI,UAAU;GAAC;GAAY;GAA2B;GAAS;GAAM;EAAK,CAAC;EAC3E,IAAI;GACF,IAAI,UAAU;IAAC;IAAY;IAAa;IAAW;IAAI;GAAK,CAAC;EAC/D,QAAQ,CAER;EAGA,MAAM,MAAM,KAAK,KAAK,SAAS,YAAY,SAAS,SAAS;EAC7D,GAAG,WAAW,KAAK,GAAG,IAAI,MAAM;EAChC,MAAM,MAAM,KAAK,KAAK,QAAQ,YAAY;EAC1C,GAAG,cAAc,KAAK,oBAAoB,UAAU,CAAC;EACrD,IAAI,MAAM;GAAC;GAAM;GAAK;EAAG,CAAC;EAE1B,YAAY,KAAK,SAAS,MAAM;EAGhC,MAAM,SAAS,QAAQ;EACvB,MAAM,UAAU,eAAe,CAAC,kBAAkB,YAAY,IAAI,CAAC;EACnE,MAAM,SAAS,SAAS,CAAC,UAAU,MAAM,IAAI,CAAC,UAAU,GAAG;EAC3D,IAAI,YAAY;GAAC;GAAW,GAAG;GAAQ,GAAG;GAAS,GAAG,IAAI;EAAM,CAAC;EACjE,IAAI,YAAY;GAAC;GAAW;GAAU,GAAG;GAAQ,GAAG;GAAS;EAAO,CAAC;EAErE,OAAO;GAAE;GAAS,QAAQ,SAAS,aAAa;EAAQ;CAC1D,UAAU;EACR,GAAG,OAAO,QAAQ;GAAE,WAAW;GAAM,OAAO;EAAK,CAAC;CACpD;AACF"}

package/lib/app-DzQ5yZfD.d.ts

@@ -0,0 +1,32 @@
+import { n as AppConfig, t as AppBuilderConfig } from "./config-DQWueb4a.js";
+
+//#region src/init/app.d.ts
+/** Inputs for {@link buildApp}. */
+interface BuildAppOptions {
+  /** The `-b` box name (drives the default bundle id). */
+  boxName: string;
+  app: AppConfig;
+  builder: AppBuilderConfig;
+  /** Absolute path to the already-written Ghostty config to bake in. */
+  configPath: string;
+}
+/** Result of a successful {@link buildApp}. */
+interface BuildAppResult {
+  appPath: string;
+  signed: 'identity' | 'adhoc';
+}
+/** True when the host can build apps (macOS with the donor app + a C compiler). */
+declare function canBuildApps(builder: AppBuilderConfig): {
+  ok: boolean;
+  reason?: string;
+};
+/** Install the box icon into the cloned bundle, if `app.icon` is set. */
+declare function installIcon(app: AppConfig, appPath: string, tmpDir: string): void;
+/**
+ * Build the standalone Ghostty app for a box. Throws on any failure (the caller
+ * decides whether to abort or carry on with the other boxes).
+ */
+declare function buildApp(opts: BuildAppOptions): BuildAppResult;
+//#endregion
+export { installIcon as a, canBuildApps as i, BuildAppResult as n, buildApp as r, BuildAppOptions as t };
+//# sourceMappingURL=app-DzQ5yZfD.d.ts.map