sandbox-vibe 0.1.0

package/dist/cli.mjs

@@ -0,0 +1,1005 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { Command } from "commander";
+import { readFileSync as readFileSync3 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join6 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// src/config.ts
+import { readFileSync, unlinkSync, writeFileSync } from "fs";
+import { join } from "path";
+var CONFIG_FILE_NAME = "config.json";
+var STACKS = [
+  "none",
+  "php",
+  "dotnet",
+  "python",
+  "go",
+  "rust"
+];
+var DEFAULT_PLUGINS = [
+  "security-guidance@claude-plugins-official",
+  "commit-commands@claude-plugins-official",
+  "code-review@claude-plugins-official",
+  "pr-review-toolkit@claude-plugins-official",
+  "claude-md-management@claude-plugins-official",
+  "hookify@claude-plugins-official",
+  "feature-dev@claude-plugins-official",
+  "superpowers@superpowers-dev"
+];
+var DEFAULT_MARKETPLACES = [
+  "anthropics/claude-plugins-official",
+  "obra/superpowers"
+];
+var DEFAULT_RESOURCES = {
+  cpus: 4,
+  memoryGB: 4,
+  pids: 256,
+  tmpfsMB: 512
+};
+var PLUGIN_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]*@[A-Za-z0-9][A-Za-z0-9._/-]*$/;
+var MARKETPLACE_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._-]*\/[A-Za-z0-9][A-Za-z0-9._-]*$/;
+var MCP_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9_-]*$/;
+function validatePluginRef(value) {
+  if (!PLUGIN_PATTERN.test(value)) {
+    return "must match name@marketplace using letters, digits, '.', '_', '-' (no spaces or shell metacharacters)";
+  }
+  return true;
+}
+function validateMarketplaceRef(value) {
+  if (!MARKETPLACE_PATTERN.test(value)) {
+    return "must match owner/repo using letters, digits, '.', '_', '-' (no spaces or shell metacharacters)";
+  }
+  return true;
+}
+function validateMcpName(value) {
+  if (!MCP_NAME_PATTERN.test(value)) {
+    return "must contain only letters, digits, '_' and '-'";
+  }
+  return true;
+}
+function validateMcpUrl(value) {
+  if (/[\r\n\t]/.test(value)) {
+    return "URL must not contain newline, carriage return, or tab";
+  }
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    return "must be a valid URL";
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    return "URL must use http:// or https://";
+  }
+  if (parsed.username !== "" || parsed.password !== "") {
+    return "URL must not contain basic-auth credentials (user:pass@); use Authorization headers instead";
+  }
+  return true;
+}
+function validateHostPath(value) {
+  if (/[\r\n]/.test(value)) {
+    return "path must not contain newline or carriage return";
+  }
+  if (value.includes(":")) {
+    return "path must not contain ':'";
+  }
+  if (!value.startsWith("/")) {
+    return "path must be absolute (start with '/')";
+  }
+  return true;
+}
+function validateContainerPath(value) {
+  if (/[\r\n]/.test(value)) {
+    return "path must not contain newline or carriage return";
+  }
+  if (value.includes(":")) {
+    return "path must not contain ':'";
+  }
+  if (!value.startsWith("/")) {
+    return "container path must be absolute (start with '/')";
+  }
+  return true;
+}
+function loadConfig(vibeDir) {
+  const configPath = join(vibeDir, CONFIG_FILE_NAME);
+  const raw = readFileSync(configPath, "utf-8");
+  const parsed = JSON.parse(raw);
+  validateConfig(parsed);
+  return parsed;
+}
+function saveConfig(vibeDir, config) {
+  const configPath = join(vibeDir, CONFIG_FILE_NAME);
+  try {
+    unlinkSync(configPath);
+  } catch {
+  }
+  writeFileSync(
+    configPath,
+    JSON.stringify(config, null, 2) + "\n",
+    "utf-8"
+  );
+}
+function validateConfig(value) {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    throw new Error("config.json: expected an object at the root.");
+  }
+  const cfg = value;
+  if (cfg.schemaVersion !== 1) {
+    throw new Error(
+      `config.json: unsupported schemaVersion ${String(cfg.schemaVersion)}; expected 1.`
+    );
+  }
+  if (typeof cfg.workspacePath !== "string" || cfg.workspacePath.length === 0) {
+    throw new Error("config.json: workspacePath must be a non-empty string.");
+  }
+  const wsCheck = validateHostPath(cfg.workspacePath);
+  if (wsCheck !== true) {
+    throw new Error(`config.json: workspacePath ${wsCheck}.`);
+  }
+  if (typeof cfg.marker !== "string" || cfg.marker.length === 0) {
+    throw new Error("config.json: marker must be a non-empty string.");
+  }
+  if (!/^bootstrap-[a-f0-9]{16}(-r\d+)?$/.test(cfg.marker)) {
+    throw new Error(
+      "config.json: marker must match pattern 'bootstrap-<16 hex chars>' or with optional '-r<N>' suffix."
+    );
+  }
+  if (typeof cfg.stack !== "string" || !STACKS.includes(cfg.stack)) {
+    throw new Error(
+      `config.json: stack must be one of ${STACKS.join("/")}; got ${String(cfg.stack)}.`
+    );
+  }
+  if (!Array.isArray(cfg.plugins) || cfg.plugins.some((p) => typeof p !== "string")) {
+    throw new Error("config.json: plugins must be an array of strings.");
+  }
+  for (const p of cfg.plugins) {
+    const r = validatePluginRef(p);
+    if (r !== true) {
+      throw new Error(`config.json: plugin '${String(p)}' invalid \u2014 ${r}.`);
+    }
+  }
+  if (!Array.isArray(cfg.marketplaces) || cfg.marketplaces.some((m) => typeof m !== "string")) {
+    throw new Error("config.json: marketplaces must be an array of strings.");
+  }
+  for (const m of cfg.marketplaces) {
+    const r = validateMarketplaceRef(m);
+    if (r !== true) {
+      throw new Error(`config.json: marketplace '${String(m)}' invalid \u2014 ${r}.`);
+    }
+  }
+  if (!Array.isArray(cfg.mcps) || !cfg.mcps.every(isMcp)) {
+    throw new Error(
+      "config.json: mcps must be an array of { name: string, transport: 'http'|'sse', url: string }."
+    );
+  }
+  for (const m of cfg.mcps) {
+    const nameCheck = validateMcpName(m.name);
+    if (nameCheck !== true) {
+      throw new Error(`config.json: mcps[].name '${m.name}' invalid \u2014 ${nameCheck}.`);
+    }
+    const urlCheck = validateMcpUrl(m.url);
+    if (urlCheck !== true) {
+      throw new Error(`config.json: mcps[].url '${m.url}' invalid \u2014 ${urlCheck}.`);
+    }
+  }
+  if (!Array.isArray(cfg.additionalMounts) || !cfg.additionalMounts.every(isAdditionalMount)) {
+    throw new Error(
+      "config.json: additionalMounts must be an array of { hostPath: string, containerPath: string, readonly: boolean }."
+    );
+  }
+  for (const m of cfg.additionalMounts) {
+    const hostCheck = validateHostPath(m.hostPath);
+    if (hostCheck !== true) {
+      throw new Error(
+        `config.json: additionalMounts[].hostPath '${m.hostPath}' invalid \u2014 ${hostCheck}.`
+      );
+    }
+    const containerCheck = validateContainerPath(m.containerPath);
+    if (containerCheck !== true) {
+      throw new Error(
+        `config.json: additionalMounts[].containerPath '${m.containerPath}' invalid \u2014 ${containerCheck}.`
+      );
+    }
+  }
+  if (!isResources(cfg.resources)) {
+    throw new Error(
+      "config.json: resources must be { cpus, memoryGB, pids, tmpfsMB } with positive numbers (pids and tmpfsMB must be integers)."
+    );
+  }
+}
+function isMcp(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const obj = value;
+  return typeof obj.name === "string" && typeof obj.url === "string" && (obj.transport === "http" || obj.transport === "sse");
+}
+function isAdditionalMount(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const obj = value;
+  return typeof obj.hostPath === "string" && typeof obj.containerPath === "string" && typeof obj.readonly === "boolean";
+}
+function isResources(value) {
+  if (typeof value !== "object" || value === null) return false;
+  const obj = value;
+  return typeof obj.cpus === "number" && Number.isFinite(obj.cpus) && obj.cpus > 0 && typeof obj.memoryGB === "number" && Number.isFinite(obj.memoryGB) && obj.memoryGB > 0 && typeof obj.pids === "number" && Number.isInteger(obj.pids) && obj.pids > 0 && typeof obj.tmpfsMB === "number" && Number.isInteger(obj.tmpfsMB) && obj.tmpfsMB > 0;
+}
+
+// src/log.ts
+var PREFIX = "[sandbox-vibe]";
+function log(message) {
+  console.log(`${PREFIX} ${message}`);
+}
+function logError(message) {
+  console.error(`${PREFIX} ${message}`);
+}
+
+// src/paths.ts
+import { statSync } from "fs";
+import { join as join2, resolve } from "path";
+var SANDBOX_VIBE_DIR = ".sandbox-vibe";
+function findSandboxVibeDir(cwd = process.cwd()) {
+  const candidate = resolve(cwd, SANDBOX_VIBE_DIR);
+  try {
+    if (statSync(candidate).isDirectory()) return candidate;
+  } catch {
+  }
+  return null;
+}
+function sandboxVibePath(cwd, ...parts) {
+  return join2(cwd, SANDBOX_VIBE_DIR, ...parts);
+}
+
+// src/render.ts
+import { createHash } from "crypto";
+import { readFile, unlink, writeFile } from "fs/promises";
+import { basename, dirname, join as join3 } from "path";
+import { fileURLToPath } from "url";
+var TEMPLATES_DIR = join3(
+  dirname(fileURLToPath(import.meta.url)),
+  "templates"
+);
+var TEMPLATE_FILES = {
+  baseDockerfile: {
+    template: "Dockerfile.sandbox.tpl",
+    output: "Dockerfile.sandbox"
+  },
+  baseCompose: {
+    template: "docker-compose.sandbox.yml.tpl",
+    output: "docker-compose.sandbox.yml"
+  },
+  overrideDockerfile: {
+    template: "Dockerfile.sandbox.override.tpl",
+    output: "Dockerfile.sandbox.override"
+  },
+  overrideCompose: {
+    template: "docker-compose.override.yml.tpl",
+    output: "docker-compose.override.yml"
+  }
+};
+async function renderTemplate(templateName, vars) {
+  const tplPath = join3(TEMPLATES_DIR, templateName);
+  const tpl = await readFile(tplPath, "utf-8");
+  const lookup = (key) => getRequiredVar(vars, key, templateName);
+  const afterCommentMarkers = tpl.replace(
+    /^[ \t]*# vibe-render:(\w+)[ \t]*$/gm,
+    (_match, key) => lookup(key)
+  );
+  return afterCommentMarkers.replace(
+    /\$\{(\w+)\}/g,
+    (_match, key) => lookup(key)
+  );
+}
+function getRequiredVar(vars, key, templateName) {
+  const value = vars[key];
+  if (value === void 0) {
+    throw new Error(`Template ${templateName}: missing variable '${key}'.`);
+  }
+  return value;
+}
+async function writeRendered(destDir, outputName, content) {
+  const target = join3(destDir, outputName);
+  try {
+    await unlink(target);
+  } catch {
+  }
+  await writeFile(target, content, "utf-8");
+}
+function computeMarker(config) {
+  const canonical = JSON.stringify({
+    plugins: [...config.plugins].sort(),
+    marketplaces: [...config.marketplaces].sort(),
+    mcps: [...config.mcps].map((m) => ({ name: m.name, transport: m.transport, url: m.url })).sort((a, b) => a.name.localeCompare(b.name))
+  });
+  const hash = createHash("sha256").update(canonical).digest("hex").slice(0, 16);
+  return `bootstrap-${hash}`;
+}
+function computeProjectSlug(config) {
+  const raw = basename(config.workspacePath).toLowerCase();
+  const cleaned = raw.replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "");
+  const safeBase = cleaned.length > 0 ? cleaned : "vibe";
+  const pathHash = createHash("sha256").update(config.workspacePath).digest("hex").slice(0, 8);
+  return `${safeBase}-${pathHash}`;
+}
+function renderVolumesBlock(config, projectSlug) {
+  const lines = [
+    `      - ${projectSlug}-sandbox-home:/home/sandbox`,
+    `      - ${config.workspacePath}:/workspace`
+  ];
+  for (const m of config.additionalMounts) {
+    const ro = m.readonly ? ":ro" : "";
+    lines.push(`      - ${m.hostPath}:${m.containerPath}${ro}`);
+  }
+  return lines.join("\n");
+}
+function renderAdditionalDirsBlock(config) {
+  const dirs = ["/workspace"];
+  for (const m of config.additionalMounts) {
+    dirs.push(m.containerPath);
+  }
+  return JSON.stringify(dirs, null, 2).replace(/\n/g, "\n            ");
+}
+function renderEnabledPluginsBlock(config) {
+  const obj = {};
+  for (const p of config.plugins) obj[p] = true;
+  return JSON.stringify(obj, null, 2).replace(/\n/g, "\n          ");
+}
+function renderMarketplacesBlock(config) {
+  if (config.marketplaces.length === 0) {
+    return "";
+  }
+  return config.marketplaces.map(
+    (m) => `          claude plugin marketplace add ${m} >>"$$BOOT_LOG" 2>&1`
+  ).join("\n");
+}
+function renderPluginLoopBlock(config) {
+  if (config.plugins.length === 0) {
+    return `            ""`;
+  }
+  return config.plugins.map((p, idx) => {
+    const continuation = idx === config.plugins.length - 1 ? "" : " \\";
+    return `            "${p}"${continuation}`;
+  }).join("\n");
+}
+function renderMcpsBlock(config) {
+  if (config.mcps.length === 0) {
+    return "";
+  }
+  const lines = config.mcps.map(
+    (m) => `          claude mcp add ${m.name} --scope user --transport ${m.transport} ${m.url} >>"$$BOOT_LOG" 2>&1`
+  );
+  return "\n" + lines.join("\n") + "\n";
+}
+function renderStackBlock(stack) {
+  switch (stack) {
+    case "none":
+      return "# (no extra stack selected)";
+    case "php":
+      return [
+        "# PHP intelephense (php-lsp plugin)",
+        "RUN npm install -g intelephense"
+      ].join("\n");
+    case "dotnet":
+      return [
+        "# C# / .NET csharp-ls (csharp-lsp plugin)",
+        "RUN apt-get update \\",
+        " && apt-get install -y --no-install-recommends wget ca-certificates libicu72 \\",
+        " && rm -rf /var/lib/apt/lists/* \\",
+        " && wget -qO /tmp/dotnet-install.sh https://dot.net/v1/dotnet-install.sh \\",
+        " && chmod +x /tmp/dotnet-install.sh \\",
+        " && /tmp/dotnet-install.sh --channel 10.0 --install-dir /usr/share/dotnet \\",
+        " && ln -s /usr/share/dotnet/dotnet /usr/local/bin/dotnet \\",
+        " && rm /tmp/dotnet-install.sh \\",
+        " && DOTNET_NOLOGO=1 DOTNET_CLI_TELEMETRY_OPTOUT=1 \\",
+        "    dotnet tool install --tool-path /usr/local/bin csharp-ls"
+      ].join("\n");
+    case "python":
+      return [
+        "# Python pyright (pyright-lsp plugin)",
+        "RUN apt-get update \\",
+        " && apt-get install -y --no-install-recommends python3-pip \\",
+        " && rm -rf /var/lib/apt/lists/* \\",
+        " && npm install -g pyright"
+      ].join("\n");
+    case "go":
+      return [
+        "# Go gopls (gopls-lsp plugin)",
+        "RUN apt-get update \\",
+        " && apt-get install -y --no-install-recommends golang-go \\",
+        " && rm -rf /var/lib/apt/lists/* \\",
+        " && GOBIN=/usr/local/bin go install golang.org/x/tools/gopls@latest \\",
+        " && chmod a+rx /usr/local/bin/gopls"
+      ].join("\n");
+    case "rust":
+      return [
+        "# Rust rust-analyzer (rust-analyzer-lsp plugin)",
+        "RUN apt-get update \\",
+        " && apt-get install -y --no-install-recommends rustup \\",
+        " && rm -rf /var/lib/apt/lists/* \\",
+        " && rustup-init -y --default-toolchain stable --no-modify-path \\",
+        " && /root/.cargo/bin/rustup component add rust-analyzer \\",
+        " && cp /root/.cargo/bin/rust-analyzer /usr/local/bin/rust-analyzer \\",
+        " && chmod a+rx /usr/local/bin/rust-analyzer"
+      ].join("\n");
+  }
+}
+async function renderAll(destDir, config) {
+  const baseDockerfile = await renderTemplate(
+    TEMPLATE_FILES.baseDockerfile.template,
+    {}
+  );
+  await writeRendered(
+    destDir,
+    TEMPLATE_FILES.baseDockerfile.output,
+    baseDockerfile
+  );
+  const baseCompose = await renderTemplate(
+    TEMPLATE_FILES.baseCompose.template,
+    {
+      cpus: String(config.resources.cpus),
+      memoryGB: String(config.resources.memoryGB),
+      pids: String(config.resources.pids),
+      tmpfsMB: String(config.resources.tmpfsMB)
+    }
+  );
+  await writeRendered(
+    destDir,
+    TEMPLATE_FILES.baseCompose.output,
+    baseCompose
+  );
+  const overrideDockerfile = await renderTemplate(
+    TEMPLATE_FILES.overrideDockerfile.template,
+    {
+      stackBlock: renderStackBlock(config.stack)
+    }
+  );
+  await writeRendered(
+    destDir,
+    TEMPLATE_FILES.overrideDockerfile.output,
+    overrideDockerfile
+  );
+  const projectSlug = computeProjectSlug(config);
+  const overrideCompose = await renderTemplate(
+    TEMPLATE_FILES.overrideCompose.template,
+    {
+      volumesBlock: renderVolumesBlock(config, projectSlug),
+      additionalDirsBlock: renderAdditionalDirsBlock(config),
+      enabledPluginsBlock: renderEnabledPluginsBlock(config),
+      marketplacesBlock: renderMarketplacesBlock(config),
+      pluginLoopBlock: renderPluginLoopBlock(config),
+      mcpsBlock: renderMcpsBlock(config),
+      marker: config.marker,
+      projectSlug
+    }
+  );
+  await writeRendered(
+    destDir,
+    TEMPLATE_FILES.overrideCompose.output,
+    overrideCompose
+  );
+}
+
+// src/commands/bumpMarker.ts
+async function bumpMarker() {
+  const cwd = process.cwd();
+  const vibeDir = findSandboxVibeDir(cwd);
+  if (!vibeDir) {
+    throw new Error(
+      `No ${SANDBOX_VIBE_DIR}/ found. Run sandbox-vibe init first.`
+    );
+  }
+  const config = loadConfig(vibeDir);
+  const previous = config.marker;
+  config.marker = nextMarker(previous);
+  await renderAll(vibeDir, config);
+  saveConfig(vibeDir, config);
+  log(`Marker: ${previous} -> ${config.marker}`);
+  log("Re-bootstrap on next up.");
+}
+function nextMarker(current) {
+  const match = /^(.*)-r(\d+)$/.exec(current);
+  if (!match) return `${current}-r1`;
+  const [, base = "", numStr = "0"] = match;
+  return `${base}-r${Number.parseInt(numStr, 10) + 1}`;
+}
+
+// src/commands/init.ts
+import {
+  existsSync,
+  lstatSync,
+  mkdirSync,
+  readFileSync as readFileSync2,
+  realpathSync,
+  unlinkSync as unlinkSync2,
+  writeFileSync as writeFileSync2
+} from "fs";
+import { basename as basename2, join as join4, resolve as resolve2 } from "path";
+
+// src/prompts.ts
+import {
+  input,
+  select,
+  confirm,
+  checkbox,
+  Separator
+} from "@inquirer/prompts";
+function isAbortError(err) {
+  if (!(err instanceof Error)) return false;
+  return err.name === "ExitPromptError" || err.name === "AbortPromptError";
+}
+
+// src/sensitive-paths.ts
+import { homedir } from "os";
+var SENSITIVE_SYSTEM_PATHS = [
+  "/",
+  "/etc",
+  "/private/etc",
+  "/root",
+  "/var",
+  "/private/var",
+  "/sys",
+  "/proc",
+  "/usr",
+  "/boot",
+  "/dev"
+];
+var SENSITIVE_HOME_SUBDIRS = [
+  ".ssh",
+  ".aws",
+  ".gnupg",
+  ".docker",
+  ".kube",
+  ".config/gh",
+  ".npmrc"
+];
+function isSensitivePath(absolutePath) {
+  if (SENSITIVE_SYSTEM_PATHS.includes(absolutePath)) return true;
+  for (const sys of SENSITIVE_SYSTEM_PATHS) {
+    if (sys !== "/" && absolutePath.startsWith(`${sys}/`)) return true;
+  }
+  const home = homedir();
+  for (const suffix of SENSITIVE_HOME_SUBDIRS) {
+    const sensitive = `${home}/${suffix}`;
+    if (absolutePath === sensitive || absolutePath.startsWith(`${sensitive}/`)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/commands/init.ts
+var STACK_CHOICES = [
+  { name: "none", value: "none" },
+  { name: "php (intelephense)", value: "php" },
+  { name: "dotnet (csharp-ls)", value: "dotnet" },
+  { name: "python (pyright)", value: "python" },
+  { name: "go (gopls)", value: "go" },
+  { name: "rust (rust-analyzer)", value: "rust" }
+];
+async function confirmSensitiveMount(absolutePath) {
+  log(
+    `WARNING: '${absolutePath}' looks like a system or credentials path. Mounting it exposes its contents to the Claude agent inside the container.`
+  );
+  return confirm({
+    message: "Mount this path anyway?",
+    default: false
+  });
+}
+async function init(opts = {}) {
+  const cwd = process.cwd();
+  const existingDir = findSandboxVibeDir(cwd);
+  if (existingDir && !opts.force) {
+    if (opts.nonInteractive) {
+      throw new Error(
+        `${SANDBOX_VIBE_DIR}/ already exists. Use --force to overwrite.`
+      );
+    }
+    const overwrite = await confirm({
+      message: `${SANDBOX_VIBE_DIR}/ already exists. Overwrite?`,
+      default: false
+    });
+    if (!overwrite) {
+      log("Aborted by user.");
+      return;
+    }
+  }
+  const config = opts.nonInteractive ? buildDefaultConfig(cwd) : await runWizard(cwd);
+  config.marker = computeMarker(config);
+  const destDir = sandboxVibePath(cwd);
+  try {
+    if (lstatSync(destDir).isSymbolicLink()) {
+      throw new Error(
+        `${destDir} is a symbolic link; refusing to follow. Replace it with a regular directory and re-run.`
+      );
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith(`${destDir} is a symbolic link`)) {
+      throw err;
+    }
+  }
+  mkdirSync(destDir, { recursive: true });
+  await renderAll(destDir, config);
+  saveConfig(destDir, config);
+  if (!opts.nonInteractive) {
+    await maybeUpdateGitignore(cwd);
+  }
+  log(`Wrote ${SANDBOX_VIBE_DIR}/ with marker ${config.marker}.`);
+  log("Run 'sandbox-vibe up' to start the sandbox.");
+}
+function buildDefaultConfig(cwd) {
+  return {
+    schemaVersion: 1,
+    workspacePath: cwd,
+    additionalMounts: [],
+    resources: { ...DEFAULT_RESOURCES },
+    stack: "none",
+    plugins: [...DEFAULT_PLUGINS],
+    marketplaces: [...DEFAULT_MARKETPLACES],
+    mcps: [],
+    marker: ""
+  };
+}
+async function runWizard(cwd) {
+  const workspacePath = await promptHostPath(
+    "Workspace path (mounted as /workspace)",
+    cwd
+  );
+  const additionalMounts = await promptAdditionalMounts();
+  const stack = await select({
+    message: "Stack for LSP support",
+    choices: STACK_CHOICES,
+    default: "none"
+  });
+  const plugins = await checkbox({
+    message: "Plugins to enable",
+    choices: DEFAULT_PLUGINS.map((p) => ({
+      name: p,
+      value: p,
+      checked: true
+    }))
+  });
+  const mcps = await promptMcps();
+  const useDefaults = await confirm({
+    message: `Use default resources (${DEFAULT_RESOURCES.cpus} CPU, ${DEFAULT_RESOURCES.memoryGB}G mem, ${DEFAULT_RESOURCES.pids} PIDs, ${DEFAULT_RESOURCES.tmpfsMB}M tmpfs)?`,
+    default: true
+  });
+  const resources = useDefaults ? { ...DEFAULT_RESOURCES } : await promptResources();
+  return {
+    schemaVersion: 1,
+    workspacePath,
+    additionalMounts,
+    resources,
+    stack,
+    plugins,
+    marketplaces: [...DEFAULT_MARKETPLACES],
+    mcps,
+    marker: ""
+  };
+}
+async function promptHostPath(message, defaultValue) {
+  while (true) {
+    const raw = await input({
+      message,
+      default: defaultValue,
+      validate: (value) => {
+        const absolute2 = resolve2(value);
+        const formatCheck = validateHostPath(absolute2);
+        if (formatCheck !== true) return formatCheck;
+        if (!existsSync(absolute2)) return `Path does not exist: ${absolute2}`;
+        return true;
+      }
+    });
+    const absolute = resolve2(raw);
+    let real;
+    try {
+      real = realpathSync(absolute);
+    } catch {
+      log(`Cannot resolve real path for ${absolute}; please pick another.`);
+      continue;
+    }
+    if (isSensitivePath(real)) {
+      const ok = await confirmSensitiveMount(real);
+      if (!ok) {
+        log("Aborted mount; please pick another path.");
+        continue;
+      }
+    }
+    return real;
+  }
+}
+async function promptAdditionalMounts() {
+  const mounts = [];
+  let addMore = await confirm({
+    message: "Add sibling mounts?",
+    default: false
+  });
+  while (addMore) {
+    const hostPath = await promptHostPath("Host path (absolute)");
+    const defaultContainerPath = `/workspace/${basename2(hostPath)}`;
+    const containerPath = await input({
+      message: "Container path",
+      default: defaultContainerPath,
+      validate: (value) => validateContainerPath(value)
+    });
+    const readonly = await confirm({
+      message: "Read-only?",
+      default: false
+    });
+    mounts.push({ hostPath, containerPath, readonly });
+    addMore = await confirm({
+      message: "Add another mount?",
+      default: false
+    });
+  }
+  return mounts;
+}
+async function promptMcps() {
+  const mcps = [];
+  const addMcp = await confirm({
+    message: "Add MCP servers?",
+    default: false
+  });
+  if (!addMcp) return mcps;
+  let more = true;
+  while (more) {
+    const name = await input({
+      message: "MCP name",
+      default: "context7",
+      validate: (value) => validateMcpName(value)
+    });
+    const url = await input({
+      message: "MCP URL",
+      default: name === "context7" ? "https://mcp.context7.com/mcp" : "",
+      validate: (value) => validateMcpUrl(value)
+    });
+    mcps.push({ name, transport: "http", url });
+    more = await confirm({
+      message: "Add another MCP?",
+      default: false
+    });
+  }
+  return mcps;
+}
+async function promptResources() {
+  const cpus = await promptPositiveNumber(
+    "CPU limit (count)",
+    DEFAULT_RESOURCES.cpus,
+    false
+  );
+  const memoryGB = await promptPositiveNumber(
+    "Memory limit (GB)",
+    DEFAULT_RESOURCES.memoryGB,
+    false
+  );
+  const pids = await promptPositiveNumber(
+    "PID limit",
+    DEFAULT_RESOURCES.pids,
+    true
+  );
+  const tmpfsMB = await promptPositiveNumber(
+    "tmpfs /tmp size (MB)",
+    DEFAULT_RESOURCES.tmpfsMB,
+    true
+  );
+  return { cpus, memoryGB, pids, tmpfsMB };
+}
+async function promptPositiveNumber(message, defaultValue, integer) {
+  const raw = await input({
+    message,
+    default: String(defaultValue),
+    validate: (v) => {
+      const n = Number(v);
+      if (!Number.isFinite(n) || n <= 0) return "must be > 0";
+      if (integer && !Number.isInteger(n)) return "must be an integer";
+      return true;
+    }
+  });
+  return Number(raw);
+}
+async function maybeUpdateGitignore(cwd) {
+  const gitignorePath = join4(cwd, ".gitignore");
+  const entry = `/${SANDBOX_VIBE_DIR}/`;
+  let isSymlink = false;
+  let exists = false;
+  try {
+    const st = lstatSync(gitignorePath);
+    exists = true;
+    isSymlink = st.isSymbolicLink();
+  } catch {
+  }
+  if (isSymlink) {
+    throw new Error(
+      `.gitignore at ${gitignorePath} is a symbolic link; refusing to follow. Replace it with a regular file and re-run.`
+    );
+  }
+  if (!exists) {
+    const create = await confirm({
+      message: `No .gitignore found. Create one with '${entry}'?`,
+      default: true
+    });
+    if (create) {
+      writeGitignoreSafely(gitignorePath, entry + "\n");
+      log("Created .gitignore.");
+    }
+    return;
+  }
+  const content = readFileSync2(gitignorePath, "utf-8");
+  if (content.split(/\r?\n/).some((line) => line.trim() === entry)) {
+    return;
+  }
+  const add = await confirm({
+    message: `Add '${entry}' to .gitignore?`,
+    default: true
+  });
+  if (add) {
+    const trailing = content.endsWith("\n") ? "" : "\n";
+    writeGitignoreSafely(gitignorePath, content + trailing + entry + "\n");
+    log("Updated .gitignore.");
+  }
+}
+function writeGitignoreSafely(gitignorePath, content) {
+  try {
+    unlinkSync2(gitignorePath);
+  } catch {
+  }
+  writeFileSync2(gitignorePath, content, "utf-8");
+}
+
+// src/docker.ts
+import { ExecaError, execa } from "execa";
+import { join as join5 } from "path";
+async function assertDockerAvailable() {
+  try {
+    await execa("docker", ["info"], {
+      timeout: 3e3,
+      stdio: "ignore"
+    });
+  } catch (err) {
+    if (err instanceof ExecaError && err.timedOut) {
+      throw new Error(
+        "Docker daemon did not respond within 3 seconds. Is Docker Desktop / colima running?"
+      );
+    }
+    throw new Error(
+      "Docker daemon not reachable. Start Docker Desktop / colima and retry."
+    );
+  }
+  let composeVersion;
+  try {
+    const result = await execa("docker", ["compose", "version", "--short"], {
+      timeout: 3e3
+    });
+    composeVersion = result.stdout.trim();
+  } catch (err) {
+    if (err instanceof ExecaError && err.timedOut) {
+      throw new Error(
+        "`docker compose version` did not respond within 3 seconds."
+      );
+    }
+    throw new Error(
+      "Requires Docker Compose v2 (docker compose). Could not detect version."
+    );
+  }
+  const normalized = composeVersion.startsWith("v") ? composeVersion.slice(1) : composeVersion;
+  const majorPart = normalized.split(".")[0] ?? "";
+  const major = Number.parseInt(majorPart, 10);
+  if (!Number.isFinite(major) || major < 2) {
+    throw new Error(
+      `Requires Docker Compose v2 or newer. Found '${composeVersion}'; please upgrade.`
+    );
+  }
+}
+function composeFlags(vibeDir) {
+  return [
+    "compose",
+    "-f",
+    join5(vibeDir, "docker-compose.sandbox.yml"),
+    "-f",
+    join5(vibeDir, "docker-compose.override.yml")
+  ];
+}
+async function composeBuild(vibeDir) {
+  await execa(
+    "docker",
+    [
+      "compose",
+      "-f",
+      join5(vibeDir, "docker-compose.sandbox.yml"),
+      "build"
+    ],
+    { stdio: "inherit" }
+  );
+  await execa("docker", [...composeFlags(vibeDir), "build"], {
+    stdio: "inherit"
+  });
+}
+async function composeRun(vibeDir) {
+  await execa(
+    "docker",
+    [...composeFlags(vibeDir), "run", "--rm", "sandbox"],
+    {
+      stdio: "inherit"
+    }
+  );
+}
+
+// src/commands/up.ts
+async function up() {
+  const cwd = process.cwd();
+  const vibeDir = findSandboxVibeDir(cwd);
+  if (!vibeDir) {
+    throw new Error(
+      `No ${SANDBOX_VIBE_DIR}/ found in current directory. Run 'sandbox-vibe init' first or cd into the project root.`
+    );
+  }
+  await assertDockerAvailable();
+  log("Building images...");
+  await composeBuild(vibeDir);
+  log("Starting Claude REPL...");
+  await composeRun(vibeDir);
+}
+
+// src/cli.ts
+var PKG_PATH = join6(
+  dirname2(fileURLToPath2(import.meta.url)),
+  "..",
+  "package.json"
+);
+function getVersion() {
+  try {
+    const pkg = JSON.parse(readFileSync3(PKG_PATH, "utf-8"));
+    return pkg.version;
+  } catch {
+    return "0.0.0";
+  }
+}
+var program = new Command();
+program.name("sandbox-vibe").description(
+  "Plug-and-play Docker sandbox for Claude Code with idempotent plugin and MCP bootstrap and security limits enforced by default."
+).version(getVersion(), "-v, --version", "output the current version");
+program.command("init").description(
+  "Generate the .sandbox-vibe/ directory in the current project."
+).option(
+  "-f, --force",
+  "overwrite an existing .sandbox-vibe/ without confirmation"
+).option(
+  "--non-interactive",
+  "skip the wizard and use defaults (suitable for CI)"
+).action(
+  async (opts) => {
+    await init({
+      force: opts.force,
+      nonInteractive: opts.nonInteractive
+    });
+  }
+);
+program.command("up").description("Build the sandbox images and drop into the Claude REPL.").action(async () => {
+  await up();
+});
+program.command("bump-marker").description(
+  "Increment the bootstrap marker to force re-bootstrap on next up."
+).action(async () => {
+  await bumpMarker();
+});
+try {
+  await program.parseAsync(process.argv);
+} catch (err) {
+  if (isAbortError(err)) {
+    log("Aborted.");
+    process.exit(0);
+  }
+  logError(describeError(err));
+  process.exit(1);
+}
+function describeError(err) {
+  let raw;
+  if (err instanceof Error) {
+    const maybeExeca = err;
+    raw = typeof maybeExeca.shortMessage === "string" ? maybeExeca.shortMessage : err.message;
+  } else {
+    raw = `Unknown error: ${String(err)}`;
+  }
+  const home = homedir2();
+  return home.length > 0 ? raw.replaceAll(home, "~") : raw;
+}
+//# sourceMappingURL=cli.mjs.map