sandhop 0.1.0

package/dist/cli/args.js

@@ -0,0 +1,82 @@
+import { PROVIDER_IDS } from "../providers/index.js";
+import { CloudflaredTransport } from "../transports/cloudflared.js";
+import { PublicTransport } from "../transports/public.js";
+export const readFlag = (argv, name) => {
+    const index = argv.indexOf(name);
+    if (index < 0)
+        return undefined;
+    const value = argv[index + 1];
+    if (!value)
+        throw new Error(`${name} requires a value`);
+    return value;
+};
+const readRequiredFlag = (argv, name) => {
+    const value = readFlag(argv, name);
+    if (value === undefined)
+        throw new Error(`${name} is required`);
+    return value;
+};
+export const readAgent = (value) => {
+    if (value === undefined)
+        return undefined;
+    if (value === "claude-code" || value === "codex")
+        return value;
+    throw new Error(`Unknown agent ${value}`);
+};
+const readRequiredAgent = (value) => {
+    const agent = readAgent(value);
+    if (agent === undefined)
+        throw new Error("--agent is required");
+    return agent;
+};
+export const readTransport = (value) => {
+    if (value === undefined)
+        return "public";
+    if (value === "public" || value === "cloudflared")
+        return value;
+    throw new Error("--tunnel must be 'public' or 'cloudflared'");
+};
+const readOptionalTransport = (value) => value === undefined ? undefined : readTransport(value);
+const isProviderId = (value) => PROVIDER_IDS.includes(value);
+export const readProvider = (value) => {
+    if (value === undefined)
+        return "e2b";
+    if (isProviderId(value))
+        return value;
+    throw new Error(`--provider must be one of: ${PROVIDER_IDS.join(", ")}`);
+};
+const readOptionalProvider = (value) => value === undefined ? undefined : readProvider(value);
+const readCmd = (value) => {
+    if (value === "list" || value === "kill" || value === "setup")
+        return value;
+    return "push";
+};
+export const parseArgs = (argv, cwd) => {
+    const cmd = readCmd(argv[0]);
+    return {
+        cmd,
+        agent: readAgent(readFlag(argv, "--agent")),
+        session: readFlag(argv, "--session"),
+        killId: cmd === "kill" ? argv[1] : undefined,
+        cwd: readFlag(argv, "--cwd") ?? cwd,
+        provider: readOptionalProvider(readFlag(argv, "--provider")),
+        transport: readOptionalTransport(argv.includes("--tunnel") ? readFlag(argv, "--tunnel") : undefined),
+        profile: !argv.includes("--no-profile"),
+    };
+};
+export const parseEnrichArgs = (argv) => ({
+    sandboxId: readRequiredFlag(argv, "--sandbox-id"),
+    agent: readRequiredAgent(readRequiredFlag(argv, "--agent")),
+    cwd: readRequiredFlag(argv, "--cwd"),
+    provider: readProvider(readRequiredFlag(argv, "--provider")),
+    profile: !argv.includes("--no-profile"),
+    strict: argv.includes("--strict"),
+});
+export const buildTransport = (args, hostEnv) => {
+    if (args.transport !== "cloudflared")
+        return new PublicTransport();
+    return new CloudflaredTransport({
+        token: hostEnv.CLOUDFLARE_TUNNEL_TOKEN,
+        hostname: hostEnv.CLOUDFLARE_TUNNEL_HOSTNAME,
+    });
+};

package/dist/cli/config.js

@@ -0,0 +1,34 @@
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync, } from "node:fs";
+import { joinPath } from "../core/paths.js";
+const DIR_MODE = 0o700;
+const FILE_MODE = 0o600;
+export const configDir = (home) => joinPath(process.env["XDG_CONFIG_HOME"] ?? joinPath(home, ".config"), "sandhop");
+export const configPath = (home) => joinPath(configDir(home), "config.json");
+export const loadConfig = (home) => {
+    const path = configPath(home);
+    if (!existsSync(path))
+        return null;
+    return JSON.parse(readFileSync(path, "utf8"));
+};
+export const saveConfig = (home, cfg) => {
+    const dir = configDir(home);
+    mkdirSync(dir, { recursive: true, mode: DIR_MODE });
+    chmodSync(dir, DIR_MODE);
+    const path = configPath(home);
+    writeFileSync(path, `${JSON.stringify(cfg, null, 2)}\n`, { mode: FILE_MODE });
+    chmodSync(path, FILE_MODE);
+};
+const setMissing = (env, key, value) => {
+    if (env[key] === undefined)
+        env[key] = value;
+};
+export const applyConfigToEnv = (cfg, env) => {
+    for (const [key, value] of Object.entries(cfg.credentials))
+        setMissing(env, key, value);
+    setMissing(env, "SANDHOP_PROVIDER", cfg.defaultProvider);
+    setMissing(env, "SANDHOP_TRANSPORT", cfg.transport);
+    if (cfg.cloudflare?.token !== undefined)
+        setMissing(env, "CLOUDFLARE_TUNNEL_TOKEN", cfg.cloudflare.token);
+    if (cfg.cloudflare?.hostname !== undefined)
+        setMissing(env, "CLOUDFLARE_TUNNEL_HOSTNAME", cfg.cloudflare.hostname);
+};

package/dist/cli/enrich.js

@@ -0,0 +1,50 @@
+import { pathToFileURL } from "node:url";
+import { pickAgent } from "../agents/index.js";
+import { BootstrapService, } from "../core/services/bootstrap.js";
+import { EnrichmentService, } from "../core/services/enrichment.js";
+import { McpCodeService } from "../core/services/mcp-code.js";
+import { ProfileService } from "../core/services/profile.js";
+import { ReinstallService } from "../core/services/reinstall.js";
+import { SecretsService } from "../core/services/secrets.js";
+import { ScriptCaptureService } from "../core/services/scripts.js";
+import { TransferService } from "../core/services/transfer.js";
+import { buildProvider } from "../providers/index.js";
+import { parseEnrichArgs } from "./args.js";
+import { buildHost } from "./host.js";
+const hasFailedStep = (steps) => steps.some((step) => !step.ok);
+const isStrict = (strict) => strict || process.env["SANDHOP_STRICT"] === "1";
+const buildEnrichmentServices = (host, agent, sandbox) => ({
+    sandbox,
+    transfer: new TransferService(host, sandbox),
+    profile: new ProfileService(host, agent),
+    mcpCode: new McpCodeService(host, agent),
+    reinstall: new ReinstallService(host, agent),
+    secrets: new SecretsService(host, agent),
+    scripts: new ScriptCaptureService(host),
+    bootstrap: new BootstrapService(agent),
+});
+export const runEnrichment = async (args, host, sandbox) => {
+    const agent = pickAgent(args.agent);
+    return new EnrichmentService(agent, buildEnrichmentServices(host, agent, sandbox)).run(args.cwd, args.profile);
+};
+export const runEnrich = async (argv) => {
+    const args = parseEnrichArgs(argv);
+    const host = buildHost();
+    const sandbox = await buildProvider(args.provider, host).connect(args.sandboxId);
+    return {
+        strict: args.strict,
+        steps: await runEnrichment(args, host, sandbox),
+    };
+};
+export const runEnrichCli = async (argv) => {
+    try {
+        const result = await runEnrich(argv);
+        return isStrict(result.strict) && hasFailedStep(result.steps) ? 1 : 0;
+    }
+    catch (error) {
+        console.error(error instanceof Error ? error.message : String(error));
+        return 1;
+    }
+};
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href)
+    runEnrichCli(process.argv.slice(2)).then((code) => process.exit(code));

package/dist/cli/host.js

@@ -0,0 +1,7 @@
+import { NodeHost } from "../host/node.js";
+export const buildHost = () => {
+    const home = process.env["HOME"];
+    if (home === undefined)
+        throw new Error("HOME is required");
+    return new NodeHost(process.env, home);
+};

package/dist/cli/install-command.js

@@ -0,0 +1,35 @@
+import { existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { joinPath } from "../core/paths.js";
+export const CLAUDE_COMMAND = `---
+description: Teleport this Claude Code session to a cloud sandbox (sandhop)
+allowed-tools: Bash
+---
+
+Run \`sandhop push\` in the current working directory. Surface the SANDHOP_URL and
+SANDHOP_AUTH from its output prominently so the user can open the web terminal.
+`;
+export const CODEX_PROMPT = `---
+description: Teleport this Codex session to a cloud sandbox (sandhop)
+---
+
+Run the shell command \`sandhop push\` in the current working directory and show me the
+resulting SANDHOP_URL and SANDHOP_AUTH so I can open the web terminal.
+`;
+export const installCommands = (home) => {
+    const installed = [];
+    const claudeDir = joinPath(home, ".claude");
+    if (existsSync(claudeDir)) {
+        const commandsDir = joinPath(claudeDir, "commands");
+        mkdirSync(commandsDir, { recursive: true });
+        writeFileSync(joinPath(commandsDir, "sandhop.md"), CLAUDE_COMMAND);
+        installed.push("Claude Code");
+    }
+    const codexDir = joinPath(home, ".codex");
+    if (existsSync(codexDir)) {
+        const promptsDir = joinPath(codexDir, "prompts");
+        mkdirSync(promptsDir, { recursive: true });
+        writeFileSync(joinPath(promptsDir, "sandhop.md"), CODEX_PROMPT);
+        installed.push("Codex");
+    }
+    return installed;
+};

package/dist/cli/main.js

@@ -0,0 +1,110 @@
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { detectAgents, pickAgent, selectDefaultAgent, } from "../agents/index.js";
+import { CredentialError } from "../core/errors.js";
+import { AuthService } from "../core/services/auth.js";
+import { BootstrapService } from "../core/services/bootstrap.js";
+import { SecretsService } from "../core/services/secrets.js";
+import { SessionService } from "../core/services/session.js";
+import { TeleportService } from "../core/services/teleport.js";
+import { VersionService } from "../core/services/version.js";
+import { buildProvider } from "../providers/index.js";
+import { buildTransport, parseArgs, readProvider, readTransport, } from "./args.js";
+import { applyConfigToEnv, loadConfig, } from "./config.js";
+import { buildHost } from "./host.js";
+import { runSetup } from "./setup.js";
+const withRuntimeDefaults = (args, host) => {
+    const config = loadConfig(host.home);
+    if (config !== null)
+        applyConfigToEnv(config, host.env);
+    return {
+        ...args,
+        provider: args.provider ?? readProvider(host.env["SANDHOP_PROVIDER"]),
+        transport: args.transport ?? readTransport(host.env["SANDHOP_TRANSPORT"]),
+    };
+};
+const runPush = async (args, host, onProgress) => {
+    const provider = buildProvider(args.provider, host);
+    const detected = args.agent === undefined ? detectAgents(host, args.cwd) : undefined;
+    let agent;
+    if (args.agent === undefined) {
+        if (detected === undefined)
+            throw new Error("Agent detection failed");
+        agent = selectDefaultAgent(detected);
+    }
+    else {
+        agent = pickAgent(args.agent);
+    }
+    const sessions = agent.matchSession(host, args.cwd);
+    if (sessions.length === 0)
+        throw new Error(args.agent === undefined
+            ? `No Claude Code or Codex session found for ${args.cwd}`
+            : `No ${agent.id} session found for ${args.cwd}`);
+    if (detected !== undefined && detected.length > 1)
+        console.error(`Multiple agents found; using ${agent.id}`);
+    const service = new TeleportService(provider, agent, {
+        host,
+        session: new SessionService(host, agent),
+        secrets: new SecretsService(host, agent),
+        auth: new AuthService(host, agent),
+        version: new VersionService(host, agent),
+        bootstrap: new BootstrapService(agent),
+    });
+    const result = await service.run(args.cwd, {
+        sessionId: args.session,
+        transport: buildTransport(args, host.env),
+        timeoutMs: 3_600_000,
+        onProgress,
+    });
+    console.log(`SANDHOP_URL ${result.url}`);
+    console.log(`SANDHOP_AUTH ${result.user}:${result.pass}`);
+    console.log(`SANDHOP_ENRICHING ${result.sandboxId}`);
+    console.log("enrichment running in background (profile, skills, MCP servers)");
+    const enrichPath = fileURLToPath(new URL("./enrich.js", import.meta.url));
+    host.spawnDetached(process.execPath, [
+        enrichPath,
+        "--sandbox-id",
+        result.sandboxId,
+        "--agent",
+        agent.id,
+        "--cwd",
+        args.cwd,
+        "--provider",
+        args.provider,
+        ...(args.profile ? [] : ["--no-profile"]),
+    ], { cwd: args.cwd, env: process.env });
+};
+export const main = async (argv) => {
+    const args = parseArgs(argv, process.cwd());
+    if (args.cmd === "setup") {
+        await runSetup(buildHost());
+        return;
+    }
+    const host = buildHost();
+    const runtimeArgs = withRuntimeDefaults(args, host);
+    if (args.cmd === "list") {
+        const provider = buildProvider(runtimeArgs.provider, host);
+        for (const sandbox of await provider.list())
+            console.log(`${sandbox.id}\t${sandbox.startedAt.toISOString()}`);
+        return;
+    }
+    if (args.cmd === "kill") {
+        const provider = buildProvider(runtimeArgs.provider, host);
+        if (args.killId === undefined)
+            throw new Error("kill requires a sandbox id");
+        console.log((await provider.destroy(args.killId)) ? "killed" : "not found");
+        return;
+    }
+    await runPush(runtimeArgs, host, (msg) => console.error(msg));
+    process.exit(0);
+};
+const formatCliError = (error) => {
+    const message = error instanceof Error ? error.message : String(error);
+    if (error instanceof CredentialError)
+        return `${message}\nRun \`sandhop setup\` to configure a provider.`;
+    return message;
+};
+if (process.argv[1] && import.meta.url === pathToFileURL(process.argv[1]).href)
+    main(process.argv.slice(2)).catch((error) => {
+        console.error(formatCliError(error));
+        process.exit(1);
+    });

package/dist/cli/setup.js

@@ -0,0 +1,169 @@
+import { confirm, intro, isCancel, multiselect, note, outro, password, select, text, } from "@clack/prompts";
+import { PROVIDER_IDS, PROVIDER_INFO, } from "../providers/index.js";
+import { loadConfig, saveConfig, } from "./config.js";
+import { installCommands } from "./install-command.js";
+const cancelSetup = () => {
+    outro("Cancelled");
+    return null;
+};
+const readPrompt = (value) => isCancel(value) ? cancelSetup() : value;
+const existingCredential = (host, stored, env) => {
+    const envValue = host.env[env];
+    if (envValue !== undefined)
+        return envValue;
+    if (stored === null)
+        return undefined;
+    return stored.credentials[env];
+};
+const selectedInitialProviders = (host, stored) => {
+    const selected = PROVIDER_IDS.filter((id) => PROVIDER_INFO[id].credentials.some((field) => existingCredential(host, stored, field.env) !== undefined));
+    return selected.length === 0 ? ["e2b"] : selected;
+};
+const credentialMessage = (info, field, existing) => existing === undefined
+    ? `${field.label} (${info.docsUrl})`
+    : field.required
+        ? `${field.label} (${info.docsUrl}; stored value present, leave blank to keep)`
+        : `${field.label} (${info.docsUrl}; optional, clear to omit)`;
+const validateRequired = (field, existing) => (value) => {
+    if (!field.required)
+        return undefined;
+    if (value !== undefined && value.length > 0)
+        return undefined;
+    if (existing !== undefined)
+        return undefined;
+    return `${field.label} is required`;
+};
+const askCredential = async (host, stored, info, field) => {
+    const existing = existingCredential(host, stored, field.env);
+    const message = credentialMessage(info, field, existing);
+    const value = readPrompt(field.secret
+        ? await password({
+            message,
+            mask: "*",
+            validate: validateRequired(field, existing),
+        })
+        : await text({
+            message,
+            initialValue: existing,
+            validate: validateRequired(field, existing),
+        }));
+    if (value === null)
+        return null;
+    if (value !== undefined && value.length > 0)
+        return value;
+    if (field.required && existing !== undefined)
+        return existing;
+    return undefined;
+};
+const askCloudflareValue = async (label, stored, secret) => {
+    const field = { env: label, label, secret, required: true };
+    const message = stored === undefined
+        ? label
+        : `${label} (stored value present, leave blank to keep)`;
+    const value = readPrompt(secret
+        ? await password({
+            message,
+            mask: "*",
+            validate: validateRequired(field, stored),
+        })
+        : await text({
+            message,
+            initialValue: stored,
+            validate: validateRequired(field, stored),
+        }));
+    if (value === null)
+        return null;
+    if (value !== undefined && value.length > 0)
+        return value;
+    if (stored !== undefined)
+        return stored;
+    throw new Error(`${label} is required`);
+};
+export const runSetup = async (host) => {
+    const stored = loadConfig(host.home);
+    intro("sandhop setup");
+    const providers = readPrompt(await multiselect({
+        message: "Configure sandbox provider credentials",
+        options: PROVIDER_IDS.map((id) => ({
+            value: id,
+            label: PROVIDER_INFO[id].label,
+            hint: PROVIDER_INFO[id].docsUrl,
+        })),
+        initialValues: selectedInitialProviders(host, stored),
+        required: true,
+    }));
+    if (providers === null)
+        return;
+    const firstProvider = providers[0];
+    if (firstProvider === undefined)
+        throw new Error("At least one provider is required");
+    const credentials = {};
+    for (const provider of providers) {
+        const info = PROVIDER_INFO[provider];
+        for (const field of info.credentials) {
+            const value = await askCredential(host, stored, info, field);
+            if (value === null)
+                return;
+            if (value !== undefined)
+                credentials[field.env] = value;
+        }
+    }
+    const storedDefaultProvider = stored?.defaultProvider;
+    const defaultProvider = readPrompt(await select({
+        message: "Default provider",
+        options: providers.map((id) => ({
+            value: id,
+            label: PROVIDER_INFO[id].label,
+        })),
+        initialValue: storedDefaultProvider !== undefined &&
+            providers.includes(storedDefaultProvider)
+            ? storedDefaultProvider
+            : firstProvider,
+    }));
+    if (defaultProvider === null)
+        return;
+    const transport = readPrompt(await select({
+        message: "Transport",
+        options: [
+            { value: "public", label: "public (provider URL + basic auth)" },
+            { value: "cloudflared", label: "cloudflared tunnel" },
+        ],
+        initialValue: stored?.transport,
+    }));
+    if (transport === null)
+        return;
+    let cloudflare;
+    if (transport === "cloudflared") {
+        const namedTunnel = readPrompt(await confirm({
+            message: "named tunnel (Access-gated)?",
+            initialValue: stored?.cloudflare !== undefined,
+        }));
+        if (namedTunnel === null)
+            return;
+        if (namedTunnel) {
+            const token = await askCloudflareValue("Cloudflare tunnel token", stored?.cloudflare?.token, true);
+            if (token === null)
+                return;
+            const hostname = await askCloudflareValue("Cloudflare tunnel hostname", stored?.cloudflare?.hostname, false);
+            if (hostname === null)
+                return;
+            cloudflare = { token, hostname };
+        }
+    }
+    saveConfig(host.home, {
+        defaultProvider,
+        transport,
+        cloudflare,
+        credentials,
+    });
+    const installed = installCommands(host.home);
+    note([
+        `Configured providers: ${providers.map((id) => PROVIDER_INFO[id].label).join(", ")}`,
+        `Default provider: ${PROVIDER_INFO[defaultProvider].label}`,
+        `Transport: ${transport}`,
+        installed.length === 0
+            ? "No Claude Code or Codex home detected; install /sandhop after opening an agent."
+            : `Installed /sandhop to: ${installed.join(", ")}`,
+    ].join("\n"), "Summary");
+    outro("Open Claude Code or Codex in a project and type /sandhop to teleport.");
+};

package/dist/core/encode.js

@@ -0,0 +1 @@
+export const projectDirName = (cwd) => cwd.replace(/[^A-Za-z0-9]/g, "-");

package/dist/core/env.js

@@ -0,0 +1,5 @@
+export const collectEnvRefs = (text) => [
+    ...text.matchAll(/(?:\$\{([A-Z][A-Z0-9_]*)\}|\$([A-Z][A-Z0-9_]*)|process\.env\.([A-Z][A-Z0-9_]*))/g),
+]
+    .map((match) => match[1] ?? match[2] ?? match[3])
+    .filter((name) => name !== undefined);

package/dist/core/errors.js

@@ -0,0 +1,11 @@
+export class CredentialError extends Error {
+}
+export const formatErrorText = (error) => {
+    if (!(error instanceof Error))
+        return String(error);
+    const cause = error.cause;
+    if (cause === undefined)
+        return error.message;
+    return `${error.message}\n${formatErrorText(cause)}`;
+};
+export const formatErrorStack = (error) => error instanceof Error ? (error.stack ?? error.message) : String(error);

package/dist/core/json.js

@@ -0,0 +1 @@
+export const isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);

package/dist/core/manifest.js

@@ -0,0 +1,12 @@
+import { projectDirName } from "./encode.js";
+export const buildManifest = (args) => {
+    return {
+        agent: args.agent,
+        cliVersion: args.cliVersion,
+        remoteProj: args.cwd,
+        remoteEnc: projectDirName(args.cwd),
+        sessionId: args.sessionId,
+        transcriptName: args.transcriptName,
+        ts: args.ts,
+    };
+};

package/dist/core/mcp-timeout.js

@@ -0,0 +1,2 @@
+export const MCP_STARTUP_TIMEOUT_SEC = 120;
+export const MCP_TIMEOUT_MS = MCP_STARTUP_TIMEOUT_SEC * 1000;

package/dist/core/paths.js

@@ -0,0 +1,51 @@
+import { posix } from "node:path";
+export const SANDBOX_HOME = "/home/user";
+export const dirname = posix.dirname;
+export const basename = posix.basename;
+export const joinPath = (dir, path) => {
+    if (dir === ".")
+        return path;
+    if (dir === "/")
+        return `/${path}`;
+    return `${dir}/${path}`;
+};
+export const normalizePath = (path) => {
+    const absolute = path.startsWith("/");
+    const parts = [];
+    for (const part of path.split("/")) {
+        if (part === "" || part === ".")
+            continue;
+        if (part === "..") {
+            parts.pop();
+            continue;
+        }
+        parts.push(part);
+    }
+    const normalized = parts.join("/");
+    if (absolute)
+        return `/${normalized}`;
+    return normalized;
+};
+export const expandHome = (path, home) => path
+    .replace(/^~/, home)
+    .replaceAll("${HOME}", home)
+    .replaceAll("$HOME", home);
+export const sandboxExpandHome = (path) => expandHome(path, SANDBOX_HOME);
+export const expandEnv = (value, home, env) => expandHome(value, home).replace(/\$\{([A-Z][A-Z0-9_]*)\}|\$([A-Z][A-Z0-9_]*)/g, (token, braced, bare) => {
+    const name = braced ?? bare;
+    if (name === undefined)
+        return token;
+    const envValue = env[name];
+    return envValue === undefined ? token : envValue;
+});
+export const makeTempPath = (name) => `/tmp/sandhop-${Date.now()}-${name}`;
+export const uniqueSorted = (values) => [...new Set(values)].sort();
+export const listSkillNames = (host, skillsRoot) => {
+    if (!host.exists(skillsRoot))
+        return [];
+    return uniqueSorted(host
+        .walk(skillsRoot)
+        .map((path) => path.slice(skillsRoot.length + 1))
+        .filter((path) => path.length > 0)
+        .map((path) => path.split("/")[0]));
+};

package/dist/core/ports/agent.js

@@ -0,0 +1 @@
+export {};

package/dist/core/ports/host.js

@@ -0,0 +1 @@
+export {};

package/dist/core/ports/provider.js

@@ -0,0 +1 @@
+export {};

package/dist/core/ports/transport.js

@@ -0,0 +1 @@
+export {};

package/dist/core/rand.js

@@ -0,0 +1,6 @@
+const TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+export const randomToken = (length) => {
+    const bytes = new Uint8Array(length);
+    globalThis.crypto.getRandomValues(bytes);
+    return [...bytes].map((byte) => TOKEN_ALPHABET[byte & 63]).join("");
+};

package/dist/core/sandbox-scripts.js

@@ -0,0 +1,54 @@
+import { CLAUDE_JSON_PATH } from "../agents/claude-paths.js";
+export const buildClaudePreSeedScript = (remoteProj) => [
+    'const fs=require("fs")',
+    `const f=process.env.HOME+${JSON.stringify(`/${CLAUDE_JSON_PATH}`)}`,
+    'const j=fs.existsSync(f)?JSON.parse(fs.readFileSync(f,"utf8")):{}',
+    "j.hasCompletedOnboarding=true",
+    'if(!Object.hasOwn(j,"projects"))j.projects={}',
+    `j.projects[${JSON.stringify(remoteProj)}]={hasTrustDialogAccepted:true,hasCompletedProjectOnboarding:true}`,
+    'if(process.env.ANTHROPIC_API_KEY){if(!Object.hasOwn(j,"customApiKeyResponses"))j.customApiKeyResponses={};j.customApiKeyResponses.approved=[process.env.ANTHROPIC_API_KEY.slice(-20)];j.customApiKeyResponses.rejected=[]}',
+    "fs.writeFileSync(f,JSON.stringify(j))",
+].join(";");
+export const buildCodexPreSeedScript = (remoteProj) => [
+    'const fs=require("fs")',
+    'const f=process.env.HOME+"/.codex/config.toml"',
+    `const project=${JSON.stringify(remoteProj)}`,
+    'const projectHeader="[projects."+JSON.stringify(project)+"]"',
+    'const root=["approval_policy = \\"never\\"","sandbox_mode = \\"danger-full-access\\"","cli_auth_credentials_store = \\"file\\""]',
+    "const rootKey=/^(approval_policy|sandbox_mode|cli_auth_credentials_store)\\s*=/",
+    'let lines=fs.existsSync(f)?fs.readFileSync(f,"utf8").split(/\\r?\\n/):[]',
+    'if(lines.length===1&&lines[0]==="")lines=[]',
+    "let table=false",
+    "const kept=[]",
+    "for(const line of lines){if(/^\\s*\\[/.test(line))table=true;if(!table&&rootKey.test(line.trim()))continue;kept.push(line)}",
+    "const withoutProject=[]",
+    "for(let i=0;i<kept.length;i++){if(kept[i].trim()===projectHeader){i++;while(i<kept.length&&!/^\\s*\\[/.test(kept[i]))i++;i--}else withoutProject.push(kept[i])}",
+    'while(withoutProject[withoutProject.length-1]==="")withoutProject.pop()',
+    "const firstTable=withoutProject.findIndex(line=>/^\\s*\\[/.test(line))",
+    "const beforeRoot=firstTable===-1?withoutProject:withoutProject.slice(0,firstTable)",
+    "const afterRoot=firstTable===-1?[]:withoutProject.slice(firstTable)",
+    "const out=[...beforeRoot]",
+    'if(out.length>0&&out[out.length-1]!=="")out.push("")',
+    "out.push(...root)",
+    'if(afterRoot.length>0)out.push("",...afterRoot)',
+    'out.push("",projectHeader,"trust_level = \\"trusted\\"")',
+    'fs.mkdirSync(process.env.HOME+"/.codex",{recursive:true})',
+    'fs.writeFileSync(f,out.join("\\n")+"\\n")',
+].join(";");
+export const buildPruneMcpTablesScript = (path) => [
+    'const fs=require("fs")',
+    `const f=${JSON.stringify(path)}.replace("$HOME",process.env.HOME)`,
+    'const lines=fs.readFileSync(f,"utf8").split(/\\r?\\n/)',
+    "const out=[]",
+    "let skip=false",
+    "for(const line of lines){if(/^\\s*\\[mcp_servers(?:\\.|\\])/.test(line)){skip=true;continue}if(skip&&/^\\s*\\[/.test(line))skip=false;if(!skip)out.push(line)}",
+    'fs.writeFileSync(f,out.join("\\n").replace(/\\n*$/,"\\n"))',
+].join(";");
+export const buildMergeClaudeMcpScript = (path, content) => [
+    'const fs=require("fs")',
+    `const f=${JSON.stringify(path)}.replace("$HOME",process.env.HOME)`,
+    `const s=JSON.parse(${JSON.stringify(content)})`,
+    'const j=fs.existsSync(f)?JSON.parse(fs.readFileSync(f,"utf8")):{}',
+    "j.mcpServers=s",
+    'fs.writeFileSync(f,JSON.stringify(j,null,2)+"\\n")',
+].join(";");