PyPI - dev-bubble - Versions diffs - 0.7.8__tar.gz → 0.7.10__tar.gz - Mend

dev-bubble 0.7.8tar.gz → 0.7.10tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

{dev_bubble-0.7.8 → dev_bubble-0.7.10}/.claude/CLAUDE.md RENAMED Viewed

@@ -139,15 +139,15 @@ The auth proxy (`auth_proxy.py`) provides repo-scoped GitHub authentication with
 **gh CLI flow:** `gh` configured with `http_unix_socket: /bubble/gh-proxy.sock` (via `GH_CONFIG_DIR=/etc/bubble/gh`) → sends requests through Unix socket → proxy validates token from `Authorization` header → enforces access level (REST repo-scoping, GraphQL mutation filtering) → adds real token → forwards to `https://api.github.com`.
-**GraphQL validation** (`graphql_validator.py`): GraphQL access is controlled by two independent axes — `graphql_read` and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none` modes. The default is `whitelisted` for both. In whitelisted mode, a lightweight tokenizer/parser validates structure (single operation, single top-level field, no aliases/directives, no fragments in mutations) and semantics. Read validation repo-scopes `repository` queries via variables, verifies `node` queries via pre-flight ownership checks, and checks second-level fields against an allowlist. Write validation checks mutations against an allowlist (createPullRequest, addComment, mergePullRequest, etc.) with repo-scoping via repositoryId comparison or pre-flight node ownership verification. Old tokens without `graphql_*` fields derive policies from the legacy `level` field for backward compatibility.
+**GraphQL validation** (`graphql_validator.py`): GraphQL access is controlled by two independent axes — `graphql_read` and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none` modes. The default is `whitelisted` for both. In whitelisted mode, a lightweight tokenizer/parser validates structure (single operation, single top-level field, no aliases/directives, no fragments in mutations) and semantics. Read validation repo-scopes `repository` queries via variables, verifies `node` queries via pre-flight ownership checks, and checks second-level fields against an allowlist. Write validation checks mutations against an allowlist (createPullRequest, addComment, mergePullRequest, etc.) with repo-scoping via repositoryId comparison or pre-flight node ownership verification.
-**REST security:** REST paths validated against `/repos/{owner}/{repo}/...` (repo-scoped). REST level defaults to `LEVEL_GH_READWRITE` since path validation already constrains access. API redirects (e.g. CI log downloads) followed with hardened rules: GET/HEAD only, HTTPS only, allowlisted hosts, max 2 hops, auth headers stripped. GitHub 4xx errors are passed through to clients (not collapsed to 502).
+**REST security:** REST paths validated against `/repos/{owner}/{repo}/...` (repo-scoped). All HTTP methods are allowed when REST access is enabled, since path validation already constrains access to the scoped repo. API redirects (e.g. CI log downloads) followed with hardened rules: GET/HEAD only, HTTPS only, allowlisted hosts, max 2 hops, auth headers stripped. GitHub 4xx errors are passed through to clients (not collapsed to 502).
 **Local bubbles:** Exposed via Incus proxy devices — TCP for git, Unix socket for gh (`listen=unix:/bubble/gh-proxy.sock`).
 **Remote/cloud bubbles:** SSH reverse tunnel forwards the local proxy port. Incus proxy devices on the remote expose both TCP and Unix socket endpoints.
-**Token management:** Per-container tokens in `~/.bubble/auth-tokens.json` map to `{container, owner, repo, level, graphql_read, graphql_write}`. Tokens are cleaned up on `bubble pop`. The daemon is managed via launchd/systemd.
+**Token management:** Per-container tokens in `~/.bubble/auth-tokens.json` map to `{container, owner, repo, rest_api, graphql_read, graphql_write}`. Tokens are cleaned up on `bubble pop`. The daemon is managed via launchd/systemd.
 ### Security Model
 The `user` account has no sudo and a locked password. Network allowlisting is applied on container creation. SSH keys are injected via `incus file push` (not shell interpolation). All user-supplied values in shell commands are quoted with `shlex.quote()`. Each container mounts only its specific bare repo, not the entire git store.

{dev_bubble-0.7.8/dev_bubble.egg-info → dev_bubble-0.7.10}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: dev-bubble
-Version: 0.7.8
+Version: 0.7.10
 Summary: Containerized development environments powered by Incus
 Author-email: Kim Morrison <kim@tqft.net>
 License-Expression: Apache-2.0
@@ -43,7 +43,7 @@ We assume that you work using VSCode, emacs, or neovim, and that you collaborate
 ```bash
 # Install
-uv tool install dev-bubble
+uv tool install git+https://github.com/kim-em/bubble.git
 # Open a bubble for a GitHub PR — just paste the URL, and you get a containerized VSCode window!
 bubble https://github.com/leanprover-community/mathlib4/pull/35219
@@ -124,11 +124,9 @@ bubble pop mathlib4-pr-35219
 ## Development Install
 ```bash
-# Install from GitHub
-uv tool install git+https://github.com/kim-em/bubble.git
-# For development
-uv pip install -e '.[dev]'
+# Install from a local clone (editable — always uses latest code)
+git clone https://github.com/kim-em/bubble.git
+uv tool install --force --editable bubble
 ```
 ## How It Works
@@ -263,10 +261,10 @@ bubble mathlib4/issues/42
 Claude is instructed to read the issue, implement a fix on the `issue-<number>` branch, and open a PR. This turns `bubble 42` (for an issue) into an autonomous coding agent workflow.
-You can also provide a custom prompt for any bubble via the `BUBBLE_CLAUDE_PROMPT` environment variable:
+You can also provide a custom prompt for any bubble via the `BUBBLE_AI_PROMPT` environment variable:
 ```bash
-BUBBLE_CLAUDE_PROMPT="Refactor the parser module" bubble leanprover/lean4
+BUBBLE_AI_PROMPT="Refactor the parser module" bubble leanprover/lean4
 ```
 Requirements: Claude Code must be installed in the container (see tool settings above), the `gh` CLI must be available on the host (for fetching issue/PR metadata), and the default VS Code editor must be used. With `--shell` or `--no-interactive`, the prompt is not injected. If `gh` is unavailable or the API call fails, bubble proceeds without injecting a prompt.

{dev_bubble-0.7.8 → dev_bubble-0.7.10}/README.md RENAMED Viewed

@@ -9,7 +9,7 @@ We assume that you work using VSCode, emacs, or neovim, and that you collaborate
 ```bash
 # Install
-uv tool install dev-bubble
+uv tool install git+https://github.com/kim-em/bubble.git
 # Open a bubble for a GitHub PR — just paste the URL, and you get a containerized VSCode window!
 bubble https://github.com/leanprover-community/mathlib4/pull/35219
@@ -90,11 +90,9 @@ bubble pop mathlib4-pr-35219
 ## Development Install
 ```bash
-# Install from GitHub
-uv tool install git+https://github.com/kim-em/bubble.git
-# For development
-uv pip install -e '.[dev]'
+# Install from a local clone (editable — always uses latest code)
+git clone https://github.com/kim-em/bubble.git
+uv tool install --force --editable bubble
 ```
 ## How It Works
@@ -229,10 +227,10 @@ bubble mathlib4/issues/42
 Claude is instructed to read the issue, implement a fix on the `issue-<number>` branch, and open a PR. This turns `bubble 42` (for an issue) into an autonomous coding agent workflow.
-You can also provide a custom prompt for any bubble via the `BUBBLE_CLAUDE_PROMPT` environment variable:
+You can also provide a custom prompt for any bubble via the `BUBBLE_AI_PROMPT` environment variable:
 ```bash
-BUBBLE_CLAUDE_PROMPT="Refactor the parser module" bubble leanprover/lean4
+BUBBLE_AI_PROMPT="Refactor the parser module" bubble leanprover/lean4
 ```
 Requirements: Claude Code must be installed in the container (see tool settings above), the `gh` CLI must be available on the host (for fetching issue/PR metadata), and the default VS Code editor must be used. With `--shell` or `--no-interactive`, the prompt is not injected. If `gh` is unavailable or the API call fails, bubble proceeds without injecting a prompt.

{dev_bubble-0.7.8 → dev_bubble-0.7.10}/SPEC.md RENAMED Viewed

@@ -56,7 +56,7 @@ equivalent to `bubble open <url>`.
 | `-b`, `--new-branch` | string | | Create a new branch |
 | `--base` | string | | Base branch for `-b` |
 | `--mount` | string (repeatable) | | Mount host dir into container |
-| `--claude-config/--no-claude-config` | flag | enabled | Mount ~/.claude config read-only |
+| `--ai-config/--no-ai-config` | flag | enabled | Mount AI provider configs read-only |
 | `--claude-credentials/--no-claude-credentials` | flag | enabled | Mount Claude credentials |
 | `--codex-credentials/--no-codex-credentials` | flag | enabled | Mount Codex credentials |
 | `--ssh HOST` | string | | Run on remote host |
@@ -339,9 +339,16 @@ of the versioned image for next time.
 > compromised container could write poisoned `.olean` files that subsequent
 > containers would pick up via `lake exe cache get`. The cache is *not* shared
 > with `lake exe cache` run on the host — only bubble containers are affected.
-> Set `shared-cache` to `off` (via `bubble security set shared-cache off`) to
-> mount the cache read-only and prevent future poisoning. If you suspect the
-> cache has already been compromised, delete `~/.bubble/mathlib-cache/`.
+> Three modes are available via `bubble security set shared-cache`:
+> - `on` (default): shared read-write — fastest, but vulnerable to cache
+>   poisoning across containers
+> - `overlay`: shared cache mounted read-only with a per-container writable
+>   overlayfs layer — fast reads from the shared cache with isolated writes
+>   that don't affect other containers (recommended for security-conscious use)
+> - `off`: shared cache mounted read-only — prevents future poisoning
+>
+> If you suspect the cache has already been compromised, delete
+> `~/.bubble/mathlib-cache/`.
 **Post-clone behavior:**
 - Pre-populate Lake dependencies from `lake-manifest.json` (see 2.4)
@@ -670,6 +677,7 @@ Each tool has:
 | `elan` | 10 | `elan` | — |
 | `claude` | 50 | `claude` | `api.anthropic.com` |
 | `codex` | 50 | `codex` | `api.openai.com` |
+| `gh` | 50 | `gh` | — |
 | `vscode` | 90 | `code` | VS Code marketplace domains |
 | `emacs` | 90 | `emacs` | — |
 | `neovim` | 90 | `nvim` | — |
@@ -701,6 +709,10 @@ versions from a `pins.json` file.
 **`bubble tools set TOOL yes|no|auto`** — configure a tool.
+**VS Code extension auto-install:** When both `claude` and `vscode` tools are
+enabled, the Claude Code VS Code extension (`anthropic.claude-code`) is
+pre-installed in the base image.
 ### 6.4 Drift detection
 A content-aware hash of the enabled tool set (tool names + script contents +
@@ -912,7 +924,7 @@ validation already confirmed the repo exists).
 ### 10.1 Claude Code config mounting
-When `--claude-config` is enabled (default), mount specific items from
+When `--ai-config` is enabled (default), mount specific items from
 `~/.claude/` into `/home/user/.claude/` read-only:
 - `CLAUDE.md`, `settings.json`, `skills/`, `keybindings.json`, `commands/`
@@ -922,6 +934,12 @@ Credential files (`.credentials.json`) are mounted by default. Disable with
 **Symlink safety:** Reject symlinks that escape `~/.claude/` to prevent
 exposing arbitrary host files.
+**Settings pre-population:** During container finalization, `~/.claude.json` is
+written in all containers (not just those with AI task injection). Allowlisted
+settings (theme, onboarding state) are copied from the host, project trust is
+pre-configured for the container's project directory, and
+`hasCompletedOnboarding` is set to skip the first-run wizard.
 ### 10.2 Codex config mounting
 Similar to Claude. Config: `config.toml` (read-only). Credentials: `auth.json`
@@ -941,27 +959,33 @@ Similar to Claude. Config: `config.toml` (read-only). Credentials: `auth.json`
 ### 10.4 GitHub auth proxy
 An HTTP reverse proxy on the host provides GitHub authentication without
-exposing the host's token. Git and REST API requests are repo-scoped;
-GraphQL requests are operation-validated (queries vs mutations) but not
-repo-scoped — see access levels below.
+exposing the host's token. The access level is controlled by the unified
+`github` security setting, which picks one level from a graduated escalation
+ladder (see Security section).
 **Port:** 7654 (default, configurable).
-**Flow:**
-1. Container git is configured with `url.insteadOf` to route HTTPS through the proxy
-2. Container sends request with `X-Bubble-Token` header
-3. Proxy validates token against `~/.bubble/auth-tokens.json` (mode 0600)
-4. For git/REST: proxy checks path matches the allowed `owner/repo`. For GraphQL: proxy validates operation type (queries allowed at level 3, mutations require level 4) but does not scope to a specific repo
-5. Proxy adds `Authorization: token <real-token>` header
-6. Proxy forwards to `https://github.com`
-7. Response returned to container
+**Git flow:** Container git → `url.insteadOf` rewrites to
+`http://127.0.0.1:7654/git/...` → proxy validates `X-Bubble-Token` header →
+checks path matches allowed `owner/repo` → adds `Authorization` header →
+forwards to `https://github.com` → returns response.
+**gh CLI flow:** `gh` configured with `http_unix_socket: /bubble/gh-proxy.sock`
+(via `GH_CONFIG_DIR=/etc/bubble/gh`) → sends requests through Unix socket →
+proxy validates token → enforces access level (REST repo-scoping, GraphQL
+allowlist validation) → adds real token → forwards to `https://api.github.com`.
 **Token format:** `~/.bubble/auth-tokens.json`
 ```json
 {
-  "hex_token": {"container": "name", "owner": "owner", "repo": "repo"}
+  "hex_token": {
+    "container": "name",
+    "owner": "owner",
+    "repo": "repo",
+    "graphql_read": "whitelisted",
+    "graphql_write": "whitelisted"
+  }
 }
-```
 **Allowed paths (git smart HTTP only):**
 - `GET /git/{owner}/{repo}[.git]/info/refs?service=git-upload-pack`
@@ -969,33 +993,53 @@ repo-scoped — see access levels below.
 - `POST /git/{owner}/{repo}[.git]/git-upload-pack`
 - `POST /git/{owner}/{repo}[.git]/git-receive-pack`
-**Access levels (per-container):**
-| Level | Description | Scope |
-|-------|-------------|-------|
-| 1 | Git smart HTTP only (push/pull) | Repo-scoped |
-| 2 | Git + REST API read-only | Repo-scoped (REST paths validated against `/repos/{owner}/{repo}/...`) |
-| 3 (default) | Git + gh read-only (REST read + GraphQL queries) | Git and REST are repo-scoped; **GraphQL is account-wide** — queries can read any data the host token can access |
-| 4 | Git + gh read-write (REST + GraphQL + mutations) | Git and REST are repo-scoped; **GraphQL queries and mutations are account-wide** |
-> **Note:** GitHub's GraphQL API does not support path-based scoping.
-> At the default level 3, a container can query any repository, org membership,
-> or user data readable by the host token. To restrict containers to git-only
-> access, use `bubble security set github-api off`.
+**Access levels** (set via `bubble security set github <level>`):
+| `github` level | Behavior |
+|----------------|----------|
+| `off` | No GitHub access at all |
+| `basic` | Git push/pull only (proxy rewrites, repo-scoped) |
+| `rest` | + repo-scoped REST API |
+| `allowlist-read-graphql` | + allowlisted read-only GraphQL queries |
+| `allowlist-write-graphql` (default) | + allowlisted GraphQL mutations |
+| `write-graphql` | + arbitrary GraphQL, no allowlist filtering |
+| `direct` | Inject the raw token into the container, no proxy |
+**`direct` mode:** The host's `GH_TOKEN` and `GITHUB_TOKEN` environment
+variables are injected into the container via `/etc/profile.d`. No proxy is
+used — git and `gh` connect directly to GitHub. Network allowlisting permits
+direct GitHub access (iptables allows `github.com`).
+**GraphQL validation** (`allowlist-read-graphql` and `allowlist-write-graphql`
+levels): GraphQL access is controlled by two independent axes — `graphql_read`
+and `graphql_write` — each supporting `whitelisted`, `unrestricted`, or `none`
+modes. In whitelisted mode, a lightweight tokenizer/parser validates structure
+(single operation, single top-level field, no aliases/directives, no fragments
+in mutations) and semantics. Read validation repo-scopes `repository` queries
+via variables and verifies `node` queries via pre-flight ownership checks.
+Write validation checks mutations against an allowlist with repo-scoping via
+repositoryId comparison or pre-flight node ownership verification.
+**REST security:** REST paths validated against `/repos/{owner}/{repo}/...`
+(repo-scoped). API redirects (e.g., CI log downloads) followed with hardened
+rules: GET/HEAD only, HTTPS only, allowlisted hosts
+(`*.blob.core.windows.net`, `*.githubusercontent.com`), max 2 hops, auth
+headers stripped. GitHub 4xx errors are passed through to clients.
 **Security:**
 - Path canonicalization: reject encoded separators, dot-segments, duplicate slashes
-- No redirect following (returns redirects as-is to prevent token leakage)
 - Pinned to `github.com:443` with TLS verification
 - Ignores `HTTPS_PROXY`/`ALL_PROXY` environment variables
 - Rate limited: 60/minute, 600/hour per container
 - Maximum request body: 256 MB
-**Local containers:** Exposed via Incus proxy device connecting host TCP port to
-container `127.0.0.1:7654`.
+**Local containers:** Exposed via Incus proxy devices — TCP for git, Unix
+socket for gh (`listen=unix:/bubble/gh-proxy.sock`).
-**Remote containers:** SSH reverse tunnel (`ssh -R 7654:127.0.0.1:7654 remote`)
-forwards the local proxy port to the remote host. Tunnel PID files in
-`~/.bubble/tunnels/`. One tunnel per remote host (shared across containers).
+**Remote containers:** SSH reverse tunnel forwards the local proxy port to the
+remote host. Incus proxy devices on the remote expose both TCP and Unix socket
+endpoints. Tunnel PID files in `~/.bubble/tunnels/`. One tunnel per remote
+host (shared across containers).
 **Daemon management:** launchd (`com.bubble.auth-proxy`) or systemd
 (`bubble-auth-proxy.service`).
@@ -1067,6 +1111,12 @@ location = "fsn1"
 server_name = "bubble-cloud"
 default = false
+[ai]
+preferred = "claude"
+autonomy = "plan"
+second_opinion = "auto"
+second_opinion_provider = "codex"
 [claude]
 credentials = true
@@ -1087,11 +1137,10 @@ Configuration is managed through dedicated subcommands rather than a generic
 get/set interface:
 - `bubble tools set TOOL yes|no|auto` — configure tool installation
-- `bubble claude credentials on|off` — toggle Claude credential mounting
-- `bubble codex credentials on|off` — toggle Codex credential mounting
+- `bubble ai credentials on|off [--provider claude|codex]` — toggle AI credential mounting
 - `bubble security set NAME on|off|auto` — configure security settings
 - `bubble config set KEY VALUE` — set security settings (alias)
-- `bubble config symlink-claude-projects` — symlink Claude projects directory
+- `bubble config symlink-ai-projects` — symlink AI projects directory
 ---
@@ -1099,19 +1148,18 @@ get/set interface:
 ### Security settings
-Every isolation-weakening feature is individually configurable with three
-values: `auto`, `on`, `off`.
+Most settings are individually configurable with three values: `auto`, `on`,
+`off`. The `github` setting uses graduated named levels (see auth proxy
+section) and `shared-cache` accepts an additional `overlay` value.
 | Setting | Auto default | Description |
 |---------|-------------|-------------|
-| `shared-cache` | on | Writable shared mounts (mathlib cache) — see [Lean 4 hook](#22-lean-4-hook) security note |
+| `shared-cache` | on | Writable shared mounts (mathlib cache) — `on`, `off`, or `overlay`. See [Lean 4 hook](#22-lean-4-hook) security note |
 | `user-mounts` | on | `--mount` flag support |
 | `git-manifest-trust` | on | Auto-clone Lake manifest dependencies |
 | `claude-credentials` | on | Mount Claude credentials into containers |
 | `codex-credentials` | on | Mount Codex credentials into containers |
-| `github-auth` | on | Repo-scoped GitHub auth via proxy (git push/pull) |
-| `github-api` | on | GitHub API access via auth proxy: REST is repo-scoped; **GraphQL queries are read-only but account-wide** (can read any repo the host token can access). Set to `off` for git-only, or `read-write` for mutations |
-| `github-token-inject` | off | Direct GitHub token injection (bypasses proxy) |
+| `github` | allowlist-write-graphql | Unified GitHub access level — graduated from `off` through `basic`, `rest`, `allowlist-read-graphql`, `allowlist-write-graphql`, `write-graphql`, to `direct` (see [auth proxy](#104-github-auth-proxy)) |
 | `relay` | on | Bubble-in-bubble relay |
 | `host-key-trust` | on | Disable SSH StrictHostKeyChecking |
@@ -1120,15 +1168,15 @@ user to `bubble security`. Suppressed by `BUBBLE_QUIET_SECURITY=1`.
 **Commands:**
 - `bubble security` — show full security posture
-- `bubble security set NAME on|off|auto` — set individual setting
+- `bubble security set NAME VALUE` — set individual setting (most accept `on|off|auto`; `github` accepts named levels; `shared-cache` also accepts `overlay`)
 - `bubble security permissive` — set all to `on`
 - `bubble security lockdown` — set all to `off`
 - `bubble security default` — reset all to `auto`
 **GitHub network access:** Direct GitHub network access (via iptables) is only
-allowed when `github-token-inject` is enabled (level 5). At all other auth
-levels (0–4), iptables blocks direct GitHub traffic and forces it through the
-auth proxy on loopback, which enforces repo-scoping and rate limits.
+allowed when `github` is set to `direct`. At all other levels, iptables blocks
+direct GitHub traffic and forces it through the auth proxy on loopback, which
+enforces rate limits and (for levels below `write-graphql`) repo-scoping.
 ---
@@ -1160,6 +1208,10 @@ container lifecycle, but a complete implementation should include them:
 - `bubble remote clear-default` — clear default remote host
 - `bubble remote status` — show remote configuration and list remote bubbles
 - `bubble gh status` — show GitHub authentication status
+- `bubble completion <shell>` — output shell completion script (`bash`, `zsh`, `fish`); `--install` writes to a persistent location
+- `bubble ai set autonomy read|plan|implement|pr|merge` — set AI autonomy level
+- `bubble ai set second-opinion auto|on|off` — toggle second-opinion provider
+- `bubble ai status` — show AI provider settings and credential status
 ---
@@ -1190,7 +1242,7 @@ container lifecycle, but a complete implementation should include them:
 | `~/.bubble/cloud_key` | SSH private key for cloud (ed25519, mode 0600) |
 | `~/.bubble/cloud_key.pub` | SSH public key for cloud |
 | `~/.bubble/known_hosts` | SSH known_hosts for cloud |
-| `~/.bubble/claude-projects/` | Claude session state for containers |
+| `~/.bubble/ai-projects/` | AI provider session state for containers |
 | `~/.ssh/config.d/bubble` | Auto-managed SSH config entries |
 ---

{dev_bubble-0.7.8 → dev_bubble-0.7.10}/bubble/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """bubble: Containerized development environments."""
-__version__ = "0.7.8"
+__version__ = "0.7.10"

dev_bubble-0.7.8/bubble/claude.py → dev_bubble-0.7.10/bubble/ai.py RENAMED Viewed

@@ -1,20 +1,52 @@
-"""Claude Code integration for bubble containers."""
+"""AI provider integration for bubble containers.
+Handles prompt generation and task injection for the configured preferred
+AI provider (default: Claude Code). Provider-neutral where possible;
+provider-specific details (binary names, env vars, prompt file paths)
+are dispatched via the ``[ai] preferred`` config key.
+"""
 import json
 import re
 import shlex
 import subprocess
+from pathlib import Path
 from .config import DATA_DIR
 from .runtime.base import ContainerRuntime
-# Claude task command: reads prompt from file, runs Claude with skip-permissions,
-# then deletes the prompt file so reopening is clean.
-CLAUDE_TASK_COMMAND = (
-    "test -f .vscode/claude-prompt.txt && ANTHROPIC_API_KEY= CLAUDECODE="
-    ' claude --dangerously-skip-permissions "$(cat .vscode/claude-prompt.txt)"'
-    " && rm -f .vscode/claude-prompt.txt"
-)
+# Provider-specific task commands.
+# Each reads the prompt from .vscode/ai-prompt.txt, runs the AI tool
+# with autonomous permissions, then deletes the prompt file.
+_TASK_COMMANDS = {
+    "claude": (
+        "test -f .vscode/ai-prompt.txt && ANTHROPIC_API_KEY= CLAUDECODE="
+        ' claude --dangerously-skip-permissions "$(cat .vscode/ai-prompt.txt)"'
+        " && rm -f .vscode/ai-prompt.txt"
+    ),
+    "codex": (
+        "test -f .vscode/ai-prompt.txt &&"
+        ' codex --approval-mode full-auto "$(cat .vscode/ai-prompt.txt)"'
+        " && rm -f .vscode/ai-prompt.txt"
+    ),
+}
+SUPPORTED_PROVIDERS = frozenset(_TASK_COMMANDS)
+def _task_command_for(provider: str) -> str:
+    """Return the VS Code task shell command for the given AI provider.
+    Raises ``ValueError`` for unknown providers so typos are caught early.
+    """
+    try:
+        return _TASK_COMMANDS[provider]
+    except KeyError:
+        supported = ", ".join(sorted(SUPPORTED_PROVIDERS))
+        raise ValueError(f"Unknown AI provider {provider!r} (supported: {supported})") from None
+AI_TASK_COMMAND = _TASK_COMMANDS["claude"]
 TEMPLATES_DIR = DATA_DIR / "templates"
@@ -173,7 +205,7 @@ def generate_issue_prompt(
     second_opinion: str = "auto",
     config: dict | None = None,
 ) -> str | None:
-    """Fetch GitHub issue details and generate a Claude prompt.
+    """Fetch GitHub issue details and generate an AI prompt.
     Returns the prompt string, or None if the issue can't be fetched.
     Uses a custom template from ~/.bubble/templates/issue.txt if present,
@@ -235,7 +267,7 @@ def generate_issue_prompt(
 def generate_pr_prompt(owner: str, repo: str, pr_num: str, branch: str) -> str | None:
-    """Fetch GitHub PR details and generate a Claude prompt.
+    """Fetch GitHub PR details and generate an AI prompt.
     Returns the prompt string, or None if the PR can't be fetched.
     Uses a custom template from ~/.bubble/templates/pr.txt if present,
@@ -260,17 +292,92 @@ def generate_pr_prompt(owner: str, repo: str, pr_num: str, branch: str) -> str |
     )
-def inject_claude_task(
-    runtime: ContainerRuntime, container: str, project_dir: str, prompt: str, quiet: bool = False
+# Known-safe keys to copy from the host's ~/.claude.json.
+# Only cosmetic/UX settings — no credentials, MCP config, or host-specific paths.
+_CLAUDE_JSON_SAFE_KEYS = frozenset(
+    {
+        "theme",
+        "hasCompletedOnboarding",
+        "numStartups",
+        "preferredNotifChannel",
+        "autoUpdaterStatus",
+    }
+)
+def setup_claude_settings(
+    runtime: ContainerRuntime,
+    container: str,
+    project_dir: str,
+):
+    """Pre-populate ~/.claude.json in the container to skip the first-run wizard.
+    Copies allowlisted settings (theme, onboarding state, etc.) from the host's
+    ~/.claude.json if it exists. Always ensures hasCompletedOnboarding=True
+    and pre-trusts the project directory. This runs for ALL bubbles, not just
+    those with AI task injection.
+    Best-effort: failures are logged but do not abort bubble creation.
+    """
+    host_claude_json = Path.home() / ".claude.json"
+    # Extract only allowlisted keys from host settings
+    settings: dict = {}
+    if host_claude_json.is_file():
+        try:
+            host_data = json.loads(host_claude_json.read_text())
+            if isinstance(host_data, dict):
+                settings = {k: v for k, v in host_data.items() if k in _CLAUDE_JSON_SAFE_KEYS}
+        except (OSError, json.JSONDecodeError):
+            pass
+    # Ensure onboarding is marked complete
+    settings["hasCompletedOnboarding"] = True
+    n = settings.get("numStartups", 0)
+    settings["numStartups"] = (n if isinstance(n, int) else 0) + 1
+    # Pre-trust the project directory
+    settings["projects"] = {
+        project_dir: {"hasTrustDialogAccepted": True, "allowedTools": []},
+    }
+    # Write to container (best-effort — don't abort bubble creation on failure)
+    settings_json = shlex.quote(json.dumps(settings, indent=2))
+    try:
+        runtime.exec(
+            container,
+            ["su", "-", "user", "-c", f"printf '%s' {settings_json} > ~/.claude.json"],
+        )
+    except Exception:
+        from .output import detail
+        detail("Warning: could not pre-populate Claude Code settings.", err=True)
+def inject_ai_task(
+    runtime: ContainerRuntime,
+    container: str,
+    project_dir: str,
+    prompt: str,
+    config: dict | None = None,
+    quiet: bool = False,
 ):
-    """Inject Claude auto-start task into a container's VS Code configuration.
+    """Inject AI auto-start task into a container's VS Code configuration.
+    Dispatches to the configured preferred AI provider (default: Claude).
-    - Writes prompt to .vscode/claude-prompt.txt
-    - Creates/updates .vscode/tasks.json with Claude task (runOn: folderOpen)
+    - Writes prompt to .vscode/ai-prompt.txt
+    - Creates/updates .vscode/tasks.json with AI task (runOn: folderOpen)
     - Configures .vscode/settings.json for automatic tasks
     - Adds generated files to git exclude
-    - Pre-trusts the project directory in .claude.json
+    - Pre-trusts the project directory in the preferred provider's config
     """
+    provider = "claude"
+    if config:
+        provider = config.get("ai", {}).get("preferred", "claude")
+    task_command = _task_command_for(provider)
     q_dir = shlex.quote(project_dir)
     q_prompt = shlex.quote(prompt)
@@ -280,20 +387,21 @@ def inject_claude_task(
     # Write prompt to file
     runtime.exec(
         container,
-        ["su", "-", "user", "-c", f"printf '%s' {q_prompt} > {q_dir}/.vscode/claude-prompt.txt"],
+        ["su", "-", "user", "-c", f"printf '%s' {q_prompt} > {q_dir}/.vscode/ai-prompt.txt"],
     )
-    # Create or update tasks.json with Claude task
-    claude_task = {
-        "label": "Claude",
+    # Create or update tasks.json with AI task
+    ai_task = {
+        "label": "AI",
         "type": "shell",
-        "command": CLAUDE_TASK_COMMAND,
+        "command": task_command,
         "runOptions": {"runOn": "folderOpen"},
         "presentation": {"reveal": "always", "panel": "dedicated"},
     }
-    tasks_json_str = shlex.quote(json.dumps(claude_task))
+    tasks_json_str = shlex.quote(json.dumps(ai_task))
-    # Script: if tasks.json exists, add Claude task; otherwise create new file
+    # Script: if tasks.json exists, add AI task (removing old Claude and AI labels);
+    # otherwise create new file
     script = (
         f"cd {q_dir} && "
         f"if [ -f .vscode/tasks.json ]; then "
@@ -301,7 +409,7 @@ def inject_claude_task(
         f"import json,sys; "
         f"t=json.load(open('.vscode/tasks.json')); "
         f"t['tasks']=[x for x in t.get('tasks',[])"
-        f" if x.get('label')!='Claude']+[json.loads(sys.argv[1])]; "
+        f" if x.get('label') not in ('Claude','AI')]+[json.loads(sys.argv[1])]; "
         f"json.dump(t,open('.vscode/tasks.json','w'),indent=2)"
         f'" {tasks_json_str}; '
         f"else "
@@ -332,31 +440,16 @@ def inject_claude_task(
         f"cd {q_dir} && "
         f"GIT_DIR=$(git rev-parse --git-dir) && "
         f"mkdir -p $GIT_DIR/info && "
-        f"for f in .vscode/claude-prompt.txt .vscode/settings.json .vscode/tasks.json; do "
+        f"for f in .vscode/ai-prompt.txt .vscode/claude-prompt.txt"
+        f" .vscode/settings.json .vscode/tasks.json; do "
         f'  grep -qxF "$f" $GIT_DIR/info/exclude 2>/dev/null'
         f' || echo "$f" >> $GIT_DIR/info/exclude; '
         f"done"
     )
     runtime.exec(container, ["su", "-", "user", "-c", exclude_script])
-    # Pre-trust the project directory and skip onboarding in .claude.json
-    trust_script = (
-        f'python3 -c "'
-        f"import json,os; "
-        f"p=os.path.expanduser('~/.claude.json'); "
-        f"d=json.load(open(p)) if os.path.exists(p) else {{}}; "
-        f"d['hasCompletedOnboarding']=True; "
-        f"n=d.get('numStartups',0); d['numStartups']=(n if isinstance(n,int) else 0)+1; "
-        f"d.setdefault('projects',{{}}); "
-        f"proj=d['projects'].setdefault({shlex.quote(project_dir)!r},{{}}); "  # noqa: E501
-        f"proj['hasTrustDialogAccepted']=True; "
-        f"proj.setdefault('allowedTools',[]); "
-        f"json.dump(d,open(p,'w'),indent=2)"
-        f'"'
-    )
-    runtime.exec(container, ["su", "-", "user", "-c", trust_script])
     if not quiet:
         from .output import detail
-        detail("Claude Code task injected (will start on VS Code folder open).")
+        label = provider.capitalize()
+        detail(f"{label} task injected (will start on VS Code folder open).")

dev-bubble 0.7.8__tar.gz → 0.7.10__tar.gz

dev-bubble 0.7.8tar.gz → 0.7.10tar.gz