projectwrap 202604.1__tar.gz

projectwrap-202604.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Fredrik Håård
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

projectwrap-202604.1/PKG-INFO

@@ -0,0 +1,279 @@
+Metadata-Version: 2.3
+Name: projectwrap
+Version: 202604.1
+Summary: Isolated project environments with bubblewrap sandboxing
+License: MIT
+Keywords: sandbox,bubblewrap,bwrap,isolation,development,security
+Author: Fredrik Håård
+Author-email: fredrik@haard.se
+Requires-Python: >=3.11,<4.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration
+Project-URL: Homepage, https://github.com/haard/project-wrap
+Project-URL: Repository, https://github.com/haard/project-wrap
+Description-Content-Type: text/markdown
+
+# pwrap
+
+pwrap wraps project shell environments in bubblewrap sandboxes, and aims to
+_limit the blast radius_ of e.g. supply chain attacks and protect your production
+infrastructure from your sloppy side project.
+
+
+
+**Why**
+I got tired of my ad-hoc fish bwrap scripts, and I'm increasingly worried about supply chain attacks.
+
+If every side project feels like a potential vector — one [npm|pip|cargo] install away from pwned AWS credentials,
+and custom-wrapping with bwrap and some vault product feels too fragile or too much work, pwrap might help.
+
+**Status**
+pwrap _works_ but has not been tested by anyone but me, and has not been
+reviewed/audited by anyone except Opus 4.6 and codestral. pwrap comes with
+_absolutely no warranty_.
+
+
+**Does:**
+- Launches sandboxed shells with per-project filesystem isolation
+- Hides sensitive paths (credentials, configs, SSH keys) via tmpfs overlays
+- Exposes only what each project needs (whitelisting)
+- Mounts gocryptfs encrypted volumes inside isolated namespaces
+- Runs init scripts for env vars, venv activation, aliases
+
+**Doesn't do:**
+- Network filtering (it's all-or-nothing via `unshare_net`)
+- Container-level isolation (no cgroups, no seccomp, no resource limits)
+- Do package management or dependency resolution
+- Protect you from your own misconfiguration
+
+**Dependencies:** Python 3.11+ (stdlib only, no pip dependencies),
+[bubblewrap](https://github.com/containers/bubblewrap) for sandboxing,
+[gocryptfs](https://nuetzlich.net/gocryptfs/) for encrypted volumes.
+
+**Design principles:**
+- **Reviewable** — small codebase, no pip dependencies, no magic
+- **Fail fast** — invalid config is an error, not a warning
+- **Explicit over convenient** — no implicit defaults that hide security decisions
+- **Init scripts as the extension point** — env vars, venv, aliases all go there,
+  not in config schema
+
+## Installation
+
+pwrap has no pip dependencies — only the standard library. For a security tool,
+installing from source lets you audit what you're running:
+
+```bash
+git clone https://github.com/haard/projectwrap
+cd projectwrap
+pip install --no-deps .
+```
+
+Or from PyPI if you prefer convenience: `pipx install projectwrap`
+
+Check optional dependencies with `pwrap --check-deps`.
+
+## Quick Start
+
+```bash
+pwrap --new ~/projects/myproject    # creates config + init script
+# edit ~/.config/pwrap/myproject/project.toml and init script
+pwrap myproject                     # launch sandboxed shell
+```
+
+On first run, `--new` creates editable templates in `~/.config/pwrap/`. Edit them
+to set your defaults, then run `--new` again.
+
+## Examples
+
+### Basic sandboxed project
+
+`~/.config/pwrap/myproject/project.toml`:
+```toml
+[project]
+name = "myproject"
+dir = "~/projects/myproject"
+shell = "/usr/bin/fish"
+
+[sandbox]
+enabled = true
+blacklist = [
+    "~/.kube",
+    "~/.aws",
+    "~/.ssh",
+]
+whitelist = [
+    "~/.kube/myproject",
+    "~/.ssh/myproject_ed25519",
+    "~/.ssh/known_hosts",
+]
+```
+
+`~/.config/pwrap/myproject/init.fish`:
+```fish
+source .venv/bin/activate.fish
+set -gx KUBECONFIG ~/.kube/myproject/config
+set -gx GIT_SSH_COMMAND "ssh -i ~/.ssh/myproject_ed25519 -o IdentitiesOnly=yes"
+```
+
+The config directory (`~/.config/pwrap`) is always blacklisted automatically — code
+inside the sandbox cannot read other project configs.
+
+### Encrypted AI chat history
+
+Keep aichat/Claude chat history encrypted at rest, decrypted only inside the sandbox.
+Uses gocryptfs mounted in an isolated namespace (invisible on host).
+
+**Setup:**
+```bash
+# Initialize encrypted directory (once, prompts for password)
+mkdir -p ~/.config/pwrap/myproject/encrypted
+gocryptfs -init ~/.config/pwrap/myproject/encrypted
+```
+
+**Config** (`project.toml`):
+```toml
+[project]
+name = "myproject"
+dir = "~/projects/myproject"
+shell = "/usr/bin/fish"
+
+[sandbox]
+enabled = true
+
+[encrypted]
+cipherdir = "encrypted"
+mountpoint = "~/.local/share/aichat"
+```
+
+**Init script** (`init.fish`):
+```fish
+set -gx AICHAT_CONFIG_DIR ~/.local/share/aichat
+# For Claude Code:
+# set -gx CLAUDE_CONFIG_DIR ~/.local/share/claude
+```
+
+On `pwrap myproject`, gocryptfs prompts for the password, mounts the decrypted
+volume inside an isolated mount namespace, and launches the sandboxed shell.
+The decrypted files are invisible to host processes and disappear when the shell
+exits.
+
+If you enter the wrong password, gocryptfs re-prompts up to its own retry limit
+and then exits non-zero. pwrap aborts on that failure without launching the
+sandbox — no shell starts, no partial mount is left behind. Re-run `pwrap
+myproject` to try again.
+
+**`PWRAP_VAULT_DIR`**: inside any sandbox with an `[encrypted]` section, pwrap
+exports `PWRAP_VAULT_DIR` pointing at the mountpoint. Use it from init scripts
+or app configs to redirect history/state into the vault without hardcoding the
+path per project (e.g. `set savehist-file (expand-file-name "history" "$PWRAP_VAULT_DIR/emacs")`).
+
+**You will appear as root inside encrypted projects.** Mounting gocryptfs
+unprivileged requires `unshare --user --map-root-user`, so inside the sandbox
+`whoami` reports `root` and `id -u` reports `0`. This is a user-namespace
+remapping only — you have no real privileges on the host, cannot read
+root-owned files outside the namespace, and cannot escalate. Your real files
+(project dir, home bind-mounts, the vault mountpoint itself) remain owned by
+your real uid. Scripts that gate on `[ "$UID" = 0 ]` will misbehave; prefer
+`[ "$USER" = root ]` checks or, better, check the presence of
+`$PROJECT_WRAP` / `$PWRAP_VAULT_DIR`.
+
+**Multiple terminals** (`shared = false`, default): each terminal gets an
+independent gocryptfs mount. Writes to different files merge on next session;
+writes to the same file from two sessions may lose the first session's changes.
+pwrap warns and prompts for confirmation when a concurrent session is detected.
+
+**Shared mode** (`shared = true`): the first terminal becomes the **primary**
+session. It mounts gocryptfs, prints a vault token, and stays in the
+foreground of the terminal that launched it (no background daemon — the
+serve process is a normal child of your shell). Additional terminals running
+`pwrap myproject` prompt for the token and attach as children of the primary.
+Inside the sandbox, `echo $PWRAP_VAULT_TOKEN` retrieves the token. When the
+primary exits (shell exit, Ctrl-C, or closing its terminal), all attached
+terminals are terminated and the mount is released — keep the primary
+terminal open for the duration of the session.
+
+### GUI apps in sandbox (WSL2)
+
+To run emacs or other GUI apps inside the sandbox on WSL2:
+
+```toml
+[sandbox]
+writable = [
+    "/tmp/.X11-unix",           # X11 display socket
+    "/mnt/wslg/runtime-dir",   # Wayland + PulseAudio
+]
+```
+
+## Configuration
+
+`pwrap --new` generates a `project.toml` template with all options documented.
+The three config sections:
+
+| Section | Purpose |
+|---|---|
+| `[project]` | name, dir, shell |
+| `[sandbox]` | blacklist, whitelist, writable, namespace options |
+| `[encrypted]` | gocryptfs cipherdir, mountpoint, shared mode |
+
+Init scripts (`init.fish` or `init.sh`) run inside the sandbox for env vars,
+venv activation, aliases, and tool version switching.
+
+## Usage
+
+```bash
+pwrap                                      # list projects
+pwrap myproject                            # launch project
+pwrap -v myproject                         # verbose output
+pwrap --new ~/projects/myproject           # create config (name from dir)
+pwrap --new ~/projects/myproject custom    # create with explicit name
+pwrap --new --shell /bin/bash ~/projects/x # specify shell
+pwrap --check-deps                         # check optional dependencies
+pwrap --version                            # show version
+```
+
+## Security Defaults
+
+When sandboxing is enabled:
+
+- Home is **read-only**; only the project directory is writable
+- Config directory (`~/.config/pwrap`) is always blacklisted
+- PID and IPC namespaces are isolated
+- TIOCSTI injection blocked automatically on kernels < 6.2
+- XDG runtime directory isolated
+- Sandbox dies with parent process
+- Encrypted volumes mount in isolated namespace (invisible on host)
+- All paths in shell commands are quoted to prevent injection
+
+## Shell Completions
+
+```bash
+# Fish
+cp completions/project.fish ~/.config/fish/completions/pwrap.fish
+# Bash
+cp completions/project.bash /etc/bash_completion.d/pwrap
+# Zsh
+cp completions/_project ~/.local/share/zsh/site-functions/_pwrap
+```
+
+## Development
+
+```bash
+poetry install              # install with dev dependencies
+poetry run pytest           # run tests
+poetry run ruff check src/  # lint
+poetry run mypy src/        # type check
+```
+
+## License
+
+MIT
+

projectwrap-202604.1/README.md

@@ -0,0 +1,254 @@
+# pwrap
+
+pwrap wraps project shell environments in bubblewrap sandboxes, and aims to
+_limit the blast radius_ of e.g. supply chain attacks and protect your production
+infrastructure from your sloppy side project.
+
+
+
+**Why**
+I got tired of my ad-hoc fish bwrap scripts, and I'm increasingly worried about supply chain attacks.
+
+If every side project feels like a potential vector — one [npm|pip|cargo] install away from pwned AWS credentials,
+and custom-wrapping with bwrap and some vault product feels too fragile or too much work, pwrap might help.
+
+**Status**
+pwrap _works_ but has not been tested by anyone but me, and has not been
+reviewed/audited by anyone except Opus 4.6 and codestral. pwrap comes with
+_absolutely no warranty_.
+
+
+**Does:**
+- Launches sandboxed shells with per-project filesystem isolation
+- Hides sensitive paths (credentials, configs, SSH keys) via tmpfs overlays
+- Exposes only what each project needs (whitelisting)
+- Mounts gocryptfs encrypted volumes inside isolated namespaces
+- Runs init scripts for env vars, venv activation, aliases
+
+**Doesn't do:**
+- Network filtering (it's all-or-nothing via `unshare_net`)
+- Container-level isolation (no cgroups, no seccomp, no resource limits)
+- Do package management or dependency resolution
+- Protect you from your own misconfiguration
+
+**Dependencies:** Python 3.11+ (stdlib only, no pip dependencies),
+[bubblewrap](https://github.com/containers/bubblewrap) for sandboxing,
+[gocryptfs](https://nuetzlich.net/gocryptfs/) for encrypted volumes.
+
+**Design principles:**
+- **Reviewable** — small codebase, no pip dependencies, no magic
+- **Fail fast** — invalid config is an error, not a warning
+- **Explicit over convenient** — no implicit defaults that hide security decisions
+- **Init scripts as the extension point** — env vars, venv, aliases all go there,
+  not in config schema
+
+## Installation
+
+pwrap has no pip dependencies — only the standard library. For a security tool,
+installing from source lets you audit what you're running:
+
+```bash
+git clone https://github.com/haard/projectwrap
+cd projectwrap
+pip install --no-deps .
+```
+
+Or from PyPI if you prefer convenience: `pipx install projectwrap`
+
+Check optional dependencies with `pwrap --check-deps`.
+
+## Quick Start
+
+```bash
+pwrap --new ~/projects/myproject    # creates config + init script
+# edit ~/.config/pwrap/myproject/project.toml and init script
+pwrap myproject                     # launch sandboxed shell
+```
+
+On first run, `--new` creates editable templates in `~/.config/pwrap/`. Edit them
+to set your defaults, then run `--new` again.
+
+## Examples
+
+### Basic sandboxed project
+
+`~/.config/pwrap/myproject/project.toml`:
+```toml
+[project]
+name = "myproject"
+dir = "~/projects/myproject"
+shell = "/usr/bin/fish"
+
+[sandbox]
+enabled = true
+blacklist = [
+    "~/.kube",
+    "~/.aws",
+    "~/.ssh",
+]
+whitelist = [
+    "~/.kube/myproject",
+    "~/.ssh/myproject_ed25519",
+    "~/.ssh/known_hosts",
+]
+```
+
+`~/.config/pwrap/myproject/init.fish`:
+```fish
+source .venv/bin/activate.fish
+set -gx KUBECONFIG ~/.kube/myproject/config
+set -gx GIT_SSH_COMMAND "ssh -i ~/.ssh/myproject_ed25519 -o IdentitiesOnly=yes"
+```
+
+The config directory (`~/.config/pwrap`) is always blacklisted automatically — code
+inside the sandbox cannot read other project configs.
+
+### Encrypted AI chat history
+
+Keep aichat/Claude chat history encrypted at rest, decrypted only inside the sandbox.
+Uses gocryptfs mounted in an isolated namespace (invisible on host).
+
+**Setup:**
+```bash
+# Initialize encrypted directory (once, prompts for password)
+mkdir -p ~/.config/pwrap/myproject/encrypted
+gocryptfs -init ~/.config/pwrap/myproject/encrypted
+```
+
+**Config** (`project.toml`):
+```toml
+[project]
+name = "myproject"
+dir = "~/projects/myproject"
+shell = "/usr/bin/fish"
+
+[sandbox]
+enabled = true
+
+[encrypted]
+cipherdir = "encrypted"
+mountpoint = "~/.local/share/aichat"
+```
+
+**Init script** (`init.fish`):
+```fish
+set -gx AICHAT_CONFIG_DIR ~/.local/share/aichat
+# For Claude Code:
+# set -gx CLAUDE_CONFIG_DIR ~/.local/share/claude
+```
+
+On `pwrap myproject`, gocryptfs prompts for the password, mounts the decrypted
+volume inside an isolated mount namespace, and launches the sandboxed shell.
+The decrypted files are invisible to host processes and disappear when the shell
+exits.
+
+If you enter the wrong password, gocryptfs re-prompts up to its own retry limit
+and then exits non-zero. pwrap aborts on that failure without launching the
+sandbox — no shell starts, no partial mount is left behind. Re-run `pwrap
+myproject` to try again.
+
+**`PWRAP_VAULT_DIR`**: inside any sandbox with an `[encrypted]` section, pwrap
+exports `PWRAP_VAULT_DIR` pointing at the mountpoint. Use it from init scripts
+or app configs to redirect history/state into the vault without hardcoding the
+path per project (e.g. `set savehist-file (expand-file-name "history" "$PWRAP_VAULT_DIR/emacs")`).
+
+**You will appear as root inside encrypted projects.** Mounting gocryptfs
+unprivileged requires `unshare --user --map-root-user`, so inside the sandbox
+`whoami` reports `root` and `id -u` reports `0`. This is a user-namespace
+remapping only — you have no real privileges on the host, cannot read
+root-owned files outside the namespace, and cannot escalate. Your real files
+(project dir, home bind-mounts, the vault mountpoint itself) remain owned by
+your real uid. Scripts that gate on `[ "$UID" = 0 ]` will misbehave; prefer
+`[ "$USER" = root ]` checks or, better, check the presence of
+`$PROJECT_WRAP` / `$PWRAP_VAULT_DIR`.
+
+**Multiple terminals** (`shared = false`, default): each terminal gets an
+independent gocryptfs mount. Writes to different files merge on next session;
+writes to the same file from two sessions may lose the first session's changes.
+pwrap warns and prompts for confirmation when a concurrent session is detected.
+
+**Shared mode** (`shared = true`): the first terminal becomes the **primary**
+session. It mounts gocryptfs, prints a vault token, and stays in the
+foreground of the terminal that launched it (no background daemon — the
+serve process is a normal child of your shell). Additional terminals running
+`pwrap myproject` prompt for the token and attach as children of the primary.
+Inside the sandbox, `echo $PWRAP_VAULT_TOKEN` retrieves the token. When the
+primary exits (shell exit, Ctrl-C, or closing its terminal), all attached
+terminals are terminated and the mount is released — keep the primary
+terminal open for the duration of the session.
+
+### GUI apps in sandbox (WSL2)
+
+To run emacs or other GUI apps inside the sandbox on WSL2:
+
+```toml
+[sandbox]
+writable = [
+    "/tmp/.X11-unix",           # X11 display socket
+    "/mnt/wslg/runtime-dir",   # Wayland + PulseAudio
+]
+```
+
+## Configuration
+
+`pwrap --new` generates a `project.toml` template with all options documented.
+The three config sections:
+
+| Section | Purpose |
+|---|---|
+| `[project]` | name, dir, shell |
+| `[sandbox]` | blacklist, whitelist, writable, namespace options |
+| `[encrypted]` | gocryptfs cipherdir, mountpoint, shared mode |
+
+Init scripts (`init.fish` or `init.sh`) run inside the sandbox for env vars,
+venv activation, aliases, and tool version switching.
+
+## Usage
+
+```bash
+pwrap                                      # list projects
+pwrap myproject                            # launch project
+pwrap -v myproject                         # verbose output
+pwrap --new ~/projects/myproject           # create config (name from dir)
+pwrap --new ~/projects/myproject custom    # create with explicit name
+pwrap --new --shell /bin/bash ~/projects/x # specify shell
+pwrap --check-deps                         # check optional dependencies
+pwrap --version                            # show version
+```
+
+## Security Defaults
+
+When sandboxing is enabled:
+
+- Home is **read-only**; only the project directory is writable
+- Config directory (`~/.config/pwrap`) is always blacklisted
+- PID and IPC namespaces are isolated
+- TIOCSTI injection blocked automatically on kernels < 6.2
+- XDG runtime directory isolated
+- Sandbox dies with parent process
+- Encrypted volumes mount in isolated namespace (invisible on host)
+- All paths in shell commands are quoted to prevent injection
+
+## Shell Completions
+
+```bash
+# Fish
+cp completions/project.fish ~/.config/fish/completions/pwrap.fish
+# Bash
+cp completions/project.bash /etc/bash_completion.d/pwrap
+# Zsh
+cp completions/_project ~/.local/share/zsh/site-functions/_pwrap
+```
+
+## Development
+
+```bash
+poetry install              # install with dev dependencies
+poetry run pytest           # run tests
+poetry run ruff check src/  # lint
+poetry run mypy src/        # type check
+```
+
+## License
+
+MIT

projectwrap-202604.1/pyproject.toml

@@ -0,0 +1,57 @@
+[tool.poetry]
+name = "projectwrap"
+version = "202604.1"
+description = "Isolated project environments with bubblewrap sandboxing"
+readme = "README.md"
+license = "MIT"
+authors = ["Fredrik Håård <fredrik@haard.se>"]
+keywords = ["sandbox", "bubblewrap", "bwrap", "isolation", "development", "security"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: POSIX :: Linux",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Topic :: System :: Systems Administration",
+]
+packages = [{ include = "project_wrap", from = "src" }]
+
+[tool.poetry.dependencies]
+python = "^3.11"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^8.0"
+pytest-cov = "^4.0"
+ruff = "^0.4"
+mypy = "^1.0"
+
+[tool.poetry.scripts]
+pwrap = "project_wrap.cli:main"
+
+[tool.poetry.urls]
+Homepage = "https://github.com/haard/project-wrap"
+Repository = "https://github.com/haard/project-wrap"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.ruff]
+target-version = "py311"
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "N", "W", "UP"]
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "-v"

projectwrap-202604.1/src/project_wrap/__init__.py

@@ -0,0 +1,3 @@
+"""project-wrap: Isolated project environments with bubblewrap sandboxing."""
+
+__version__ = "202604.1"