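#!/usr/bin/env bash
# Sandboxed wrapper for Claude Code using bubblewrap.
# Restricts filesystem access: DATA_DIR is writable, system is read-only.
#
# Usage: bwrap-claude <claude-command> [args...]
#   bwrap-claude claude -p --verbose ...
#   bwrap-claude claude-zai -p --verbose ...
#
# Environment:
#   DATA_DIR  Absolute path of the host directory the sandboxed command may
#             write to (in addition to ~/.claude and ~/.claude-zai).
#   HOME      Used to locate the Claude state directories.
#
# Requires: bubblewrap (apt install bubblewrap)
#
# Sandbox scope -- what this does and does not isolate:
#   - Filesystem: / is bound read-only; /tmp, /run and /root are fresh
#     tmpfs; DATA_DIR, ~/.claude and ~/.claude-zai are the writable paths.
#   - Read-only is not confidentiality: everything else under /, including
#     other dotfiles in $HOME, stays readable by the sandboxed command.
#     Narrow with `--tmpfs "$HOME"` plus selective `--ro-bind`s if that
#     matters for your deployment.
#   - Network, PID, IPC and UTS namespaces are shared with the host (the
#     command needs the network). `--unshare-pid --unshare-ipc
#     --unshare-uts` would tighten the rest; left out here because it is a
#     visible behaviour change, not a drop-in fix.

set -euo pipefail

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Print usage to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s <claude-command> [args...]\n' "${0##*/}" >&2
  exit 2
}

(( $# >= 1 )) || usage
# The first positional is handed to bwrap right after its own options; a
# leading dash would be parsed by bwrap as one of its flags instead of as
# the command to run, so refuse it explicitly.
[[ "$1" != -* ]] || usage

DATA_DIR="${DATA_DIR:?DATA_DIR must be set}"
: "${HOME:?HOME must be set}"

# bwrap resolves bind destinations against the sandbox root, not the
# caller's cwd; the same value is also passed through via --setenv, so a
# relative DATA_DIR would not map to where the sandboxed command looks.
[[ "$DATA_DIR" == /* ]] || die "DATA_DIR must be an absolute path: $DATA_DIR"
[[ -d "$DATA_DIR" ]] || die "DATA_DIR is not a directory: $DATA_DIR"
# ~/.claude is bound unconditionally and bwrap aborts on a missing source;
# fail here with a clearer message.
[[ -d "$HOME/.claude" ]] || die "$HOME/.claude does not exist"

# Build the bwrap argument list as an array so each option stays one word
# and the mapping is readable; order matters (later mounts sit on top of
# earlier ones, so the writable binds come after the read-only / and the
# tmpfs on /root).
bwrap_args=(
  --ro-bind / /                                # whole host tree, read-only
  --tmpfs /tmp                                 # private scratch, host /tmp hidden
  --tmpfs /run
  --tmpfs /root
  --proc /proc
  --dev /dev                                   # fresh minimal /dev, not the host's
  --bind "$DATA_DIR" "$DATA_DIR"               # the one intended writable area
  --bind "$HOME/.claude" "$HOME/.claude"       # Claude state/credentials, writable
  --bind-try "$HOME/.claude-zai" "$HOME/.claude-zai"   # optional; skipped if absent
  --setenv HOME "$HOME"
  --setenv DATA_DIR "$DATA_DIR"
  --die-with-parent                            # tear down if this wrapper's parent exits
  --new-session                                # setsid(): no input injection into our tty
)

exec bwrap "${bwrap_args[@]}" "$@"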
