Mikhail Putilovskij
6ced154124
- harden Matrix onboarding/chat lifecycle after manual QA - refresh README and Matrix docs to match current behavior - add local ignores for runtime artifacts and include current planning/report docs Closes #7 Closes #9 Closes #14
29 lines
784 B
Bash
Executable file
29 lines
784 B
Bash
Executable file
#!/usr/bin/env bash
|
|
# Sandboxed wrapper for Claude Code using bubblewrap.
|
|
# Restricts filesystem access: DATA_DIR is writable, system is read-only.
|
|
#
|
|
# Usage: bwrap-claude <claude-command> [args...]
|
|
# bwrap-claude claude -p --verbose ...
|
|
# bwrap-claude claude-zai -p --verbose ...
|
|
#
|
|
# Requires: bubblewrap (apt install bubblewrap)
|
|
|
|
set -euo pipefail
|
|
|
|
DATA_DIR="${DATA_DIR:?DATA_DIR must be set}"
|
|
|
|
exec bwrap \
|
|
--ro-bind / / \
|
|
--tmpfs /tmp \
|
|
--tmpfs /run \
|
|
--tmpfs /root \
|
|
--proc /proc \
|
|
--dev /dev \
|
|
--bind "$DATA_DIR" "$DATA_DIR" \
|
|
--bind "$HOME/.claude" "$HOME/.claude" \
|
|
--bind-try "$HOME/.claude-zai" "$HOME/.claude-zai" \
|
|
--setenv HOME "$HOME" \
|
|
--setenv DATA_DIR "$DATA_DIR" \
|
|
--die-with-parent \
|
|
--new-session \
|
|
"$@"
|