claude/opencode bwrap quick & dirty

ccbw

#!/usr/bin/env bash

if ! secret-migrate; then
    echo "secret-migrate failed, exiting" >&2
    exit 1
fi

args=(
    --unshare-all
    --share-net
    --die-with-parent
    --new-session

    --ro-bind /opt/ /opt
    --ro-bind /etc/claude-code/ /etc/claude-code/
    --ro-bind /usr/ /usr
    --symlink usr/lib /lib
    --symlink usr/lib64 /lib64
    --symlink usr/bin /bin
    --symlink usr/sbin /sbin
    --ro-bind /etc/ld.so.conf /etc/ld.so.conf
    --ro-bind /etc/ld.so.conf.d /etc/ld.so.conf.d
    --ro-bind /etc/ld.so.cache /etc/ld.so.cache
    --proc /proc
    --dev /dev
#    --perms 1777 --tmpfs /dev/pts
    --perms 1777 --tmpfs /dev/shm
    --perms 1777 --tmpfs /tmp
    --perms 0755 --tmpfs /run

    --ro-bind /etc/resolv.conf /etc/resolv.conf
    --ro-bind /etc/hosts /etc/hosts
    --ro-bind /etc/nsswitch.conf /etc/nsswitch.conf
    --ro-bind /etc/passwd /etc/passwd
    --ro-bind /etc/group /etc/group
    --ro-bind /etc/localtime /etc/localtime

    --ro-bind /etc/ssl /etc/ssl
    --ro-bind-try /etc/ca-certificates /etc/ca-certificates

    --bind "$HOME/.sandbox-home/" "$HOME"
    --setenv HOME "$HOME"
    --chdir "$PWD"
    --bind "$PWD" "$PWD"

    --bind-try "$HOME/.gentoo/" "$HOME/.gentoo/"
    --bind-try "$HOME/.claude.json" "$HOME/.claude.json"
    --bind-try "$HOME/.claude/" "$HOME/.claude/"
    --bind-try "$HOME/sources/claude-hooks" "$HOME/sources/claude-hooks"

    --setenv TMPDIR /tmp
    --setenv PATH ~/.local/bin/:/opt/bin:/usr/local/bin:/usr/bin:/bin
)
# shift-enter trouble with tmux
# exec bwrap "${args[@]}" tmux new-session -A -s claude claude "$@"
exec bwrap "${args[@]}" claude "$@"