sandbox-runtime: init at 0.0.43 (#504139)

{

  lib,

  stdenv,

  buildNpmPackage,

  fetchFromGitHub,

  # runtime dependencies

  ripgrep,

  which,

  # linux-only

  bubblewrap,

  socat,

  versionCheckHook,

  nix-update-script,

}:

buildNpmPackage (finalAttrs: {

  pname = "sandbox-runtime";

  version = "0.0.43";

  src = fetchFromGitHub {

    owner = "anthropic-experimental";

    repo = "sandbox-runtime";

    tag = "v${finalAttrs.version}";

    hash = "sha256-DzsIWR4IreGkSUtaJ2v5kTrI2hbG9O2bozQkJYYZ8LM=";

  };

  postPatch =

    # Fix the `--version` flag.

    ''

      substituteInPlace src/cli.ts \

        --replace-fail "1.0.0" "${finalAttrs.version}"

    '';

  strictDeps = true;

  npmDepsHash = "sha256-UUxkaGF1kUhq7XShxAq33oQoLG/aM5p/4rpXIH4I+yE=";

  postFixup =

    let

      runtimeDeps = [

        ripgrep

        which

      ]

      ++ lib.optionals stdenv.hostPlatform.isLinux [

        bubblewrap

        socat

      ];

    in

    ''

      wrapProgram $out/bin/srt \

        --prefix PATH ${lib.makeBinPath runtimeDeps}

    '';

  nativeInstallCheckInputs = [

    versionCheckHook

  ];

  doInstallCheck = true;

  passthru.updateScript = nix-update-script { };

  meta = {

    description = "Lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container";

    changelog = "https://github.com/anthropic-experimental/sandbox-runtime/releases/tag/${finalAttrs.src.tag}";

    homepage = "https://github.com/anthropic-experimental/sandbox-runtime";

    license = lib.licenses.asl20;

    maintainers = with lib.maintainers; [ GaetanLepage ];

    mainProgram = "srt";

    platforms = lib.platforms.linux ++ lib.platforms.darwin;

  };

})