Initial project setup with Nix flake and gitignore

Nix devshell with gh, bubblewrap sandbox, and yolo mode.
Gitignore for .claude, .wave internals, secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitignore

@@ -0,0 +1,11 @@
+.claude/*
+!.claude/commands/
+.archive/
+.idea/
+.wave/*
+!.wave/pipelines/
+!.wave/personas/
+!.wave/contracts/
+!.wave/prompts/
+wave.yaml
+.env

flake.nix

@@ -0,0 +1,100 @@
+{
+  description = "Notesium notes environment";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
+
+        packages = with pkgs; [
+          # claude-code
+          gh
+          bubblewrap
+        ];
+
+        shellFunctions = ''
+          yolo() { claude --dangerously-skip-permissions --resume; }
+        '';
+
+        shellFunctionsScript = pkgs.writeText "shell-functions.sh" shellFunctions;
+
+        sandboxScript = pkgs.writeShellScriptBin "enter-sandbox" ''
+          PROJECT_DIR="''${SANDBOX_PROJECT_DIR:-$PWD}"
+
+          BWRAP_ARGS=(
+            --unshare-all
+            --share-net
+            --die-with-parent
+
+            --ro-bind / /
+            --dev /dev
+            --proc /proc
+
+            --tmpfs "$HOME"
+
+            --bind "$PROJECT_DIR" "$PROJECT_DIR"
+            --bind "$HOME/.claude" "$HOME/.claude"
+            --bind "$HOME/.claude.json" "$HOME/.claude.json"
+
+            --ro-bind "$HOME/.gitconfig" "$HOME/.gitconfig"
+            --ro-bind "$HOME/.ssh" "$HOME/.ssh"
+            --ro-bind "$HOME/.config/gh" "$HOME/.config/gh"
+            --ro-bind "$HOME/.local/bin" "$HOME/.local/bin"
+
+            --tmpfs /tmp
+
+            --setenv HOME "$HOME"
+            --setenv PATH "$PATH"
+            --setenv TERM "''${TERM:-xterm}"
+            --setenv SANDBOX_ACTIVE "1"
+            --chdir "$PROJECT_DIR"
+          )
+
+          mkdir -p "$HOME/.claude"
+          touch "$HOME/.claude.json"
+
+          if [ $# -gt 0 ]; then
+            exec ${pkgs.bubblewrap}/bin/bwrap "''${BWRAP_ARGS[@]}" "$@"
+          else
+            exec ${pkgs.bubblewrap}/bin/bwrap "''${BWRAP_ARGS[@]}" ${pkgs.bash}/bin/bash
+          fi
+        '';
+      in
+      {
+        devShells = {
+          default = pkgs.mkShell {
+            buildInputs = packages ++ [ sandboxScript ];
+            shellHook = ''
+              export SANDBOX_PROJECT_DIR="$PWD"
+              export SHELL_FUNCTIONS="${shellFunctionsScript}"
+
+              if [ ! -t 0 ] || [ -n "$NIX_DEVELOP_COMMAND" ]; then
+                echo "=== Notesium (sandbox: enter-sandbox) ==="
+              else
+                echo "=== Notesium Sandbox ==="
+                echo "WRITE: $PWD, ~/.claude"
+                exec enter-sandbox ${pkgs.bash}/bin/bash --rcfile <(cat << 'SANDBOX_BASHRC'
+              source "$SHELL_FUNCTIONS"
+              PS1="[sandbox] \w \$ "
+SANDBOX_BASHRC
+              )
+              fi
+            '';
+          };
+
+          yolo = pkgs.mkShell {
+            buildInputs = packages;
+            shellHook = ''
+              ${shellFunctions}
+              echo "=== Notesium (YOLO - no sandbox) ==="
+            '';
+          };
+        };
+      }
+    );
+}