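# Development flake for Notesium notes.
#
# devShells.default  interactive `nix develop` re-execs into a bubblewrap
#                    sandbox (enter-sandbox); non-interactive use or
#                    `nix develop --command ...` stays outside the sandbox.
# devShells.yolo     no sandbox at all; defines the yolo() helper directly.
#
# Trust boundary summary for the sandbox (see comments on BWRAP_ARGS):
#   writable : project directory, ~/.claude, ~/.claude.json, tmpfs /tmp
#   readable : the whole host root (read-only), ~/.gitconfig, ~/.ssh,
#              ~/.config/gh, ~/.local/bin
#   network  : shared with the host
{
  description = "Notesium notes environment";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs {
          inherit system;
          config.allowUnfree = true;
        };

        # claude-code stays commented out as in the original; the `claude`
        # binary is presumably picked up from ~/.local/bin, which the sandbox
        # binds read-only (TODO confirm).
        packages = with pkgs; [
          # claude-code
          gh
          bubblewrap
        ];

        # Shell helper shared by both shells. It runs the agent with its
        # permission prompts disabled, so the surrounding sandbox (or the lack
        # of one in the yolo shell) is the only containment.
        shellFunctions = ''
          yolo() { claude --dangerously-skip-permissions --resume; }
        '';

        shellFunctionsScript = pkgs.writeText "shell-functions.sh" shellFunctions;

        # enter-sandbox [CMD ...]: run CMD (default: bash) inside bubblewrap.
        sandboxScript = pkgs.writeShellScriptBin "enter-sandbox" ''
          PROJECT_DIR="''${SANDBOX_PROJECT_DIR:-$PWD}"

          BWRAP_ARGS=(
            --unshare-all
            # Network stays shared: anything readable inside can leave the host.
            --share-net
            --die-with-parent
            # Host root is visible read-only; only $HOME is masked by the tmpfs below.
            --ro-bind / /
            --dev /dev
            --proc /proc
            --tmpfs "$HOME"
            # Writable. The project tree usually holds flake.nix and .git/hooks,
            # which are executed later outside the sandbox: review changes to them.
            --bind "$PROJECT_DIR" "$PROJECT_DIR"
            # Writable agent state, shared with unsandboxed sessions (yolo shell).
            --bind "$HOME/.claude" "$HOME/.claude"
            --bind "$HOME/.claude.json" "$HOME/.claude.json"
            # -try variants skip a path that does not exist instead of aborting
            # bwrap on machines without, for example, ~/.config/gh.
            --ro-bind-try "$HOME/.gitconfig" "$HOME/.gitconfig"
            # NOTE(security): read-only prevents modification, not disclosure.
            # SSH private keys and the gh token are readable by every process in
            # the sandbox. Prefer a scoped deploy key or fine-grained token, or
            # drop these binds when push access is not needed.
            --ro-bind-try "$HOME/.ssh" "$HOME/.ssh"
            --ro-bind-try "$HOME/.config/gh" "$HOME/.config/gh"
            --ro-bind-try "$HOME/.local/bin" "$HOME/.local/bin"
            --tmpfs /tmp
            # NOTE(security): no --clearenv, so every exported variable of the
            # calling shell (including any tokens) is inherited. SHELL_FUNCTIONS
            # relies on that inheritance and would need its own --setenv.
            --setenv HOME "$HOME"
            --setenv PATH "$PATH"
            --setenv TERM "''${TERM:-xterm}"
            --setenv SANDBOX_ACTIVE "1"
            # NOTE(security): no --new-session, so the sandbox shares the
            # controlling terminal; the bwrap manual recommends --new-session or
            # a seccomp filter blocking TIOCSTI for general-purpose sandboxes.
            --chdir "$PROJECT_DIR"
          )

          # The writable bind sources must exist before bwrap starts.
          mkdir -p "$HOME/.claude"
          touch "$HOME/.claude.json"

          if [ $# -gt 0 ]; then
            exec ${pkgs.bubblewrap}/bin/bwrap "''${BWRAP_ARGS[@]}" "$@"
          else
            exec ${pkgs.bubblewrap}/bin/bwrap "''${BWRAP_ARGS[@]}" ${pkgs.bash}/bin/bash
          fi
        '';
      in
      {
        devShells = {
          # Sandboxed shell. The hook only re-execs into the sandbox when stdin
          # is a terminal and NIX_DEVELOP_COMMAND is unset; otherwise it prints
          # a banner and leaves the caller outside the sandbox.
          # The heredoc body and its terminator sit at the string's base
          # indentation so that they land at column 0 after Nix strips it.
          default = pkgs.mkShell {
            buildInputs = packages ++ [ sandboxScript ];
            shellHook = ''
              export SANDBOX_PROJECT_DIR="$PWD"
              export SHELL_FUNCTIONS="${shellFunctionsScript}"
              if [ ! -t 0 ] || [ -n "$NIX_DEVELOP_COMMAND" ]; then
                echo "=== Notesium (sandbox: enter-sandbox) ==="
              else
                echo "=== Notesium Sandbox ==="
                echo "WRITE: $PWD, ~/.claude"
                exec enter-sandbox ${pkgs.bash}/bin/bash --rcfile <(cat << 'SANDBOX_BASHRC'
              source "$SHELL_FUNCTIONS"
              PS1="[sandbox] \w \$ "
              SANDBOX_BASHRC
              )
              fi
            '';
          };

          # Unsandboxed shell: yolo() runs with permission prompts disabled and
          # full access to the user account. Use only on a disposable machine
          # or VM.
          yolo = pkgs.mkShell {
            buildInputs = packages;
            shellHook = ''
              ${shellFunctions}
              echo "=== Notesium (YOLO - no sandbox) ==="
            '';
          };
        };
      }
    );
}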