migrate to the new tiered structure

example/.safeclaude/.env.example

@@ -0,0 +1,3 @@
+# Copy to .env (gitignored) for secrets injected into the container at runtime.
+# Private gem registry token used by hooks/20-bundle.sh:
+# BUNDLE_GEMS__GRAPHQL__PRO=user:token

example/.safeclaude/.gitignore

@@ -0,0 +1 @@
+.env

example/.safeclaude/Dockerfile

@@ -0,0 +1,31 @@
+# Example .safeclaude/Dockerfile for a Ruby + Postgres app.
+#
+# Everything here runs once when the container is built (and is cached), so it
+# won't slow down launches. You're root during the build, so apt just works.
+FROM safeclaude-base:latest
+
+# System packages: what's needed to build Ruby, talk to Postgres, proxy the
+# database (socat), and run browser tests (headless Chrome).
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      build-essential \
+      libssl-dev libreadline-dev zlib1g-dev libffi-dev libyaml-dev \
+      libpq-dev \
+      socat \
+      chromium chromium-driver \
+    && rm -rf /var/lib/apt/lists/*
+
+# Capybara/Selenium look for Chrome at these paths.
+ENV CHROME_BIN=/usr/bin/chromium
+ENV CHROMEDRIVER=/usr/bin/chromedriver
+
+# rbenv and nvm get installed by the hooks at launch instead of here, because
+# they live in the home folder — and that folder is swapped in fresh each run, so
+# anything we installed there now would just be thrown away. Here we only set the
+# paths and shell setup; the two lines below do nothing until a hook installs the
+# matching tool.
+ENV RBENV_ROOT=/home/coder/.rbenv
+ENV NVM_DIR=/home/coder/.nvm
+ENV PATH="$RBENV_ROOT/bin:$RBENV_ROOT/shims:$PATH"
+
+RUN echo '[ -d "$RBENV_ROOT/bin" ] && eval "$(rbenv init - bash)"' >> /etc/bash.bashrc && \
+    echo '[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"'         >> /etc/bash.bashrc

example/.safeclaude/hooks/10-ruby.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Sets up rbenv and the project's Ruby. Safe to run every launch — it only does
+# real work the first time, or when the Ruby version changes.
+set -euo pipefail
+
+# Grab rbenv (cloned into the home folder so it sticks around between runs).
+if [ ! -d "$RBENV_ROOT/bin" ]; then
+  echo "[ruby] installing rbenv..."
+  git clone --depth=1 https://github.com/rbenv/rbenv.git "$RBENV_ROOT"
+  git clone --depth=1 https://github.com/rbenv/ruby-build.git "$RBENV_ROOT/plugins/ruby-build"
+fi
+eval "$(rbenv init - bash)"
+
+# Pick the Ruby version: the project's .ruby-version wins, then whatever rbenv
+# was last set to, then a sensible default.
+if [ -f /code/.ruby-version ]; then
+  RUBY_VERSION="$(tr -d '[:space:]' < /code/.ruby-version)"
+elif [ -f "$RBENV_ROOT/version" ]; then
+  RUBY_VERSION="$(cat "$RBENV_ROOT/version")"
+else
+  RUBY_VERSION="3.3.6"
+fi
+
+if ! rbenv versions --bare 2>/dev/null | grep -qx "$RUBY_VERSION"; then
+  echo "[ruby] installing Ruby $RUBY_VERSION (first time only — takes a few minutes)..."
+  rbenv install "$RUBY_VERSION"
+fi
+rbenv global "$RUBY_VERSION"
+
+# Make sure bundler is installed for this Ruby.
+gem list bundler -i &>/dev/null || gem install bundler --no-document

example/.safeclaude/hooks/15-node.sh.example

@@ -0,0 +1,15 @@
+#!/bin/bash
+# OPTIONAL — only needed if your project pins a Node version via .nvmrc (the base
+# already includes a working Node). Rename to 15-node.sh to turn it on.
+set -euo pipefail
+
+if [ ! -s "$NVM_DIR/nvm.sh" ]; then
+  echo "[node] installing nvm..."
+  curl -fsSL https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh \
+    | NVM_DIR="$NVM_DIR" PROFILE=/dev/null bash
+fi
+. "$NVM_DIR/nvm.sh"
+
+if [ -f /code/.nvmrc ]; then
+  ( cd /code && nvm install && nvm use )
+fi

example/.safeclaude/hooks/20-bundle.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Installs gems, but only when Gemfile.lock has changed: it remembers the last
+# version it installed (saved between runs), so an unchanged lockfile is a
+# near-instant no-op.
+set -euo pipefail
+
+[ -f /code/Gemfile ] || exit 0
+eval "$(rbenv init - bash)"
+
+LOCK=/code/Gemfile.lock
+MARKER="$HOME/.safeclaude-deps/gemfile.sha"
+mkdir -p "$(dirname "$MARKER")"
+CUR="$( [ -f "$LOCK" ] && sha256sum "$LOCK" | cut -d' ' -f1 || echo no-lock )"
+
+if [ "$(cat "$MARKER" 2>/dev/null || true)" != "$CUR" ]; then
+  echo "[bundle] installing gems..."
+  # The token below (for a private gem source) comes from .safeclaude/.env — see
+  # .env.example. It's fine to leave unset if your project doesn't need it.
+  ( cd /code && BUNDLE_GEMS__GRAPHQL__PRO="${BUNDLE_GEMS__GRAPHQL__PRO:-}" bundle install )
+  echo "$CUR" > "$MARKER"
+fi

example/.safeclaude/hooks/30-pg-proxy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Makes the host machine's Postgres reachable at the usual 127.0.0.1:5432 inside
+# the container, so your database settings work the same in or out of Docker.
+set -euo pipefail
+
+# If something's already answering on 5432 (like a proxy from a previous launch),
+# leave it be. We test the port with a built-in bash trick so we don't have to
+# install extra tools just to check.
+if (exec 3<>/dev/tcp/127.0.0.1/5432) 2>/dev/null; then
+  exec 3>&-   # port answered — already running
+else
+  echo "[pg] proxying 127.0.0.1:5432 -> host.docker.internal:5432"
+  socat TCP-LISTEN:5432,bind=127.0.0.1,fork,reuseaddr \
+        TCP:host.docker.internal:5432 &
+fi