Add capabilities at build

sloppodman

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -eq 0 ]]; then
+  printf 'usage: sloppodman <pull|build|tag|run|ps|logs|stop|rm|inspect> ...\n' >&2
+  exit 2
+fi
+
+subcommand=$1
+shift
+
+case "$subcommand" in
+  pull|build|tag|run|ps|logs|stop|rm|inspect)
+    ;;
+  *)
+    printf 'sloppodman: unsupported subcommand %s\n' "$subcommand" >&2
+    exit 2
+    ;;
+esac
+
+workspace_root=${SLOPTRAP_WORKDIR:-/workspace}
+podman_root=${SLOPTRAP_INNER_PODMAN_ROOT:-/codex/capabilities/podman/storage}
+podman_runroot=${SLOPTRAP_INNER_PODMAN_RUNROOT:-/codex/capabilities/podman/run}
+runtime_dir=${XDG_RUNTIME_DIR:-/codex/capabilities/podman/runtime}
+mkdir -p "$podman_root" "$podman_runroot" "$runtime_dir"
+
+resolve_inner_path() {
+  local raw=$1
+  if command -v realpath >/dev/null 2>&1; then
+    realpath -m "$raw"
+    return
+  fi
+  case "$raw" in
+    /*) printf '%s\n' "$raw" ;;
+    *) printf '%s/%s\n' "$(pwd -P)" "$raw" ;;
+  esac
+}
+
+validate_workspace_path() {
+  local path=$1
+  path=$(resolve_inner_path "$path")
+  case "$path" in
+    "$workspace_root"|"${workspace_root}/"*) ;;
+    *)
+      printf 'sloppodman: path must stay within %s (%s)\n' "$workspace_root" "$path" >&2
+      exit 2
+      ;;
+  esac
+}
+
+if [[ $subcommand == "build" ]]; then
+  args=("$@")
+  context=""
+  idx=0
+  while (( idx < ${#args[@]} )); do
+    arg=${args[$idx]}
+    case "$arg" in
+      -f|--file)
+        ((idx+=1))
+        (( idx < ${#args[@]} )) || { printf 'sloppodman: %s requires a path\n' "$arg" >&2; exit 2; }
+        validate_workspace_path "${args[$idx]}"
+        ;;
+      --network)
+        ((idx+=1))
+        (( idx < ${#args[@]} )) || { printf 'sloppodman: --network requires a value\n' >&2; exit 2; }
+        if [[ ${args[$idx]} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then
+          printf 'sloppodman: host networking is not available in this session\n' >&2
+          exit 2
+        fi
+        ;;
+    esac
+    ((idx+=1))
+  done
+  if [[ ${#args[@]} -gt 0 ]]; then
+    context=${args[$(( ${#args[@]} - 1 ))]}
+    validate_workspace_path "$context"
+  fi
+fi
+
+if [[ $subcommand == "run" ]]; then
+  args=("$@")
+  idx=0
+  while (( idx < ${#args[@]} )); do
+    arg=${args[$idx]}
+    if [[ $arg == "--network" ]]; then
+      ((idx+=1))
+      (( idx < ${#args[@]} )) || { printf 'sloppodman: --network requires a value\n' >&2; exit 2; }
+      if [[ ${args[$idx]} == "host" && ${SLOPTRAP_INNER_PODMAN_HOST_NETWORK:-0} != 1 ]]; then
+        printf 'sloppodman: host networking is not available in this session\n' >&2
+        exit 2
+      fi
+    fi
+    ((idx+=1))
+  done
+fi
+
+exec podman --root "$podman_root" --runroot "$podman_runroot" "$subcommand" "$@"