Currently the template help has the following interface:
```
usage: clan [-h] [SUBCOMMAND]
The clan cli tool
positional arguments:
{show,backups,b,flakes,f,templates,flash,ssh,secrets,facts,vars,va,machines,m,vms,select,se,state,st}
show Show meta information about the clan
backups (b) Manage backups of clan machines
flakes (f) Create a clan flake inside the current directory
templates Subcommands to interact with templates
flash Flashes your machine to an USB drive
ssh Ssh to a remote machine
secrets Manage secrets
facts Manage facts
vars (va) Manage vars
machines (m) Manage machines and their configuration
vms Manage virtual machines
select (se) Select nixos values from the flake
state (st) Query state information about machines
options:
-h, --help show this help message and exit
Online reference for the clan cli tool: https://docs.clan.lol/reference/cli
For more detailed information, visit: https://docs.clan.lol
```

Changed sandbox_exec_cmd to return a context manager that automatically
handles profile file cleanup. This ensures the temporary profile is
always removed, even if exceptions occur.

Adds macOS sandboxing support similar to the Linux bubblewrap implementation:
- Created clan_lib/sandbox_exec module with sandbox profile creation
- Implemented file system isolation allowing only tmpdir and nix store access
- Added network restrictions (deny outbound except localhost)
- Integrated sandbox-exec command into vars generation on macOS
- Added comprehensive test suite for macOS sandbox functionality
- Fixed working directory handling for generators writing to CWD
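
The policy and cleanup behaviour described in the two messages above, as an added Python example that is not the project's own code. The function names, the profile rules and the generator path are assumptions for illustration; only the `sandbox-exec -f` invocation and the stated policy (tmpdir and nix store access, outbound network limited to localhost, profile always removed) come from the text.

```python
import contextlib
import os
import tempfile
from collections.abc import Iterator
from pathlib import Path


def quote(path: Path) -> str:
    # SBPL string literal: escape backslashes and double quotes.
    return '"' + str(path).replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_profile(tmpdir: Path, nix_store: Path = Path("/nix/store")) -> str:
    """Deny-by-default profile: read-only store, writable tmpdir, localhost only."""
    return "\n".join([
        "(version 1)",
        "(deny default)",
        "(allow process-fork)",
        "(allow process-exec)",
        f"(allow file-read* (subpath {quote(nix_store)}))",
        f"(allow file-read* file-write* (subpath {quote(tmpdir)}))",
        '(allow network-outbound (remote ip "localhost:*"))',
        "",
    ])


@contextlib.contextmanager
def sandboxed_command(generator: str, tmpdir: Path) -> Iterator[list[str]]:
    """Yield an argv that runs `generator` under the profile; always clean up."""
    # mkstemp creates the file with mode 0600, so no other user can swap rules.
    fd, name = tempfile.mkstemp(prefix="sandbox-", suffix=".sb")
    profile = Path(name)
    try:
        with os.fdopen(fd, "w") as f:
            # The sandbox matches resolved paths (/tmp is /private/tmp on macOS).
            f.write(build_profile(tmpdir.resolve()))
        yield ["/usr/bin/sandbox-exec", "-f", str(profile), generator]
    finally:
        # Runs on normal exit and when the caller's block raises.
        profile.unlink(missing_ok=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        # Constructed placeholder path, not a real generator.
        with sandboxed_command("/nix/store/example-generator", Path(d)) as argv:
            print(argv)
            print(Path(argv[2]).read_text())
```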

Stores now get machine context from generator objects instead of storing
it internally. This enables future machine-independent generators and
reduces coupling.
- StoreBase.__init__ only takes flake parameter
- Store methods receive machine as explicit parameter
- Fixed all callers to pass machine context

- Updated StoreBase.__init__ to accept machine: str and flake: Flake
- Modified all StoreBase subclasses (in_repo, vm, fs, sops, password_store) to match new signature
- Added select_machine method to Flake class for machine-specific attribute selection
- Updated Machine.select to use the new Flake.select_machine method
- Fixed all test cases to pass machine name and flake to store constructors
- Maintained backward compatibility by keeping the same external API
This reduces coupling between the store system and the Machine class,
making the architecture more modular and flexible.