This uses the networking module to find the best_host, as we already do
with ssh and install. So if we don't supply a --target-host and a
networking module is configured, the remote should be autodetected.
Since vars upload doesn't have a --target-host argument, we always try
to use get_best_remote
The motivation is to create one powerful entrypoint shared by the GUI as well as the CLI in order to not having to maintain too much separate code paths.
As a next step, generate_vars can probably also be removed.
This is useful to force on-interactive mode with automatic key selection. In unit tests this is necessary. When debugging a test on a real terminal interactive mode is not desired
This now gives a clearer error than:
```
Traceback (most recent call last):
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/bin/.clan-wrapped", line 9, in <module>
sys.exit(main())
~~~~^^
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/cli.py", line 516, in main
args.func(args)
~~~~~~~~~^^^^^^
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 113, in check_command
ok = check_vars(args.machine, args.flake, generator_name=args.generator)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 103, in check_vars
status = vars_status(machine_name, flake, generator_name=generator_name)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/check.py", line 41, in vars_status
generators = Generator.generators_from_flake(machine.name, machine.flake)
File "/nix/store/mznnb8il3njp6jxn5i57d0myjdh6cs0i-clan-cli/lib/python3.13/site-packages/clan_cli/vars/generate.py", line 67, in generators_from_flake
generators_data = flake.select_machine(
^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'select_machine'
```
When not being in a flake.
When creating a new clan, the key selection now looks like this:
```
Found existing admin keys on this machine:
1: type: AGE
pubkey: age1xyz...
source: /home/grmpf/.config/sops/age/keys.txt
2: type: PGP
pubkey: abc...
source: SOPS_PGP_FP
Select keys to use (comma-separated list of numbers, or leave empty to select all):
```
This is achieved by adding a `source` attribute to `SopsKey`.
Changed sandbox_exec_cmd to return a context manager that automatically
handles profile file cleanup. This ensures the temporary profile is
always removed, even if exceptions occur.
Adds macOS sandboxing support similar to Linux bubblewrap implementation:
- Created clan_lib/sandbox_exec module with sandbox profile creation
- Implemented file system isolation allowing only tmpdir and nix store access
- Added network restrictions (deny outbound except localhost)
- Integrated sandbox-exec command into vars generation on macOS
- Added comprehensive test suite for macOS sandbox functionality
- Fixed working directory handling for generators writing to CWD
