@dutc
Last active February 12, 2023 06:28
Combining `bwrap` and the `.zip` trick for auto-concatenating single-file distributables
#!/bin/zsh
# Self-rewriting vault script: everything up to the first line that is exactly
# the end marker is this launcher; a zip archive is appended after it. The
# launcher re-runs a command inside bwrap with a throw-away tmpfs home, restores
# the home from the appended archive, and re-packs it when the command returns.
#
# Usage: <this script> IDENTITY [COMMAND ...]
#   IDENTITY  path to an age identity (private key) file, or '-' on first run
#   COMMAND   command line to run inside the restored home
#
# NOTE(review): launcher and data live in one file and nothing here verifies
# the file before it is run with the identity; anyone able to modify the file
# controls what executes next to the decrypted data. Verify the file out of
# band (checksum or signature) before supplying the key.
#
# NOTE(review): the backticks around age sit inside double quotes, so when $1
# is missing this looks like a command substitution that runs age, not literal
# text in the error message -- confirm, and prefer plain quotes in the message.
identity="${1:?Must supply identity file for `age` or '-' for first run}"
# Arguments 2..N are joined into ONE string. That string is later written into
# the inner script as source text, so it is re-parsed as shell code and the
# caller's original word boundaries/quoting are not preserved.
target="${@[2,-1]}"
# setup: populate the fresh tmpfs home. The body of this function is not called
# directly; it is extracted as text further down and placed at the top of the
# script that runs inside bwrap.
setup() {
mkdir -p ~/public
if [[ -e /tmp/.identity ]]; then
# /tmp/.vault is this script file (bound in by the launcher); unzip reads the
# archive appended to it and overwrites (-o) into ~/public.
unzip -d ~/public -o /tmp/.vault >/dev/null 2>&1
# Decrypt the private archive and unpack it (tar + zstd) over the home.
# NOTE(review): every error is discarded and no exit status is checked, so a
# wrong or corrupt identity file is indistinguishable from an empty vault here.
age -d -i /tmp/.identity ~/public/.private 2>/dev/null | tar -C ~ -I zstd -xf - >/dev/null 2>&1
else # first run
git init . >/dev/null 2>&1
# Bare redirections: zsh runs its null command with them, which here appends
# the here-string to .gitignore.
>>.gitignore <<< .gitconfig
>>.gitignore <<< public/
age-keygen -o /tmp/.identity
# Bare input redirection: displays the freshly generated private key. /tmp is a
# tmpfs inside bwrap, so this output is the only copy of the key.
# NOTE(review): the secret ends up on the terminal (scrollback, session logs,
# screen sharing); capture it straight into a protected file instead.
</tmp/.identity
fi
}
# teardown: commit the working tree, re-encrypt the home and rewrite the vault.
# Like setup, the body is extracted as text and appended after the target
# command in the script that runs inside bwrap.
#
# NOTE(review): nothing checks that setup's decrypt succeeded, and the pipelines
# below run without pipefail or status checks. With a wrong or unreadable
# identity the existing ~/public/.private appears to be replaced by an archive
# of a near-empty home and then written back into the vault file, i.e. the
# previous contents are lost. Abort before this point when decryption of a
# non-empty payload fails, and keep a backup copy of the script file.
teardown() {
if ! git log >/dev/null 2>&1; then # first run
git add .gitignore >/dev/null 2>&1
git commit -am 'first commit' >/dev/null 2>&1
else
git add . >/dev/null 2>&1
# Commit message is the target command line the launcher stored in /tmp/.target.
git commit -am "$(< /tmp/.target)" >/dev/null 2>&1
fi
# Archive the home (everything except public/) with zstd and encrypt it with
# the identity file; the result is the only encrypted member of the vault.
# Files under ~/public are stored in the zip as plaintext.
tar -C ~ -I zstd --exclude public -cf - . .* | age -e -i /tmp/.identity -o ~/public/.private
{
# Keep the launcher: print the vault up to and including the marker line...
sed '/^EOF$/q' /tmp/.vault
# ...then append a fresh zip of ~/public. sponge buffers all input before
# writing, so the file can be read and replaced in the same pipeline.
cd ~/public && zip -r - . 2>/dev/null
} | sponge /tmp/.vault
}
# Serialise the two function bodies to text: whence -f prints the definition,
# sed drops the header line and the closing brace line, strips one leading tab
# and turns the next tab into a space.
setup="$(whence -f setup | sed '1d;/^}$/d;s/^\t//;s/\t/ /')"
teardown="$(whence -f teardown | sed '1d;/^}$/d;s/^\t//;s/\t/ /')"
# Default command when none was given: a no-op on first run, otherwise a tree
# listing of the home and public directories.
if [[ -z "$target" ]]; then
if [[ "$identity" == '-' ]]; then
target=:
else
target='tree -a --gitignore -I .gitconfig -I public/.private -I .git ~ public'
fi
fi
# bwrap mount layout. The host root is bound read-write, /tmp and the home are
# replaced by tmpfs, and this script file is bound read-write at /tmp/.vault so
# teardown can rewrite it. The single-quoted entries are expanded only when the
# eval below runs: each process substitution yields an fd path and (:t) keeps
# its last component, presumably the descriptor number --ro-bind-data expects.
#
# NOTE(review): no --unshare-* option is used and / is bound read-write, so the
# target keeps the caller's network, processes and write access to the rest of
# the filesystem. Treat this as file staging, not as confinement of the target.
#
# NOTE(review): $ZSH_SCRIPT and ~ are expanded while the array is built and the
# joined string is then re-parsed by eval; a script path or home containing
# whitespace or shell metacharacters would be re-split or interpreted as code.
# Quoting the expansion for re-parsing (for example the (q) parameter flag)
# looks like the fix -- confirm against the zsh version in use.
typeset -a bwrap_flags=(
--bind / /
--dev-bind /dev /dev
--proc /proc
--tmpfs /tmp
--tmpfs ~
--chdir ~
--bind $ZSH_SCRIPT /tmp/.vault
--ro-bind ~/.gitconfig ~/.gitconfig
'--ro-bind-data <(<<< "$target")(:t) /tmp/.target'
'--ro-bind-data <(<<< "$setup"; <<< "${target}"; <<< "$teardown")(:t) /tmp/.script.zsh'
)
# Expose the identity file read-only inside the sandbox unless this is the
# first run; setup keys its behaviour off the presence of /tmp/.identity.
[[ "$identity" != '-' ]] && bwrap_flags+=( --ro-bind-data '<(< "${identity}")(:t)' /tmp/.identity )
# Replace this shell with bwrap running the generated script (setup text, the
# target command, teardown text, in that order).
exec eval "bwrap ${(*)bwrap_flags} zsh /tmp/.script.zsh"
# The next line is the marker that separates the launcher from the appended
# archive; teardown's sed stops at the first line that matches it exactly.
EOF
#!/bin/zsh
# Unencrypted variant: the zip appended to this script is the whole payload.
# setup: unpack the appended archive into the current directory, overwriting
# existing files. The body is extracted as text below and run inside bwrap.
setup() {
# /tmp/.payload.orig.zip is this script file, bound in by the launcher.
# NOTE(review): the archive is neither encrypted nor authenticated, and unzip
# errors are discarded; only run copies of this file whose origin is trusted.
unzip -o /tmp/.payload.orig.zip 2>/dev/null >&2
}
# teardown: rewrite the script file as launcher text plus a fresh zip of the
# current directory. The body is extracted as text below and run inside bwrap.
teardown() {
(
# Keep everything up to and including the marker line...
sed '/^EOF$/q' /tmp/.payload.orig.zip
# ...then append the new archive. zip diagnostics are discarded, so a failed
# zip would still replace the previous payload with whatever was produced.
zip -r - . 2>/dev/null
) | sponge /tmp/.payload.orig.zip
}
# Serialise the function bodies to text: drop the header line and the closing
# brace line, and turn the first tab on each line into a space.
setup="$(whence -f setup | sed '1d;/^}$/d;s/\t/ /')"
teardown="$(whence -f teardown | sed '1d;/^}$/d;s/\t/ /')"
# bwrap mount layout: host root bound read-write, tmpfs over /tmp and the home,
# this script bound read-write at /tmp/.payload.orig.zip so teardown can
# rewrite it. The single-quoted entry is expanded when the eval below runs; all
# command-line arguments are joined and inserted as source text between the
# setup and teardown bodies, so they are re-parsed as shell code.
#
# NOTE(review): no --unshare-* option is used and / is bound read-write, so the
# command is not confined; only /tmp and the home are replaced.
#
# NOTE(review): $ZSH_SCRIPT and ~ are expanded while the array is built and
# then re-parsed by eval; a path with whitespace or shell metacharacters would
# be re-split or interpreted. Quote the expansion for re-parsing.
typeset -a bwrap_flags=(
--bind / /
--dev-bind /dev /dev
--proc /proc
--tmpfs /tmp
--tmpfs ~
--chdir ~
--bind $ZSH_SCRIPT /tmp/.payload.orig.zip
'--ro-bind-data <(<<< "$setup"; <<< "${@[1,-1]}"; <<< "$teardown")(:t) /tmp/.script.zsh'
)
# Replace this shell with bwrap running the generated script.
exec eval "bwrap ${(*)bwrap_flags} zsh /tmp/.script.zsh"
# Marker separating the launcher from the appended archive.
EOF
#!/bin/zsh
# Fully encrypted variant: the data appended after the marker line is an
# age-encrypted zip of the home directory.
#
# Usage: <this script> IDENTITY [COMMAND ...]
#   IDENTITY  path to an age identity (private key) file, or '-' on first run
#   COMMAND   command line to run in the restored home (default: ls -1al)
#
# NOTE(review): the backticks around age sit inside double quotes, so when $1
# is missing this looks like a command substitution that runs age rather than
# literal message text -- confirm.
identity="${1:?Must supply identity file for `age` or '-' for first run}"
# Arguments 2..N joined into one string; it is later inserted into the inner
# script as source text and therefore re-parsed as shell code.
target="${@[2,-1]:-ls -1al}"
# setup: restore the home from the encrypted payload, or create a key on first
# run. The body is extracted as text below and placed at the top of the script
# that runs inside bwrap, so the exit further down ends that whole script.
setup() {
if [[ -e /tmp/.identity ]]; then
# Delete everything through the marker line, decrypt the remainder with the
# identity, and hand the result to unzip as a temporary file via =( ... ).
# NOTE(review): errors from age and unzip are discarded, so a failed decrypt
# (wrong key, tampered payload) leaves an empty home without any diagnostic.
unzip -o =( sed '1,/^EOF$/d' /tmp/.vault.age | age -d -i /tmp/.identity - 2>/dev/null ) 2>/dev/null >&2
else # first run
age-keygen -o /tmp/.identity
# Bare input redirection: displays the new private key. /tmp is a tmpfs inside
# bwrap, so this output is the only copy.
# NOTE(review): the secret is written to the terminal; redirect it into a
# protected file rather than leaving it in scrollback or logs.
</tmp/.identity
# Stop before the target command and the teardown text are reached.
exit
fi
}
# teardown: rewrite the script file as launcher text plus an age-encrypted zip
# of the current directory. The body is extracted as text below and appended
# after the target command in the script that runs inside bwrap.
#
# NOTE(review): this runs even when setup's decrypt failed, and without
# pipefail or status checks. With a wrong identity the previous payload appears
# to be replaced by an encryption of an empty directory; if age fails here the
# payload is replaced by whatever partial output exists. Abort earlier on a
# failed decrypt of a non-empty payload and keep a backup of the file.
teardown() {
{
# Keep the launcher up to and including the marker line...
sed '/^EOF$/q' /tmp/.vault.age
# ...then append the new archive, encrypted with the identity file.
zip -r - . 2>/dev/null | age -e -i /tmp/.identity -
} | sponge /tmp/.vault.age
}
# Serialise the function bodies to text: drop the header line and the closing
# brace line, strip one leading tab and turn the next tab into a space.
setup="$(whence -f setup | sed '1d;/^}$/d;s/^\t//;s/\t/ /')"
teardown="$(whence -f teardown | sed '1d;/^}$/d;s/^\t//;s/\t/ /')"
# bwrap mount layout: host root bound read-write, tmpfs over /tmp and the home,
# this script bound read-write at /tmp/.vault.age so teardown can rewrite it.
# The single-quoted entry is expanded when the eval below runs and supplies the
# generated script (setup text, target command, teardown text).
#
# NOTE(review): no --unshare-* option is used and / is bound read-write, so the
# target runs with the caller's network, processes and filesystem access while
# the decrypted data is present. This is file staging, not confinement.
#
# NOTE(review): $ZSH_SCRIPT and ~ are expanded while the array is built and
# then re-parsed by eval; a path with whitespace or shell metacharacters would
# be re-split or interpreted. Quote the expansion for re-parsing.
typeset -a bwrap_flags=(
--bind / /
--dev-bind /dev /dev
--proc /proc
--tmpfs /tmp
--tmpfs ~
--chdir ~
--bind $ZSH_SCRIPT /tmp/.vault.age
'--ro-bind-data <(<<< "$setup"; <<< "${target}"; <<< "$teardown")(:t) /tmp/.script.zsh'
)
# Expose the identity file read-only inside the sandbox unless this is the
# first run; setup keys its behaviour off the presence of /tmp/.identity.
[[ $identity != '-' ]] && bwrap_flags+=( --ro-bind-data '<(< "${identity}")(:t)' /tmp/.identity )
# Replace this shell with bwrap running the generated script.
exec eval "bwrap ${(*)bwrap_flags} zsh /tmp/.script.zsh"
# Marker separating the launcher from the appended encrypted archive.
EOF