Setup Ralph.

flake.nix

@@ -1,5 +1,5 @@
 # ABOUTME: Nix flake for PhaseFlow development environment.
-# ABOUTME: Provides Node.js 24, pnpm, turbo, and lefthook.
+# ABOUTME: Provides Node.js 24, pnpm, turbo, lefthook, and Ralph sandbox shell.
 {
   inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
@@ -7,17 +7,44 @@
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
-    in {
-      devShells.${system}.default = pkgs.mkShell {
-        packages = with pkgs; [
-          nodejs_24
-          pnpm
-          turbo
-          lefthook
-        ];
 
-        # For native modules (sharp, better-sqlite3, etc.)
-        LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath [ pkgs.stdenv.cc.cc ];
+      # Common packages for development
+      commonPackages = with pkgs; [
+        nodejs_24
+        pnpm
+        git
+      ];
+    in {
+      devShells.${system} = {
+        # Default development shell with all tools
+        default = pkgs.mkShell {
+          packages = commonPackages ++ (with pkgs; [
+            turbo
+            lefthook
+          ]);
+
+          # For native modules (sharp, better-sqlite3, etc.)
+          LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath [ pkgs.stdenv.cc.cc ];
+        };
+
+        # Ralph sandbox shell with minimal permissions
+        # Used for autonomous Ralph loop execution
+        ralph = pkgs.mkShell {
+          packages = commonPackages ++ (with pkgs; [
+            # Claude CLI (assumes installed globally or via npm)
+            # Add any other tools Ralph needs here
+          ]);
+
+          # Restrictive environment for sandboxed execution
+          shellHook = ''
+            echo "🔒 Ralph Sandbox Environment"
+            echo "   Limited to: nodejs, pnpm, git"
+            echo ""
+          '';
+
+          # For native modules
+          LD_LIBRARY_PATH = pkgs.lib.makeLibraryPath [ pkgs.stdenv.cc.cc ];
+        };
       };
     };
 }