SwiftSQLite: sandboxed sqlite3 command for SwiftBash (M0–M6)

.github/workflows/swift.yml

@@ -0,0 +1,49 @@
+name: Swift
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# macOS-only, mirroring the sibling SwiftGog repo's proven CI. A full
+# SwiftBash consumer builds cleanly on macOS (Xcode 26 / Swift 6.2); the Linux
+# build of BashCommandKit's SwiftPorts closure (libgit2 + the compression
+# family + ripgrep) needs heavier system-lib setup. SwiftSQLiteKit itself is
+# SwiftBash-agnostic and Linux-clean, so a Linux engine-only job can be added
+# later without that closure.
+#
+# The SQLite amalgamation (sqlite3.c/.h) is vendored (committed), so the build
+# needs no network. Package.resolved pins marcprux/swift-archive by revision —
+# its `master` branch was renamed, so a fresh resolve would otherwise fail
+# chasing the dead ref.
+
+jobs:
+  build-macos:
+    runs-on: macos-latest
+    timeout-minutes: 30
+    steps:
+      - uses: actions/checkout@v4
+      # SwiftBash's manifest declares swift-tools-version 6.2, so the
+      # toolchain must be >= 6.2. Xcode 26.0 ships Swift 6.2.
+      - name: Select Xcode 26.0
+        uses: maxim-lobanov/setup-xcode@v1
+        with:
+          xcode-version: "26.0"
+      # bzip2 / zstd back SwiftPorts' compression kits; macOS runners usually
+      # already have them, so this is a defensive idempotent install.
+      - name: Install C dependencies (Homebrew)
+        run: |
+          for pkg in bzip2 zstd; do
+            brew list --versions "$pkg" >/dev/null 2>&1 || brew install "$pkg"
+          done
+      - name: Verify Swift version
+        run: swift --version
+      - name: Build (including tests)
+        run: swift build --build-tests -v
+      - name: Test
+        run: swift test --skip-build

.github/workflows/vendor-sqlite.yml

@@ -0,0 +1,45 @@
+name: Vendor SQLite amalgamation
+
+# Fetches, SHA3-256-verifies, and commits sqlite3.c / sqlite3.h into the repo.
+# Run manually (Actions ▸ "Vendor SQLite amalgamation" ▸ Run workflow) or it
+# fires automatically when Sources/CSQLite/VERSION changes (a version bump).
+# The committed amalgamation is what makes the package build from a fresh clone
+# / as a plain SwiftPM dependency — this workflow just keeps it in sync with
+# the pin in VERSION.
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "Sources/CSQLite/VERSION"
+
+permissions:
+  contents: write
+
+concurrency:
+  group: vendor-sqlite-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  vendor:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - name: Ensure fetch tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends curl unzip openssl ca-certificates
+      - name: Fetch + verify amalgamation
+        run: ./scripts/fetch-sqlite.sh --force
+      - name: Commit if changed
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add Sources/CSQLite/sqlite3.c Sources/CSQLite/include/sqlite3.h
+          if git diff --cached --quiet; then
+            echo "Amalgamation already matches the pin — nothing to commit."
+          else
+            git commit -m "Vendor sqlite3 amalgamation (SHA3-256 verified)"
+            git push
+          fi

.gitignore

@@ -6,3 +6,10 @@ DerivedData/
 .swiftpm/configuration/registries.json
 .swiftpm/xcode/package.xcworkspace/contents.xcworkspacedata
 .netrc
+
+# The SQLite amalgamation (sqlite3.c / sqlite3.h) IS committed (vendored) so a
+# fresh clone builds with no prerequisite step and the package is usable as a
+# plain SwiftPM dependency. scripts/fetch-sqlite.sh refreshes it on a version
+# bump (it's SHA3-256-verified). shell.c / sqlite3ext.h aren't used — ignored.
+/Sources/CSQLite/shell.c
+/Sources/CSQLite/include/sqlite3ext.h

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 PicoMLX
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.