Initial commit

scripts/build_bundle.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Build one-folder PyInstaller distribution (see applepy.spec). Requires: pip install -e ".[bundle]"
+# By default fetches NIST macos_security + Lynis into applepy/data/ (git + network). Offline:
+#   SKIP_VENDOR_COMPLIANCE=1 ./scripts/build_bundle.sh
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$ROOT"
+if [[ -f .venv/bin/activate ]]; then
+  # shellcheck source=/dev/null
+  source .venv/bin/activate
+fi
+if [[ "${SKIP_VENDOR_COMPLIANCE:-0}" != "1" ]]; then
+  "${ROOT}/scripts/vendor_compliance_assets.sh" all
+else
+  echo "SKIP_VENDOR_COMPLIANCE=1: skipping scripts/vendor_compliance_assets.sh"
+fi
+python -m pip install -q -e ".[bundle]"
+DIST_OUT="${ROOT}/dist/applepy"
+if [[ -e "${DIST_OUT}" ]]; then
+  echo "Removing previous bundle: ${DIST_OUT}"
+  if ! rm -rf "${DIST_OUT}"; then
+    echo "ERROR: Could not remove ${DIST_OUT}." >&2
+    echo "This usually means root-owned files under .../macos_security/build from a prior sudo run of the bundle." >&2
+    echo "Fix:  sudo rm -rf \"${DIST_OUT}\"" >&2
+    echo "Then re-run this script. The spec omits mSCP build/ from the bundle to avoid shipping host output." >&2
+    exit 1
+  fi
+fi
+python -m PyInstaller --noconfirm "${ROOT}/applepy.spec"
+echo "Output: ${ROOT}/dist/applepy/  →  run: dist/applepy/applepy --help"
+echo "Note: build/applepy/ is PyInstaller’s work dir only (no _internal/). Do not run that copy."