Move mfc wrapper to libexec and use write_exec_script for audit compliance

sbryngelson · sbryngelson · commit f850b08de72c · 2025-11-08T10:50:45.000-05:00
diff --git a/packaging/homebrew/mfc.rb b/packaging/homebrew/mfc.rb
@@ -73,12 +73,8 @@ def install
     # Install examples
     prefix.install "examples"
 
-    # Create smart wrapper script that:
-    # 1. Works around read-only Cellar issue by using a temp working dir
-    # 2. Uses the persistent var-based venv (no copy needed)
-    # 3. Minimal copying - only what needs to be writable
-    # 4. Resolves input file paths before changing directories
-    (bin/"mfc").write <<~EOS
+    # Create smart wrapper script in libexec; bin wrapper will be generated by Homebrew
+    (libexec/"mfc").write <<~EOS
         #!/usr/bin/env bash
         set -euo pipefail
 
@@ -184,12 +180,15 @@ def _homebrew_is_buildable(self):
           exec ./mfc.sh "${ARGS[@]}"
         fi
     EOS
-    (bin/"mfc").chmod 0755
+    (libexec/"mfc").chmod 0755
+
+    # Create a thin exec wrapper in bin that calls the libexec script (audit-friendly)
+    bin.write_exec_script libexec/"mfc"
   end
 
   def post_install
-    # Fix executable permissions (Homebrew sometimes overrides them)
-    (bin/"mfc").chmod 0755
+    # Fix executable permissions for libexec wrapper
+    (libexec/"mfc").chmod 0755
   end
 
   def caveats
