From b1cdf9b63e14dab9937ec7f5f6bd6c6aabd844a4 Mon Sep 17 00:00:00 2001
From: Colin <colin@uninsane.org>
Date: Tue, 22 Jul 2025 00:07:31 +0000
Subject: [PATCH] sane-profile: init

---
 hosts/common/programs/sane-scripts.nix     | 11 ++++++++++-
 pkgs/by-name/sane-scripts/package.nix      |  5 +++++
 pkgs/by-name/sane-scripts/src/sane-profile | 13 +++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100755 pkgs/by-name/sane-scripts/src/sane-profile

diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index dd38bb3d4..993666782 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -16,6 +16,7 @@ in
     "sane-scripts.dev" = declPackageSet [
       "sane-scripts.clone"
       "sane-scripts.dev-cargo-loop"
+      "sane-scripts.profile"
     ];
     "sane-scripts.cli" = declPackageSet [
       "sane-scripts.find-dotfiles"
@@ -76,7 +77,7 @@ in
     "sane-scripts.dev-cargo-loop".sandbox = {
       net = "clearnet";
       whitelistPwd = true;
-      extraPaths = [
+      extraHomePaths = [
         # a build script can do a lot... but a well-written one will be confined
         # to XDG dirs and the local dir, and maybe the internet for fetching dependencies.
         ".cache"
@@ -85,6 +86,14 @@ in
       ];
     };
 
+    "sane-scripts.profile".sandbox = {
+      # should maybe be unconfined instead, since it runs a user program?
+      autodetectCliPaths = "existing";
+      extraPaths = [
+        "/tmp"
+      ];
+    };
+
     "sane-scripts.find-dotfiles".sandbox = {
       method = "bunpen";
       extraHomePaths = [
diff --git a/pkgs/by-name/sane-scripts/package.nix b/pkgs/by-name/sane-scripts/package.nix
index 29aeaa311..bfa5dc53a 100644
--- a/pkgs/by-name/sane-scripts/package.nix
+++ b/pkgs/by-name/sane-scripts/package.nix
@@ -122,6 +122,11 @@ let
       srcRoot = ./src;
       pkgs = [ "openssh" "sane-scripts.secrets-dump" ];
     };
+    profile = static-nix-shell.mkYsh {
+      pname = "sane-profile";
+      srcRoot = ./src;
+      pkgs = [ "flamegraph" "linuxPackages.perf" ];
+    };
     rcp = static-nix-shell.mkBash {
       pname = "sane-rcp";
       srcRoot = ./src;
diff --git a/pkgs/by-name/sane-scripts/src/sane-profile b/pkgs/by-name/sane-scripts/src/sane-profile
new file mode 100755
index 000000000..5920f27eb
--- /dev/null
+++ b/pkgs/by-name/sane-scripts/src/sane-profile
@@ -0,0 +1,13 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i ysh -p flamegraph -p linuxPackages.perf -p oils-for-unix
+
+# use like `sane-profile some-command --which-takes-a flag`.
+# will render a .html file showing the hot-path functions inside the command.
+
+var cmd = ARGV
+var tmpdir = "/tmp"
+perf record -F 9000 -e cycles:u -g -o "$tmpdir/perf.data" -- @cmd
+perf script --input "$tmpdir/perf.data" > "$tmpdir/perf.script"
+stackcollapse-perf.pl "$tmpdir/perf.script" | flamegraph.pl --width 2000 > "$tmpdir/flamegraph.html"
+
+echo "flame graph available at $tmpdir/flamegraph.html"