docker-claude/README.md

# docker-claude

Runs [Claude Code](https://claude.ai/code) inside an isolated Docker environment with a proxy sidecar for controlled egress. Claude cannot access the host filesystem or network directly.

## Architecture

```
┌──────────────────────────────────────────────────────────┐
│  Host machine                                            │
│                                                          │
│  claude.sh (control script)                              │
│       │                                                  │
│       ▼                                                  │
│  ┌──────────────────────────────────────────────────┐   │
│  │  Docker: claude-secure                           │   │
│  │                                                  │   │
│  │  ┌─────────────┐    claude-internal              │   │
│  │  │  claude     │    (internal: true)             │   │
│  │  │  (UID 1000) │──────────────► ┌──────────┐    │   │
│  │  └─────────────┘                │  proxy   │    │   │
│  │                                 │ (UID 13) │    │   │
│  │                                 └────┬─────┘    │   │
│  │                             proxy-external       │   │
│  └──────────────────────────────────────────────────┘   │
│                                            │             │
│                                            ▼             │
│                                 internet (allowlisted)   │
└──────────────────────────────────────────────────────────┘
```

- **`claude`** — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), on `claude-internal` only
- **`proxy`** — Squid forward proxy (`alpine:3.21`), bridges `claude-internal` ↔ internet with egress allowlist
- **`claude-internal`** — `internal: true`; no default gateway, containers cannot reach the internet directly
- **`proxy-external`** — Standard bridge; proxy sidecar only

## Prerequisites

- Docker Engine 24+
- Docker Compose v2 plugin (`docker compose version`)

## Setup

```bash
# 1. Clone / copy this repo
git clone <repo> docker-claude && cd docker-claude

# 2. Configure credentials (see Authentication below)
cp .env.example .env
$EDITOR .env

# 3. Make the control script executable
chmod +x claude.sh
```

## Authentication

Three options — pick one and set it in `.env`:

### Option 1 — API key
```bash
ANTHROPIC_API_KEY=sk-ant-...
```

### Option 2 — OAuth token (subscription, headless-friendly)

Run this **on your host** (not inside the container) to generate a 1-year token:
```bash
claude setup-token
```
Then set the printed token in `.env`:
```bash
CLAUDE_CODE_OAUTH_TOKEN=...
```

### Option 3 — Browser OAuth (interactive)

Leave both keys unset. On first run, Claude Code will print a login URL.
Port 54545 must be reachable from your browser for the OAuth callback:

```bash
sbx ports <sandbox-name> --publish 54545:54545/tcp
```

Then run `./claude.sh start` and follow the prompt. Credentials are stored in
`~/.claude` on the host and reused on every subsequent run.

## Usage

```bash
# Start proxy, pull latest images, launch Claude Code in the current directory
cd ~/myproject
./claude.sh start
```

### Other commands

```bash
./claude.sh stop          # Stop and remove all containers
./claude.sh update        # Pull latest images from the registry
./claude.sh logs          # Tail proxy logs
./claude.sh status        # Show container status
./claude.sh shell         # Debug bash shell in the Claude container
```

### Building locally

`build.sh` builds images from source using the local Dockerfiles:

```bash
./build.sh              # build with layer cache
./build.sh --no-cache   # force full rebuild
```

## Egress allowlist

Edit `proxy/squid.conf` and add domains to the `allowed_sites` ACL:

```
acl allowed_sites dstdomain api.anthropic.com
acl allowed_sites dstdomain statsig.anthropic.com
# acl allowed_sites dstdomain api.github.com
# acl allowed_sites dstdomain registry.npmjs.org
```

Rebuild after changes:

```bash
./claude.sh stop && ./claude.sh start
```

## Security controls

| Control | claude | proxy |
|---|---|---|
| Non-root user | UID 1000 (`node`, built into base image) | `squid` user |
| `no-new-privileges` | yes | yes |
| All capabilities dropped | yes | yes |
| Direct internet access | no (`internal` network only) | allowlisted only |
| Host filesystem | CWD mounted as `/workspace` | none |
| Docker socket | not mounted | not mounted |
initial 2026-04-14 20:11:24 +02:00			`# docker-claude`

docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			`Runs [Claude Code](https://claude.ai/code) inside an isolated Docker environment with a proxy sidecar for controlled egress. Claude cannot access the host filesystem or network directly.`
initial 2026-04-14 20:11:24 +02:00
			`## Architecture`

			```
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`┌──────────────────────────────────────────────────────────┐`
			`│ Host machine │`
			`│ │`
			`│ claude.sh (control script) │`
			`│ │ │`
			`│ ▼ │`
			`│ ┌──────────────────────────────────────────────────┐ │`
			`│ │ Docker: claude-secure │ │`
			`│ │ │ │`
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			`│ │ ┌─────────────┐ claude-internal │ │`
			`│ │ │ claude │ (internal: true) │ │`
			`│ │ │ (UID 1000) │──────────────► ┌──────────┐ │ │`
			`│ │ └─────────────┘ │ proxy │ │ │`
			`│ │ │ (UID 13) │ │ │`
			`│ │ └────┬─────┘ │ │`
			`│ │ proxy-external │ │`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`│ └──────────────────────────────────────────────────┘ │`
			`│ │ │`
			`│ ▼ │`
			`│ internet (allowlisted) │`
			`└──────────────────────────────────────────────────────────┘`
initial 2026-04-14 20:11:24 +02:00			```

refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			- `claude` — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), on `claude-internal` only
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			- `proxy` — Squid forward proxy (`alpine:3.21`), bridges `claude-internal` ↔ internet with egress allowlist
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			- `claude-internal` — `internal: true`; no default gateway, containers cannot reach the internet directly
			- `proxy-external` — Standard bridge; proxy sidecar only
initial 2026-04-14 20:11:24 +02:00
			`## Prerequisites`

			`- Docker Engine 24+`
			- Docker Compose v2 plugin (`docker compose version`)

			`## Setup`

			```bash
			`# 1. Clone / copy this repo`
			`git clone <repo> docker-claude && cd docker-claude`

feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			`# 2. Configure credentials (see Authentication below)`
initial 2026-04-14 20:11:24 +02:00			`cp .env.example .env`
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			`$EDITOR .env`
initial 2026-04-14 20:11:24 +02:00
			`# 3. Make the control script executable`
			`chmod +x claude.sh`
			```

feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			`## Authentication`

			Three options — pick one and set it in `.env`:

			`### Option 1 — API key`
			```bash
			`ANTHROPIC_API_KEY=sk-ant-...`
			```

			`### Option 2 — OAuth token (subscription, headless-friendly)`

			`Run this on your host (not inside the container) to generate a 1-year token:`
			```bash
			`claude setup-token`
			```
			Then set the printed token in `.env`:
			```bash
			`CLAUDE_CODE_OAUTH_TOKEN=...`
			```

			`### Option 3 — Browser OAuth (interactive)`

			`Leave both keys unset. On first run, Claude Code will print a login URL.`
			`Port 54545 must be reachable from your browser for the OAuth callback:`

			```bash
			`sbx ports <sandbox-name> --publish 54545:54545/tcp`
			```

docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			Then run `./claude.sh start` and follow the prompt. Credentials are stored in
			`~/.claude` on the host and reused on every subsequent run.
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00
initial 2026-04-14 20:11:24 +02:00			`## Usage`

			```bash
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			`# Start proxy, pull latest images, launch Claude Code in the current directory`
refactor(workspace): mount CWD as /workspace instead of named volume Run from the project directory you want to work on; claude.sh mounts it automatically. Removes WORKSPACE_DIR env var support and the named claude-secure-workspace Docker volume. 2026-04-15 08:10:44 +02:00			`cd ~/myproject`
initial 2026-04-14 20:11:24 +02:00			`./claude.sh start`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			```
initial 2026-04-14 20:11:24 +02:00
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`### Other commands`
initial 2026-04-14 20:11:24 +02:00
			```bash
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`./claude.sh stop # Stop and remove all containers`
refactor(images): pull from registry instead of building; add build.sh for local dev 2026-04-15 17:02:43 +02:00			`./claude.sh update # Pull latest images from the registry`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`./claude.sh logs # Tail proxy logs`
			`./claude.sh status # Show container status`
			`./claude.sh shell # Debug bash shell in the Claude container`
initial 2026-04-14 20:11:24 +02:00			```

refactor(images): pull from registry instead of building; add build.sh for local dev 2026-04-15 17:02:43 +02:00			`### Building locally`

docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			`build.sh` builds images from source using the local Dockerfiles:
refactor(images): pull from registry instead of building; add build.sh for local dev 2026-04-15 17:02:43 +02:00
			```bash
			`./build.sh # build with layer cache`
			`./build.sh --no-cache # force full rebuild`
			```

initial 2026-04-14 20:11:24 +02:00			`## Egress allowlist`

			Edit `proxy/squid.conf` and add domains to the `allowed_sites` ACL:

feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			```
initial 2026-04-14 20:11:24 +02:00			`acl allowed_sites dstdomain api.anthropic.com`
			`acl allowed_sites dstdomain statsig.anthropic.com`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`# acl allowed_sites dstdomain api.github.com`
initial 2026-04-14 20:11:24 +02:00			`# acl allowed_sites dstdomain registry.npmjs.org`
			```

feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`Rebuild after changes:`
initial 2026-04-14 20:11:24 +02:00
			```bash
			`./claude.sh stop && ./claude.sh start`
			```

			`## Security controls`

docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			`\| Control \| claude \| proxy \|`
initial 2026-04-14 20:11:24 +02:00			`\|---\|---\|---\|`
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			\| Non-root user \| UID 1000 (`node`, built into base image) \| `squid` user \|
initial 2026-04-14 20:11:24 +02:00			\| `no-new-privileges` \| yes \| yes \|
			`\| All capabilities dropped \| yes \| yes \|`
			\| Direct internet access \| no (`internal` network only) \| allowlisted only \|
docs(readme): sync with current state after webui removal Remove webui from architecture, commands, and security table. Update auth option 3 to reference ~/.claude instead of claude-config volume. Drop stale registry path comment and web interface section. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-15 22:41:28 +02:00			\| Host filesystem \| CWD mounted as `/workspace` \| none \|
initial 2026-04-14 20:11:24 +02:00			`\| Docker socket \| not mounted \| not mounted \|`