docker-claude/claude/Dockerfile

FROM node:20-alpine

# Install runtime dependencies
RUN apk add --no-cache \
        git \
        curl \
        ca-certificates \
        bash \
        ttyd

# Entrypoint used by the webui service (ttyd wrapping claude)
COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh

# System-level Claude Code policy — owned by root, not writable by the node user.
# Restricts available models; cannot be bypassed via CLI flags or env vars.
COPY settings.json /etc/claude-code/managed-settings.json

# Install Claude Code globally
RUN npm install -g @anthropic-ai/claude-code

# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
RUN npm install -g \
        @modelcontextprotocol/server-github \
        @yoda.digital/gitlab-mcp-server \
        @aashari/mcp-server-atlassian-jira \
        @aashari/mcp-server-atlassian-confluence

# Workspace and Claude config dir — owned by the built-in node user (uid 1000).
# Pre-creating ~/.claude ensures the named volume is initialised with the
# correct ownership when first mounted (Docker copies image content into
# an empty named volume on first use).
RUN mkdir -p /workspace /home/node/.claude \
    && chown -R node:node /workspace /home/node/.claude

USER node
WORKDIR /workspace

# Proxy traffic through sidecar — override at runtime if needed
ENV HTTP_PROXY=http://proxy:3128
ENV HTTPS_PROXY=http://proxy:3128
ENV ALL_PROXY=http://proxy:3128
ENV NO_PROXY=localhost,127.0.0.1

ENTRYPOINT ["claude"]
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`FROM node:20-alpine`
initial 2026-04-14 20:11:24 +02:00
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`# Install runtime dependencies`
			`RUN apk add --no-cache \`
initial 2026-04-14 20:11:24 +02:00			`git \`
			`curl \`
			`ca-certificates \`
			`bash \`
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`ttyd`
initial 2026-04-14 20:11:24 +02:00
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`# Entrypoint used by the webui service (ttyd wrapping claude)`
			`COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh`

feat(policy): restrict available models to sonnet, opus, haiku Add /etc/claude-code/managed-settings.json with availableModels set to the three Anthropic model families. The file is root-owned inside the container so the node user cannot modify it. Managed settings cannot be bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var. 2026-04-14 22:55:02 +02:00			`# System-level Claude Code policy — owned by root, not writable by the node user.`
			`# Restricts available models; cannot be bypassed via CLI flags or env vars.`
refactor(policy): rename managed-settings.json to settings.json 2026-04-14 22:59:25 +02:00			`COPY settings.json /etc/claude-code/managed-settings.json`
feat(policy): restrict available models to sonnet, opus, haiku Add /etc/claude-code/managed-settings.json with availableModels set to the three Anthropic model families. The file is root-owned inside the container so the node user cannot modify it. Managed settings cannot be bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var. 2026-04-14 22:55:02 +02:00
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`# Install Claude Code globally`
initial 2026-04-14 20:11:24 +02:00			`RUN npm install -g @anthropic-ai/claude-code`

feat(mcp): add GitHub, GitLab, Jira, and Confluence MCP servers Install four MCP servers globally in the claude image: @modelcontextprotocol/server-github → mcp-server-github @yoda.digital/gitlab-mcp-server → gitlab-mcp-server @aashari/mcp-server-atlassian-jira → mcp-atlassian-jira @aashari/mcp-server-atlassian-confluence → mcp-atlassian-confluence Wire them in managed-settings.json via mcpServers with env var pass-through. Jira and Confluence share ATLASSIAN_* credentials. Add api.github.com, .gitlab.com, .atlassian.net to the squid allowlist. All credentials are optional — servers are skipped if the relevant env vars are unset. 2026-04-14 23:09:42 +02:00			`# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/`
			`RUN npm install -g \`
			`@modelcontextprotocol/server-github \`
			`@yoda.digital/gitlab-mcp-server \`
			`@aashari/mcp-server-atlassian-jira \`
			`@aashari/mcp-server-atlassian-confluence`

refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`# Workspace and Claude config dir — owned by the built-in node user (uid 1000).`
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			`# Pre-creating ~/.claude ensures the named volume is initialised with the`
			`# correct ownership when first mounted (Docker copies image content into`
			`# an empty named volume on first use).`
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`RUN mkdir -p /workspace /home/node/.claude \`
			`&& chown -R node:node /workspace /home/node/.claude`
initial 2026-04-14 20:11:24 +02:00
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			`USER node`
initial 2026-04-14 20:11:24 +02:00			`WORKDIR /workspace`

			`# Proxy traffic through sidecar — override at runtime if needed`
			`ENV HTTP_PROXY=http://proxy:3128`
			`ENV HTTPS_PROXY=http://proxy:3128`
			`ENV ALL_PROXY=http://proxy:3128`
			`ENV NO_PROXY=localhost,127.0.0.1`

			`ENTRYPOINT ["claude"]`