docker-claude/CLAUDE.md

# Project Guidance

This file provides context and guidance for working with this project.

## Project Overview

**docker-claude** runs Claude Code inside a hardened Docker environment with a Squid proxy sidecar. The goal is full host encapsulation: Claude cannot access the host filesystem or network. All egress is routed through an allowlist-enforcing proxy.

## Architecture

Three containers managed by Docker Compose:

- **`claude`** — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), isolated to an internal-only Docker network
- **`webui`** — Claude Code as a browser terminal via ttyd (`node:20-alpine`), `node` user (UID 1000), same network isolation, basic auth required
- **`proxy`** — Squid forward proxy (`alpine:3.21`), `squid` user, bridges the internal network to the internet with an egress allowlist

Key Docker network property: `claude-internal` has `internal: true`, meaning Docker adds no default gateway. The `claude` and `webui` containers physically cannot reach the internet without going through the `proxy` container.

The `webui` service reuses `claude/Dockerfile`. Its entrypoint (`claude/webui-entrypoint.sh`) starts `ttyd --credential user:pass claude` instead of `claude` directly.

Auth supports three modes (checked at startup by `claude.sh`):
- `ANTHROPIC_API_KEY` — API key
- `CLAUDE_CODE_OAUTH_TOKEN` — 1-year token from `claude setup-token` (headless-friendly)
- Neither set — Claude Code prompts for browser login on first run; port 54545 is published for the OAuth callback. Credentials persist in the `claude-config` named volume.

## File Structure

```
docker-claude/
├── claude.sh               # Control script: start/stop/run/web/web-stop/update/logs/status/shell
├── docker-compose.yml      # Service definitions and network topology
├── claude/
│   ├── Dockerfile          # Claude Code + ttyd (node:20-alpine, UID 1000)
│   └── webui-entrypoint.sh # Entrypoint for webui: starts ttyd wrapping claude
├── proxy/
│   ├── Dockerfile          # Squid proxy sidecar (alpine:3.21, squid user)
│   └── squid.conf          # Squid ACL config — egress allowlist lives here
├── .env.example            # Template for ANTHROPIC_API_KEY, WEBUI_PASSWORD, etc.
├── .gitignore              # Excludes .env and logs
├── .dockerignore           # Keeps .env out of build context
└── README.md               # User documentation
```

## Development Workflow

```bash
chmod +x claude.sh
cp .env.example .env                      # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)
cd /path/to/project && ./claude.sh start  # build + start proxy + launch Claude (mounts CWD as /workspace)
./claude.sh web                           # build + start proxy + webui (browser terminal on :7681)
./claude.sh update                        # rebuild images (no cache) after upstream updates
```

## Coding Standards

- Shell scripts use `set -euo pipefail`
- Dockerfiles use Alpine (`node:20-alpine`, `alpine:3.21`) for minimal attack surface
- Alpine packages use `apk add --no-cache`; no apt cache cleanup layer needed
- No capabilities granted; `no-new-privileges` on all containers
- `.env` is never committed (enforced by `.gitignore` and `.dockerignore`)
- Commit messages follow **Angular format**: `type(scope): summary`

## Extending the Egress Allowlist

Add domains to `proxy/squid.conf` under the `allowed_sites` ACL, then rebuild:

```bash
docker compose -p claude-secure build proxy
./claude.sh stop && ./claude.sh start
```

## Environment Persistence

This sandbox has a persistent environment file at `/etc/sandbox-persistent.sh`.

This file is automatically sourced in all shell contexts:
- **Non-interactive shells**: via `BASH_ENV=/etc/sandbox-persistent.sh`
- **Login shells**: via `/etc/profile.d/sandbox-persistent.sh`
- **Interactive shells**: via `/etc/bash.bashrc` and `~/.bashrc`

## Critical: Shell Completions Must NOT Be in the Persistent Environment File

**NEVER add shell completion scripts to `/etc/sandbox-persistent.sh`.**

Shell completion scripts will completely break the bash tool when sourced via the persistent environment file.

## Network access

There is a firewall in place to restrict outbound network access. If you need http/https access to
an external service, request it by running:

```bash
sbx policy allow network [domain]
```

## Git Authentication

The sandbox proxy handles GitHub authentication automatically by injecting credentials for HTTPS Git operations.

## Additional Notes

- Always read relevant files before making changes
- Run tests after making modifications
- Follow the existing code structure and patterns
- You have sudo permissions, so you can install necessary packages
- npm, pip and uv are already available for package management
initial 2026-04-14 20:11:24 +02:00			`# Project Guidance`

			`This file provides context and guidance for working with this project.`

			`## Project Overview`

			`docker-claude runs Claude Code inside a hardened Docker environment with a Squid proxy sidecar. The goal is full host encapsulation: Claude cannot access the host filesystem or network. All egress is routed through an allowlist-enforcing proxy.`

			`## Architecture`

feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`Three containers managed by Docker Compose:`
initial 2026-04-14 20:11:24 +02:00
refactor(claude): use built-in node user instead of custom claude user Drop the addgroup/adduser layer entirely. node:20-alpine already ships a node user at uid/gid 1000. Update chown and USER directives, and update the claude-config volume mount path to /home/node/.claude. 2026-04-14 22:50:59 +02:00			- `claude` — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), isolated to an internal-only Docker network
			- `webui` — Claude Code as a browser terminal via ttyd (`node:20-alpine`), `node` user (UID 1000), same network isolation, basic auth required
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			- `proxy` — Squid forward proxy (`alpine:3.21`), `squid` user, bridges the internal network to the internet with an egress allowlist
initial 2026-04-14 20:11:24 +02:00
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			Key Docker network property: `claude-internal` has `internal: true`, meaning Docker adds no default gateway. The `claude` and `webui` containers physically cannot reach the internet without going through the `proxy` container.

refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			The `webui` service reuses `claude/Dockerfile`. Its entrypoint (`claude/webui-entrypoint.sh`) starts `ttyd --credential user:pass claude` instead of `claude` directly.
initial 2026-04-14 20:11:24 +02:00
feat(auth): support subscription login alongside API key Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through for headless token-based auth (claude setup-token). When neither is set, Claude Code falls back to browser OAuth on port 54545. Add claude-config named volume mounted at ~/.claude/ in both claude and webui services so credentials persist across container runs. Pre-create ~/.claude/ in the Dockerfile so the volume is initialised with correct ownership. Add --service-ports to docker compose run calls to publish port 54545 during CLI sessions. 2026-04-14 22:47:04 +02:00			Auth supports three modes (checked at startup by `claude.sh`):
			- `ANTHROPIC_API_KEY` — API key
			- `CLAUDE_CODE_OAUTH_TOKEN` — 1-year token from `claude setup-token` (headless-friendly)
			- Neither set — Claude Code prompts for browser login on first run; port 54545 is published for the OAuth callback. Credentials persist in the `claude-config` named volume.

initial 2026-04-14 20:11:24 +02:00			`## File Structure`

			```
			`docker-claude/`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`├── claude.sh # Control script: start/stop/run/web/web-stop/update/logs/status/shell`
			`├── docker-compose.yml # Service definitions and network topology`
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`├── claude/`
			`│ ├── Dockerfile # Claude Code + ttyd (node:20-alpine, UID 1000)`
			`│ └── webui-entrypoint.sh # Entrypoint for webui: starts ttyd wrapping claude`
initial 2026-04-14 20:11:24 +02:00			`├── proxy/`
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			`│ ├── Dockerfile # Squid proxy sidecar (alpine:3.21, squid user)`
feat(webui): add browser terminal interface via ttyd Adds a webui service to docker-compose that wraps Claude Code in ttyd, serving a browser-accessible terminal on port 7681. The webui reuses Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint script that enforces WEBUI_PASSWORD before starting. Network isolation is identical to the CLI container: claude-internal only, all egress via the proxy allowlist. claude.sh gains web and web-stop commands. 2026-04-14 22:25:38 +02:00			`│ └── squid.conf # Squid ACL config — egress allowlist lives here`
			`├── .env.example # Template for ANTHROPIC_API_KEY, WEBUI_PASSWORD, etc.`
			`├── .gitignore # Excludes .env and logs`
			`├── .dockerignore # Keeps .env out of build context`
			`└── README.md # User documentation`
initial 2026-04-14 20:11:24 +02:00			```

			`## Development Workflow`

			```bash
			`chmod +x claude.sh`
refactor(workspace): mount CWD as /workspace instead of named volume Run from the project directory you want to work on; claude.sh mounts it automatically. Removes WORKSPACE_DIR env var support and the named claude-secure-workspace Docker volume. 2026-04-15 08:10:44 +02:00			`cp .env.example .env # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)`
			`cd /path/to/project && ./claude.sh start # build + start proxy + launch Claude (mounts CWD as /workspace)`
			`./claude.sh web # build + start proxy + webui (browser terminal on :7681)`
			`./claude.sh update # rebuild images (no cache) after upstream updates`
initial 2026-04-14 20:11:24 +02:00			```

			`## Coding Standards`

			- Shell scripts use `set -euo pipefail`
refactor(docker): migrate both images to Alpine Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path. 2026-04-14 22:40:57 +02:00			- Dockerfiles use Alpine (`node:20-alpine`, `alpine:3.21`) for minimal attack surface
			- Alpine packages use `apk add --no-cache`; no apt cache cleanup layer needed
initial 2026-04-14 20:11:24 +02:00			- No capabilities granted; `no-new-privileges` on all containers
			- `.env` is never committed (enforced by `.gitignore` and `.dockerignore`)
			- Commit messages follow Angular format: `type(scope): summary`

			`## Extending the Egress Allowlist`

			Add domains to `proxy/squid.conf` under the `allowed_sites` ACL, then rebuild:

			```bash
			`docker compose -p claude-secure build proxy`
			`./claude.sh stop && ./claude.sh start`
			```

			`## Environment Persistence`

			This sandbox has a persistent environment file at `/etc/sandbox-persistent.sh`.

			`This file is automatically sourced in all shell contexts:`
			- Non-interactive shells: via `BASH_ENV=/etc/sandbox-persistent.sh`
			- Login shells: via `/etc/profile.d/sandbox-persistent.sh`
			- Interactive shells: via `/etc/bash.bashrc` and `~/.bashrc`

			`## Critical: Shell Completions Must NOT Be in the Persistent Environment File`

			NEVER add shell completion scripts to `/etc/sandbox-persistent.sh`.

			`Shell completion scripts will completely break the bash tool when sourced via the persistent environment file.`

			`## Network access`

			`There is a firewall in place to restrict outbound network access. If you need http/https access to`
			`an external service, request it by running:`

			```bash
			`sbx policy allow network [domain]`
			```

			`## Git Authentication`

			`The sandbox proxy handles GitHub authentication automatically by injecting credentials for HTTPS Git operations.`

			`## Additional Notes`

			`- Always read relevant files before making changes`
			`- Run tests after making modifications`
			`- Follow the existing code structure and patterns`
			`- You have sudo permissions, so you can install necessary packages`
			`- npm, pip and uv are already available for package management`