diff --git a/.env.example b/.env.example
index 935ccb8..e8c6eea 100644
--- a/.env.example
+++ b/.env.example
@@ -14,12 +14,6 @@
 # Port 54545 must be reachable from your browser for the OAuth callback.
 # Run: sbx ports --publish 54545:54545/tcp
-# ─── Workspace (CLI mode only) ────────────────────────────────────────────────
-
-# Optional: mount a host directory as /workspace inside the Claude container.
-# If unset, a named Docker volume is used (fully isolated from the host).
-# WORKSPACE_DIR=/absolute/path/to/your/project
-
 # ─── Web interface ────────────────────────────────────────────────────────────
 # Required for ./claude.sh web
diff --git a/CLAUDE.md b/CLAUDE.md
index 1abc17e..b9d8ea5 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -45,10 +45,10 @@ docker-claude/
 ```bash
 chmod +x claude.sh
-cp .env.example .env # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)
-./claude.sh start # build + start proxy + launch Claude interactively (CLI)
-./claude.sh web # build + start proxy + webui (browser terminal on :7681)
-./claude.sh update # rebuild images (no cache) after upstream updates
+cp .env.example .env # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)
+cd /path/to/project && ./claude.sh start # build + start proxy + launch Claude (mounts CWD as /workspace)
+./claude.sh web # build + start proxy + webui (browser terminal on :7681)
+./claude.sh update # rebuild images (no cache) after upstream updates
 ```
 ## Coding Standards
diff --git a/README.md b/README.md
index c729c70..6f37c42 100644
--- a/README.md
+++ b/README.md
@@ -92,14 +92,12 @@ Then run `./claude.sh run` and follow the prompt. Credentials are stored in the
 ### CLI mode
 ```bash
-# Build images, start proxy, launch Claude Code interactively
+# Build images, start proxy, launch Claude Code in the current directory
+cd ~/myproject
 ./claude.sh start
 # Start proxy if needed, launch Claude Code (faster on subsequent runs)
 ./claude.sh run
-
-# Mount a host directory as the workspace
-WORKSPACE_DIR=$HOME/myproject ./claude.sh run
 ```
 ### Web interface
@@ -134,10 +132,10 @@ sbx ports --publish 7681:7681/tcp
 ### Workspace
-| Mode | Default | Override |
-|---|---|---|
-| CLI (`run`/`start`) | Named Docker volume (isolated) | `WORKSPACE_DIR=/path ./claude.sh run` |
-| Web (`web`) | Named Docker volume (`claude-web-workspace`) | Edit `docker-compose.yml` volumes |
+| Mode | Workspace |
+|---|---|
+| CLI (`run`/`start`) | Current working directory (mounted as `/workspace`) |
+| Web (`web`) | Named Docker volume (`claude-web-workspace`) |
 ## Egress allowlist
@@ -165,6 +163,6 @@ Rebuild after changes:
 | `no-new-privileges` | yes | yes |
 | All capabilities dropped | yes | yes |
 | Direct internet access | no (`internal` network only) | allowlisted only |
-| Host filesystem | no mounts by default | none |
+| Host filesystem | CWD mounted as `/workspace` (CLI only) | none |
 | Docker socket | not mounted | not mounted |
 | Web auth | basic auth (ttyd `--credential`) | n/a |
diff --git a/claude.sh b/claude.sh
index de90c7f..62aad47 100644
--- a/claude.sh
+++ b/claude.sh
@@ -43,20 +43,9 @@ load_env() {
 }
 # ─── Workspace volume resolution ──────────────────────────────────────────────
-# Default: named Docker volume (fully isolated).
-# Override: export WORKSPACE_DIR=/path/to/project before running.
+# Mounts the current working directory as /workspace inside the container.
 workspace_flag() {
- if [[ -n "${WORKSPACE_DIR:-}" ]]; then
- local abs
- abs="$(realpath "${WORKSPACE_DIR}")"
- if [[ ! -d "$abs" ]]; then
- error "WORKSPACE_DIR does not exist: $abs"
- exit 1
- fi
- echo "--volume ${abs}:/workspace:z"
- else
- echo "--volume ${PROJECT}-workspace:/workspace"
- fi
+ echo "--volume $(pwd):/workspace:z"
 }
 # ─── Compose wrapper ──────────────────────────────────────────────────────────
@@ -164,14 +153,11 @@ Commands:
 Environment variables (set in .env or shell):
 ANTHROPIC_API_KEY Required for all modes.
- WORKSPACE_DIR Optional (CLI mode). Host path to mount as /workspace.
- Defaults to a named Docker volume (fully isolated).
 WEBUI_USER Web interface username (default: claude).
 WEBUI_PASSWORD Required for web mode. Basic auth password.
 Examples:
- ./claude.sh start
- WORKSPACE_DIR=\$HOME/myproject ./claude.sh run
+ cd ~/myproject && ./claude.sh start
 ./claude.sh web
 ./claude.sh logs proxy
 ./claude.sh logs webui
diff --git a/docker-compose.yml b/docker-compose.yml
index 753b2c4..e215390 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -51,8 +51,7 @@ services:
 - "0.0.0.0:54545:54545"
 volumes:
 - claude-config:/home/node/.claude
- # Workspace is injected by claude.sh via --volume flag at run time.
- # Default: named Docker volume. Override: set WORKSPACE_DIR on the host.
+ # Workspace is injected by claude.sh via --volume flag at run time (current directory).
 security_opt:
 - no-new-privileges:true
 cap_drop:
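Review bot: `workspace_flag` in claude.sh now bind-mounts whatever directory the script is started from, with no check on what `$(pwd)` resolves to, so a run from `$HOME` or `/` gives the container read-write access to the whole tree and, on SELinux hosts, `:z` relabels it. The previous default was an isolated named volume, and this hunk leaves no way to opt back into it. Running from the checkout itself would also place `.env` (API key, web password) under `/workspace`, assuming that file sits next to `claude.sh` as the docs in this commit describe. I would resolve the path once and refuse the broad cases before emitting the flag, as below. How the caller consumes the echoed string is outside the hunk, so handling of paths containing spaces or colons needs checking there.

```shell
workspace_flag() {
  local cwd
  cwd="$(pwd -P)"
  # Broad mounts expose far more than one project and are relabelled by :z on SELinux hosts.
  if [[ "$cwd" == "/" || "$cwd" == "${HOME:-}" ]]; then
    error "Refusing to mount ${cwd} as /workspace; cd into a project directory first"
    exit 1
  fi
  echo "--volume ${cwd}:/workspace:z"
}
```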