refactor(workspace): mount CWD as /workspace instead of named volume

Run from the project directory you want to work on; claude.sh mounts it automatically. Removes WORKSPACE_DIR env var support and the named claude-secure-workspace Docker volume.
2026-04-15 08:10:44 +02:00 · 2026-04-15 08:10:44 +02:00 · 3401fa38a5
commit 3401fa38a5
parent e19d4eb0a3
5 changed files with 15 additions and 38 deletions
--- a/README.md
+++ b/README.md
@ -92,14 +92,12 @@ Then run `./claude.sh run` and follow the prompt. Credentials are stored in the
 ### CLI mode

 ```bash
-# Build images, start proxy, launch Claude Code interactively
+# Build images, start proxy, launch Claude Code in the current directory
+cd ~/myproject
 ./claude.sh start

 # Start proxy if needed, launch Claude Code (faster on subsequent runs)
 ./claude.sh run
-
-# Mount a host directory as the workspace
-WORKSPACE_DIR=$HOME/myproject ./claude.sh run
 ```

 ### Web interface
@ -134,10 +132,10 @@ sbx ports <sandbox-name> --publish 7681:7681/tcp

 ### Workspace

-| Mode | Default | Override |
-|---|---|---|
-| CLI (`run`/`start`) | Named Docker volume (isolated) | `WORKSPACE_DIR=/path ./claude.sh run` |
-| Web (`web`) | Named Docker volume (`claude-web-workspace`) | Edit `docker-compose.yml` volumes |
+| Mode | Workspace |
+|---|---|
+| CLI (`run`/`start`) | Current working directory (mounted as `/workspace`) |
+| Web (`web`) | Named Docker volume (`claude-web-workspace`) |

 ## Egress allowlist

@ -165,6 +163,6 @@ Rebuild after changes:
 | `no-new-privileges` | yes | yes |
 | All capabilities dropped | yes | yes |
 | Direct internet access | no (`internal` network only) | allowlisted only |
-| Host filesystem | no mounts by default | none |
+| Host filesystem | CWD mounted as `/workspace` (CLI only) | none |
 | Docker socket | not mounted | not mounted |
 | Web auth | basic auth (ttyd `--credential`) | n/a |