refactor(workspace): mount CWD as /workspace instead of named volume

Run from the project directory you want to work on; claude.sh mounts it automatically. Removes WORKSPACE_DIR env var support and the named claude-secure-workspace Docker volume.
2026-04-15 08:10:44 +02:00 · 2026-04-15 08:10:44 +02:00 · 3401fa38a5
commit 3401fa38a5
parent e19d4eb0a3
5 changed files with 15 additions and 38 deletions
--- a/.env.example
+++ b/.env.example
@ -14,12 +14,6 @@
 # Port 54545 must be reachable from your browser for the OAuth callback.
 # Run: sbx ports <sandbox-name> --publish 54545:54545/tcp

-# ─── Workspace (CLI mode only) ────────────────────────────────────────────────
-
-# Optional: mount a host directory as /workspace inside the Claude container.
-# If unset, a named Docker volume is used (fully isolated from the host).
-# WORKSPACE_DIR=/absolute/path/to/your/project
-
 # ─── Web interface ────────────────────────────────────────────────────────────

 # Required for ./claude.sh web
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -46,7 +46,7 @@ docker-claude/
 ```bash
 chmod +x claude.sh
 cp .env.example .env                      # set ANTHROPIC_API_KEY (and WEBUI_PASSWORD for web mode)
-./claude.sh start         # build + start proxy + launch Claude interactively (CLI)
+cd /path/to/project && ./claude.sh start  # build + start proxy + launch Claude (mounts CWD as /workspace)
 ./claude.sh web                           # build + start proxy + webui (browser terminal on :7681)
 ./claude.sh update                        # rebuild images (no cache) after upstream updates
 ```
--- a/README.md
+++ b/README.md
@ -92,14 +92,12 @@ Then run `./claude.sh run` and follow the prompt. Credentials are stored in the
 ### CLI mode

 ```bash
-# Build images, start proxy, launch Claude Code interactively
+# Build images, start proxy, launch Claude Code in the current directory
+cd ~/myproject
 ./claude.sh start

 # Start proxy if needed, launch Claude Code (faster on subsequent runs)
 ./claude.sh run
-
-# Mount a host directory as the workspace
-WORKSPACE_DIR=$HOME/myproject ./claude.sh run
 ```

 ### Web interface
@ -134,10 +132,10 @@ sbx ports <sandbox-name> --publish 7681:7681/tcp

 ### Workspace

-| Mode | Default | Override |
-|---|---|---|
-| CLI (`run`/`start`) | Named Docker volume (isolated) | `WORKSPACE_DIR=/path ./claude.sh run` |
-| Web (`web`) | Named Docker volume (`claude-web-workspace`) | Edit `docker-compose.yml` volumes |
+| Mode | Workspace |
+|---|---|
+| CLI (`run`/`start`) | Current working directory (mounted as `/workspace`) |
+| Web (`web`) | Named Docker volume (`claude-web-workspace`) |

 ## Egress allowlist

@ -165,6 +163,6 @@ Rebuild after changes:
 | `no-new-privileges` | yes | yes |
 | All capabilities dropped | yes | yes |
 | Direct internet access | no (`internal` network only) | allowlisted only |
-| Host filesystem | no mounts by default | none |
+| Host filesystem | CWD mounted as `/workspace` (CLI only) | none |
 | Docker socket | not mounted | not mounted |
 | Web auth | basic auth (ttyd `--credential`) | n/a |
--- a/claude.sh
+++ b/claude.sh
@ -43,20 +43,9 @@ load_env() {
 }

 # ─── Workspace volume resolution ──────────────────────────────────────────────
-# Default: named Docker volume (fully isolated).
-# Override: export WORKSPACE_DIR=/path/to/project before running.
+# Mounts the current working directory as /workspace inside the container.
 workspace_flag() {
-    if [[ -n "${WORKSPACE_DIR:-}" ]]; then
-        local abs
-        abs="$(realpath "${WORKSPACE_DIR}")"
-        if [[ ! -d "$abs" ]]; then
-            error "WORKSPACE_DIR does not exist: $abs"
-            exit 1
-        fi
-        echo "--volume ${abs}:/workspace:z"
-    else
-        echo "--volume ${PROJECT}-workspace:/workspace"
-    fi
+    echo "--volume $(pwd):/workspace:z"
 }

 # ─── Compose wrapper ──────────────────────────────────────────────────────────
@ -164,14 +153,11 @@ Commands:

 Environment variables (set in .env or shell):
  ANTHROPIC_API_KEY   Required for all modes.
-  WORKSPACE_DIR       Optional (CLI mode). Host path to mount as /workspace.
-                      Defaults to a named Docker volume (fully isolated).
  WEBUI_USER          Web interface username (default: claude).
  WEBUI_PASSWORD      Required for web mode. Basic auth password.

 Examples:
-  ./claude.sh start
-  WORKSPACE_DIR=\$HOME/myproject ./claude.sh run
+  cd ~/myproject && ./claude.sh start
  ./claude.sh web
  ./claude.sh logs proxy
  ./claude.sh logs webui
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -51,8 +51,7 @@ services:
      - "0.0.0.0:54545:54545"
    volumes:
      - claude-config:/home/node/.claude
-      # Workspace is injected by claude.sh via --volume flag at run time.
-      # Default: named Docker volume. Override: set WORKSPACE_DIR on the host.
+      # Workspace is injected by claude.sh via --volume flag at run time (current directory).
    security_opt:
      - no-new-privileges:true
    cap_drop: