feat(policy): restrict available models to sonnet, opus, haiku
Add /etc/claude-code/managed-settings.json with availableModels set to the three Anthropic model families. The file is root-owned inside the container so the node user cannot modify it. Managed settings cannot be bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var.
parent
1c489f8636
commit
3adc97d901
2 changed files with 7 additions and 0 deletions
|
|
@ -11,6 +11,10 @@ RUN apk add --no-cache \
|
||||||
# Entrypoint used by the webui service (ttyd wrapping claude)
|
# Entrypoint used by the webui service (ttyd wrapping claude)
|
||||||
COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh
|
COPY --chmod=755 webui-entrypoint.sh /usr/local/bin/webui-entrypoint.sh
|
||||||
|
|
||||||
|
# System-level Claude Code policy — owned by root, not writable by the node user.
|
||||||
|
# Restricts available models; cannot be bypassed via CLI flags or env vars.
|
||||||
|
COPY managed-settings.json /etc/claude-code/managed-settings.json
|
||||||
|
|
||||||
# Install Claude Code globally
|
# Install Claude Code globally
|
||||||
RUN npm install -g @anthropic-ai/claude-code
|
RUN npm install -g @anthropic-ai/claude-code
|
||||||
|
|
||||||
|
|
|
||||||
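Review bot: the added `COPY managed-settings.json /etc/claude-code/managed-settings.json` sets no explicit mode, so the "not writable by the node user" guarantee in the comment above it depends on whatever permission bits the file has in the build context. COPY creates the file as root by default, but a source file checked out or edited with a group- or world-writable mode would carry that mode into the image. The entrypoint line just above already pins its mode with `--chmod=755`; doing the same here, for example `COPY --chown=root:root --chmod=644 managed-settings.json /etc/claude-code/managed-settings.json`, makes the policy file's ownership and mode part of the Dockerfile rather than an accident of the checkout. A short build-time check that the file is not writable when run as the node user would also catch a regression.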
3
claude/managed-settings.json
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
{
|
||||||
|
"availableModels": ["sonnet", "opus", "haiku"]
|
||||||
|
}
|
||||||
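Review bot: the three `availableModels` entries are family names ("sonnet", "opus", "haiku") rather than full model identifiers, so this file bounds the model family but says nothing about which version each name resolves to. If the policy is meant to fix specific versions, the list needs to name them; if floating versions are intended, that is worth stating in the commit message or a README next to the file, since JSON cannot carry a comment. The commit message also claims the restriction holds against the --model flag, the /model command and ANTHROPIC_MODEL, but nothing in this change exercises that; a smoke test that runs in the built image as the node user with a model outside the list and expects a rejection would turn the claim into something CI verifies.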