diff --git a/.env.example b/.env.example
index 01476c3..ad79c7b 100644
--- a/.env.example
+++ b/.env.example
@@ -18,3 +18,17 @@
 # Option 3: No key set — Claude Code will prompt for browser login on first run.
 # Port 54545 must be reachable from your browser for the OAuth callback.
 # Run: sbx ports --publish 54545:54545/tcp
+
+# ─── MCP servers (all optional) ───────────────────────────────────────────────
+
+# GitHub — PAT with repo scope
+# GITHUB_TOKEN=ghp_...
+
+# GitLab — PAT with api scope; GITLAB_URL defaults to https://gitlab.com
+# GITLAB_TOKEN=glpat_...
+# GITLAB_URL=https://gitlab.com
+
+# Jira + Confluence — shared Atlassian credentials
+# ATLASSIAN_SITE_NAME=your-company # subdomain of .atlassian.net
+# ATLASSIAN_USER_EMAIL=you@example.com
+# ATLASSIAN_API_TOKEN=... # https://id.atlassian.com/manage-profile/security/api-tokens
diff --git a/claude/Dockerfile b/claude/Dockerfile
index a780724..07a3560 100644
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
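Review bot: The GitHub line recommends a classic PAT with the `repo` scope, which grants read/write on every repository the account can reach, far more than a single sandbox usually needs; the example should steer toward the narrowest grant, e.g. `# GitHub — PAT; prefer a fine-grained token limited to the repositories the agent needs, read-only where possible`. The same applies to the GitLab line, where `api` is the broadest token scope and `read_api` suffices for read-only use. Since these values end up in a real `.env` next to this file, a one-line reminder that `.env` must stay untracked and unreadable to other users would fit here too, though whether `.gitignore` already covers it isn't visible in this diff.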
@@ -30,6 +30,28 @@ COPY settings.json /etc/claude-code/managed-settings.json
 RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
+# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
+RUN npm install -g \
+ @modelcontextprotocol/server-github \
+ @yoda.digital/gitlab-mcp-server \
+ @aashari/mcp-server-atlassian-jira \
+ @aashari/mcp-server-atlassian-confluence
+
+# Patch transitive CVEs bundled inside MCP server node_modules:
+# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
+# CVE-2026-33671 — picomatch <4.0.4
+RUN for pkg_dir in \
+ /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
+ /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
+ /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
+ /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
+ [ -d "$pkg_dir" ] && \
+ cd "$pkg_dir" && \
+ npm install --no-audit --no-fund \
+ @modelcontextprotocol/sdk@1.25.2 \
+ picomatch@4.0.4 \
+ || true; \
+ done
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the
diff --git a/docker-compose.yml b/docker-compose.yml
index ebb9fcf..4148250 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,6 +35,13 @@ services:
 - HTTPS_PROXY=http://proxy:3128
 - ALL_PROXY=http://proxy:3128
 - NO_PROXY=localhost,127.0.0.1
+ # MCP server credentials — all optional; servers are skipped if unset
+ - GITHUB_TOKEN=${GITHUB_TOKEN:-}
+ - GITLAB_TOKEN=${GITLAB_TOKEN:-}
+ - GITLAB_URL=${GITLAB_URL:-https://gitlab.com}
+ - ATLASSIAN_SITE_NAME=${ATLASSIAN_SITE_NAME:-}
+ - ATLASSIAN_USER_EMAIL=${ATLASSIAN_USER_EMAIL:-}
+ - ATLASSIAN_API_TOKEN=${ATLASSIAN_API_TOKEN:-}
 ports:
 # OAuth callback — required for browser-based login (claude login)
 - "0.0.0.0:54545:54545"
diff --git a/proxy/squid.conf b/proxy/squid.conf
index fc0a07e..4deb96d 100644
--- a/proxy/squid.conf
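Review bot: The trailing `|| true` in the patch loop turns the CVE remediation into a best-effort step: if `npm install` of `@modelcontextprotocol/sdk@1.25.2` / `picomatch@4.0.4` fails inside any package directory (registry unreachable, resolution conflict), the image still builds with the vulnerable versions named in the comment above and nothing in the build output says so, and a package whose directory is missing is skipped just as silently. The loop should fail the build and name the directory, as in the fence below. The preceding `npm install -g` also pulls the four MCP server packages unpinned, so each build may fetch a different, unreviewed release and the "<1.25.2" / "<4.0.4" assumptions in the comment can drift; pin each to an exact version, e.g. `@modelcontextprotocol/server-github@<pinned-version>`. Installing the sdk at a package's root only replaces the copy resolved from that root — if a nested dependency ships its own copy it would keep the old version — so a check such as `npm ls @modelcontextprotocol/sdk picomatch` in each directory is worth adding to confirm the patched versions are the ones actually resolved.
```dockerfile
# … unchanged: RUN npm install -g of the four MCP server packages (pin exact versions) …
RUN for pkg_dir in \
      /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
      # … unchanged: remaining three package directories …
      /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
      [ -d "$pkg_dir" ] || { echo "missing $pkg_dir" >&2; exit 1; }; \
      (cd "$pkg_dir" && npm install --no-audit --no-fund \
          @modelcontextprotocol/sdk@1.25.2 picomatch@4.0.4) \
        || { echo "CVE patch failed in $pkg_dir" >&2; exit 1; }; \
    done
```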
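Review bot: The comment on the first added line of the docker-compose.yml hunk says the MCP servers are "skipped if unset", but `${GITHUB_TOKEN:-}` and the other `:-` defaults always define the variable inside the container, just as an empty string, so whatever performs the skip has to treat empty as unset; if it only checks for presence, every server starts with blank credentials. Either document that (`# MCP server credentials — all optional; servers are skipped if unset or empty`) or omit the entries when not configured. `GITLAB_URL` defaults to `https://gitlab.com`, and the `proxy/squid.conf` hunk in this commit allows only `.gitlab.com`, so a self-hosted value here would be blocked by the egress proxy unless the allowlist is extended — worth a comment next to the default. Passing tokens through `environment:` also exposes them to `docker inspect` and to every process in the container, not only the MCP servers; a `secrets:` or `env_file` based approach narrows that, though whether the servers can read a file-based secret isn't visible here.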
+++ b/proxy/squid.conf
@@ -29,6 +29,10 @@ acl CONNECT method CONNECT
 acl allowed_sites dstdomain api.anthropic.com
 acl allowed_sites dstdomain statsig.anthropic.com
 acl allowed_sites dstdomain platform.claude.com
+# MCP servers
+acl allowed_sites dstdomain api.github.com
+acl allowed_sites dstdomain .gitlab.com
+acl allowed_sites dstdomain .atlassian.net
 # Kubernetes API server — add your cluster's hostname here when using --kube
 # acl allowed_sites dstdomain k8s.example.com