diff --git a/CLAUDE.md b/CLAUDE.md index 3d15507..3e394b2 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -10,7 +10,7 @@ This file provides context and guidance for working with this project. Two containers managed by Docker Compose: -- **`claude`** — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), isolated to an internal-only Docker network +- **`claude`** — Claude Code CLI (`node:24-alpine`), runs as the built-in `node` user (UID 1000), isolated to an internal-only Docker network - **`proxy`** — Squid forward proxy (`alpine:3.21`), `squid` user, bridges the internal network to the internet with an egress allowlist Key Docker network property: `claude-internal` has `internal: true`, meaning Docker adds no default gateway. The `claude` container physically cannot reach the internet without going through the `proxy` container. @@ -31,7 +31,7 @@ docker-claude/ ├── build.sh # Build images locally (development) ├── docker-compose.yml # Service definitions and network topology ├── claude/ -│ └── Dockerfile # Claude Code stable release (node:20-alpine, UID 1000) +│ └── Dockerfile # Claude Code stable release (node:24-alpine, UID 1000) ├── proxy/ │ ├── Dockerfile # Squid proxy sidecar (alpine:3.21, squid user) │ └── squid.conf # Squid ACL config — egress allowlist lives here @@ -63,7 +63,7 @@ git config core.hooksPath hooks ## Coding Standards - Shell scripts use `set -euo pipefail` -- Dockerfiles use Alpine (`node:20-alpine`, `alpine:3.21`) for minimal attack surface +- Dockerfiles use Alpine (`node:24-alpine`, `alpine:3.21`) for minimal attack surface - Alpine packages use `apk add --no-cache`; no apt cache cleanup layer needed - No capabilities granted; `no-new-privileges` on all containers - `.env` is never committed (enforced by `.gitignore` and `.dockerignore`) diff --git a/README.md b/README.md index 7eaef5d..af10e9d 100644 --- a/README.md +++ b/README.md 
@@ -68,7 +68,7 @@ Setup will ask how you want to authenticate (API key, subscription token, or bro └──────────────────────────────────────────────────────────┘ ``` -- **`claude`** — Claude Code CLI (`node:20-alpine`), runs as the built-in `node` user (UID 1000), on `claude-internal` only +- **`claude`** — Claude Code CLI (`node:24-alpine`), runs as the built-in `node` user (UID 1000), on `claude-internal` only - **`proxy`** — Squid forward proxy (`alpine:3.21`), bridges `claude-internal` ↔ internet with egress allowlist - **`claude-internal`** — `internal: true`; no default gateway, containers cannot reach the internet directly - **`proxy-external`** — Standard bridge; proxy sidecar only
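Review bot: In the CLAUDE.md "Coding Standards" hunk (`@@ -63,7 +63,7 @@`), the new `node:24-alpine` tag leaves the Alpine release floating, while the proxy image on the same line is pinned to `alpine:3.21`. Since that bullet justifies the base images by "minimal attack surface", consider documenting and using an Alpine-versioned Node tag or an image digest. That keeps a rebuild from silently picking up a different Alpine release, and gives both containers the same pinning policy.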
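Review bot: The first CLAUDE.md hunk (`@@ -10,7 +10,7 @@`) and the README.md hunk (`@@ -68,7 +68,7 @@`) both carry over the claim "runs as the built-in `node` user (UID 1000)" for the new base image without any visible check. The non-root guarantee depends on that user existing with that UID in `node:24-alpine`, so please confirm it against the rebuilt image (for example by running `id` inside the `claude` container) and say so in the PR description.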
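Review bot: The directory-tree hunk in CLAUDE.md (`@@ -31,7 +31,7 @@`) updates the comment on `claude/Dockerfile` to `node:24-alpine`, but no change to `claude/Dockerfile` itself appears in the visible part of this diff. Please make sure the `FROM` line is changed in the same commit so the docs and the built image agree. The tag is also now repeated in four documentation lines across CLAUDE.md and README.md. A check in `build.sh` or the git hooks that compares the documented tag with the Dockerfile would catch drift on the next bump.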