From a79aad9fc8dd5b0d65d07590af681d05a234e9b7 Mon Sep 17 00:00:00 2001
From: docker-claude
Date: Mon, 20 Apr 2026 16:00:37 +0200
Subject: [PATCH] fix(security): remove MCP credentials from managed-settings.json; bump Trivy to 0.70.0

settings.json is COPY-ed into the image at build time. Putting MCP server config with credential env references there risks baking tokens into the image if placeholders are ever replaced with real values. Move MCP server config to ~/.claude/settings.json (runtime volume mount) instead. Managed settings now contains policy only: models, permissions, telemetry.

Co-Authored-By: Claude Sonnet 4.6
---
 .forgejo/workflows/docker-build.yml | 2 +-
 claude/settings.json | 31 -----------------------------
 2 files changed, 1 insertion(+), 32 deletions(-)

diff --git a/.forgejo/workflows/docker-build.yml b/.forgejo/workflows/docker-build.yml
index 97b97cd..615da18 100644
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@@ -10,7 +10,7 @@ env:
 # whichever you use to reach it from your desktop/laptop
 FORGEJO_HOST: code.zeidler.dev
 HELM_EXPERIMENTAL_OCI: 1
- TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.69.3
+ TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.70.0

 jobs:
 check-docker:
diff --git a/claude/settings.json b/claude/settings.json
index 4e2033e..175bdd4 100644
--- a/claude/settings.json
+++ b/claude/settings.json
@@ -6,36 +6,5 @@
 "env": {
 "CLAUDE_CODE_ENABLE_TELEMETRY": "0"
 }
- },
- "mcpServers": {
- "github": {
- "command": "mcp-server-github",
- "env": {
- "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
- }
- },
- "gitlab": {
- "command": "gitlab-mcp-server",
- "env": {
- "GITLAB_PERSONAL_ACCESS_TOKEN": "${GITLAB_TOKEN}",
- "GITLAB_URL": "${GITLAB_URL}"
- }
- },
- "jira": {
- "command": "mcp-atlassian-jira",
- "env": {
- "ATLASSIAN_SITE_NAME": "${ATLASSIAN_SITE_NAME}",
- "ATLASSIAN_USER_EMAIL": "${ATLASSIAN_USER_EMAIL}",
- "ATLASSIAN_API_TOKEN": "${ATLASSIAN_API_TOKEN}"
- }
- },
- "confluence": {
- "command": "mcp-atlassian-confluence",
- "env": {
- "ATLASSIAN_SITE_NAME": "${ATLASSIAN_SITE_NAME}",
- "ATLASSIAN_USER_EMAIL": "${ATLASSIAN_USER_EMAIL}",
- "ATLASSIAN_API_TOKEN": "${ATLASSIAN_API_TOKEN}"
- }
- }
 }
 }