From a9ff78b49449a563de402eaaf0e9d423c009f389 Mon Sep 17 00:00:00 2001
From: docker-claude
Date: Mon, 20 Apr 2026 15:32:05 +0200
Subject: [PATCH] feat: remove MCP servers Remove all four MCP server packages from the Dockerfile along with their associated env vars (docker-compose.yml, .env.example) and egress allowlist entries (squid.conf).
Co-Authored-By: Claude Sonnet 4.6
---
 .env.example | 14 --------------
 claude/Dockerfile | 22 ----------------------
 docker-compose.yml | 7 -------
 proxy/squid.conf | 4 ----
 4 files changed, 47 deletions(-)
diff --git a/.env.example b/.env.example
index ad79c7b..01476c3 100644
--- a/.env.example
+++ b/.env.example
@@ -18,17 +18,3 @@
 # Option 3: No key set — Claude Code will prompt for browser login on first run.
 # Port 54545 must be reachable from your browser for the OAuth callback.
 # Run: sbx ports --publish 54545:54545/tcp
-
-# ─── MCP servers (all optional) ───────────────────────────────────────────────
-
-# GitHub — PAT with repo scope
-# GITHUB_TOKEN=ghp_...
-
-# GitLab — PAT with api scope; GITLAB_URL defaults to https://gitlab.com
-# GITLAB_TOKEN=glpat_...
-# GITLAB_URL=https://gitlab.com
-
-# Jira + Confluence — shared Atlassian credentials
-# ATLASSIAN_SITE_NAME=your-company # subdomain of .atlassian.net
-# ATLASSIAN_USER_EMAIL=you@example.com
-# ATLASSIAN_API_TOKEN=... # https://id.atlassian.com/manage-profile/security/api-tokens
diff --git a/claude/Dockerfile b/claude/Dockerfile
index 07a3560..a780724 100644
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
@@ -30,28 +30,6 @@ COPY settings.json /etc/claude-code/managed-settings.json
 RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
-# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
-RUN npm install -g \
- @modelcontextprotocol/server-github \
- @yoda.digital/gitlab-mcp-server \
- @aashari/mcp-server-atlassian-jira \
- @aashari/mcp-server-atlassian-confluence
-
-# Patch transitive CVEs bundled inside MCP server node_modules:
-# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
-# CVE-2026-33671 — picomatch <4.0.4
-RUN for pkg_dir in \
- /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
- /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
- /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
- /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
- [ -d "$pkg_dir" ] && \
- cd "$pkg_dir" && \
- npm install --no-audit --no-fund \
- @modelcontextprotocol/sdk@1.25.2 \
- picomatch@4.0.4 \
- || true; \
- done
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the
diff --git a/docker-compose.yml b/docker-compose.yml
index 4148250..ebb9fcf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,13 +35,6 @@ services:
 - HTTPS_PROXY=http://proxy:3128
 - ALL_PROXY=http://proxy:3128
 - NO_PROXY=localhost,127.0.0.1
- # MCP server credentials — all optional; servers are skipped if unset
- - GITHUB_TOKEN=${GITHUB_TOKEN:-}
- - GITLAB_TOKEN=${GITLAB_TOKEN:-}
- - GITLAB_URL=${GITLAB_URL:-https://gitlab.com}
- - ATLASSIAN_SITE_NAME=${ATLASSIAN_SITE_NAME:-}
- - ATLASSIAN_USER_EMAIL=${ATLASSIAN_USER_EMAIL:-}
- - ATLASSIAN_API_TOKEN=${ATLASSIAN_API_TOKEN:-}
 ports:
 # OAuth callback — required for browser-based login (claude login)
 - "0.0.0.0:54545:54545"
diff --git a/proxy/squid.conf b/proxy/squid.conf
index 4deb96d..fc0a07e 100644
--- a/proxy/squid.conf
+++ b/proxy/squid.conf
@@ -29,10 +29,6 @@ acl CONNECT method CONNECT
 acl allowed_sites dstdomain api.anthropic.com
 acl allowed_sites dstdomain statsig.anthropic.com
 acl allowed_sites dstdomain platform.claude.com
-# MCP servers
-acl allowed_sites dstdomain api.github.com
-acl allowed_sites dstdomain .gitlab.com
-acl allowed_sites dstdomain .atlassian.net
 # Kubernetes API server — add your cluster's hostname here when using --kube
 # acl allowed_sites dstdomain k8s.example.com