feat: remove MCP servers

Remove all four MCP server packages from the Dockerfile along with their
associated env vars (docker-compose.yml, .env.example) and egress allowlist
entries (squid.conf).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.example

@@ -18,17 +18,3 @@
 # Option 3: No key set — Claude Code will prompt for browser login on first run.
 # Port 54545 must be reachable from your browser for the OAuth callback.
 # Run: sbx ports <sandbox-name> --publish 54545:54545/tcp
-
-# ─── MCP servers (all optional) ───────────────────────────────────────────────
-
-# GitHub — PAT with repo scope
-# GITHUB_TOKEN=ghp_...
-
-# GitLab — PAT with api scope; GITLAB_URL defaults to https://gitlab.com
-# GITLAB_TOKEN=glpat_...
-# GITLAB_URL=https://gitlab.com
-
-# Jira + Confluence — shared Atlassian credentials
-# ATLASSIAN_SITE_NAME=your-company        # subdomain of .atlassian.net
-# ATLASSIAN_USER_EMAIL=you@example.com
-# ATLASSIAN_API_TOKEN=...                 # https://id.atlassian.com/manage-profile/security/api-tokens

claude/Dockerfile

@@ -30,28 +30,6 @@ COPY settings.json /etc/claude-code/managed-settings.json
 RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
 
 
-# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
-RUN npm install -g \
-  @modelcontextprotocol/server-github \
-  @yoda.digital/gitlab-mcp-server \
-  @aashari/mcp-server-atlassian-jira \
-  @aashari/mcp-server-atlassian-confluence
-
-# Patch transitive CVEs bundled inside MCP server node_modules:
-#   CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
-#   CVE-2026-33671               — picomatch <4.0.4
-RUN for pkg_dir in \
-      /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
-      /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
-      /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
-      /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
-    [ -d "$pkg_dir" ] && \
-      cd "$pkg_dir" && \
-      npm install --no-audit --no-fund \
-        @modelcontextprotocol/sdk@1.25.2 \
-        picomatch@4.0.4 \
-      || true; \
-  done
 
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the

docker-compose.yml

@@ -35,13 +35,6 @@ services:
       - HTTPS_PROXY=http://proxy:3128
       - ALL_PROXY=http://proxy:3128
       - NO_PROXY=localhost,127.0.0.1
-      # MCP server credentials — all optional; servers are skipped if unset
-      - GITHUB_TOKEN=${GITHUB_TOKEN:-}
-      - GITLAB_TOKEN=${GITLAB_TOKEN:-}
-      - GITLAB_URL=${GITLAB_URL:-https://gitlab.com}
-      - ATLASSIAN_SITE_NAME=${ATLASSIAN_SITE_NAME:-}
-      - ATLASSIAN_USER_EMAIL=${ATLASSIAN_USER_EMAIL:-}
-      - ATLASSIAN_API_TOKEN=${ATLASSIAN_API_TOKEN:-}
     ports:
       # OAuth callback — required for browser-based login (claude login)
       - "0.0.0.0:54545:54545"

proxy/squid.conf

@@ -29,10 +29,6 @@ acl CONNECT    method CONNECT
 acl allowed_sites dstdomain api.anthropic.com
 acl allowed_sites dstdomain statsig.anthropic.com
 acl allowed_sites dstdomain platform.claude.com
-# MCP servers
-acl allowed_sites dstdomain api.github.com
-acl allowed_sites dstdomain .gitlab.com
-acl allowed_sites dstdomain .atlassian.net
 # Kubernetes API server — add your cluster's hostname here when using --kube
 # acl allowed_sites dstdomain k8s.example.com