diff --git a/.dockerignore b/.dockerignore
index ba76e9d..fc75c26 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 .env
+.npmrc
 *.log
 .git
 README.md
diff --git a/claude.sh b/claude.sh
old mode 100644
new mode 100755
diff --git a/claude/Dockerfile b/claude/Dockerfile
index fdcccec..9626ff5 100644
--- a/claude/Dockerfile
+++ b/claude/Dockerfile
@@ -62,6 +62,15 @@ RUN for pkg_dir in \
       || true; \
   done
 
+# Remove any npm auth credentials written during install.
+# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment
+# and persists them in .npmrc files — scrub all of them before the image is finalised.
+RUN find /root /home /usr/local/etc -name ".npmrc" -o -name "npmrc" \
+      | xargs grep -l "_authToken\|_auth\b" 2>/dev/null \
+      | xargs rm -f 2>/dev/null || true \
+  && npm config delete //npm.pkg.github.com/:_authToken 2>/dev/null || true \
+  && npm config delete //registry.npmjs.org/:_authToken 2>/dev/null || true
+
 # Workspace and Claude config dir — owned by the built-in node user (uid 1000).
 # Pre-creating ~/.claude ensures the named volume is initialised with the
 # correct ownership when first mounted (Docker copies image content into
diff --git a/hooks/pre-commit b/hooks/pre-commit
old mode 100644
new mode 100755
diff --git a/launch.sh b/launch.sh
old mode 100644
new mode 100755
diff --git a/setup.sh b/setup.sh
old mode 100644
new mode 100755