feat(security): block user home dirs and SSH/PGP key directories from workspace mount

claude.sh

@@ -44,7 +44,7 @@ load_env() {
 
 # ─── Workspace volume resolution ──────────────────────────────────────────────
 # Mounts the current working directory as /workspace inside the container.
-# Refuses to mount the home directory or system directories.
+# Refuses to mount home directories, key material, or system directories.
 workspace_flag() {
     local cwd
     cwd="$(pwd)"
@@ -57,12 +57,19 @@ workspace_flag() {
         /home
     )
 
-    # Prefix blocklist — these and any subdirectory are system internals
+    # Prefix blocklist — block these paths and all subdirectories.
+    # Covers system internals and credential/key material.
     local -a prefix_blocked=(
         /bin /sbin /lib /lib64
         /etc /usr /var
         /proc /sys /dev
         /boot /run
+        # SSH keys
+        "$HOME/.ssh"
+        /root/.ssh
+        # PGP/GPG keys
+        "$HOME/.gnupg"
+        /root/.gnupg
     )
 
     for dir in "${exact_blocked[@]}"; do
@@ -73,9 +80,16 @@ workspace_flag() {
         fi
     done
 
+    # Block any user home directory directly under /home (e.g. /home/alice)
+    if [[ "$cwd" =~ ^/home/[^/]+$ ]]; then
+        error "Refusing to mount $cwd as workspace — user home directory."
+        error "cd into a project subdirectory first."
+        exit 1
+    fi
+
     for dir in "${prefix_blocked[@]}"; do
         if [[ "$cwd" == "$dir" || "$cwd" == "$dir/"* ]]; then
-            error "Refusing to mount $cwd as workspace — system directory."
+            error "Refusing to mount $cwd as workspace — contains sensitive data."
             error "cd into a project subdirectory first."
             exit 1
         fi