npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm
upgrade to patch every occurrence in node_modules in place. Also restore
and clean up the MCP server install and CVE patch blocks that were
accidentally commented out.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
settings.json is COPY-ed into the image at build time. Putting MCP server
config with credential env references there risks baking tokens into the
image if placeholders are ever replaced with real values. Move MCP server
config to ~/.claude/settings.json (runtime volume mount) instead.
Managed settings now contains policy only: models, permissions, telemetry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove all four MCP server packages from the Dockerfile along with their
associated env vars (docker-compose.yml, .env.example) and egress allowlist
entries (squid.conf).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
MCP servers bundle their own copies of vulnerable packages. After global
install, patch nested node_modules in each server directly:
- @modelcontextprotocol/sdk 1.0.1 → 1.25.2 (CVE-2025-66414, CVE-2026-0621)
- picomatch 4.0.3 → 4.0.4 (CVE-2026-33671)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
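As an added example (not code from the repository or its commits), a shell helper implementing the post-upgrade find-loop described above: it lists every nested copy of a package whose version sorts below the fixed one, so the same loop can verify after patching that no vulnerable picomatch or @modelcontextprotocol/sdk copy remains anywhere under node_modules. The sample node_modules tree is constructed for the demo, and the in-place install step assumes network access.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): find every nested copy of an npm
# package below a fixed version and optionally upgrade it in place, i.e. the
# post-upgrade find-loop the commit messages describe. The sample tree and
# its package versions are constructed for the demo.
set -eu

# Print the directory of each <pkg> copy under <root> whose package.json
# "version" sorts below <min_version> (version ordering via `sort -V`).
find_vulnerable_copies() {
  local root=$1 pkg=$2 min_version=$3 dir ver lowest
  find "$root" -type d -path "*/node_modules/$pkg" | while read -r dir; do
    [ -f "$dir/package.json" ] || continue
    ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$dir/package.json" | sed -n '1p')
    if [ -z "$ver" ] || [ "$ver" = "$min_version" ]; then continue; fi
    lowest=$(printf '%s\n%s\n' "$ver" "$min_version" | sort -V | sed -n '1p')
    if [ "$lowest" = "$ver" ]; then echo "$dir"; fi
  done
}

# Upgrade each flagged copy in place: install the fixed version into the
# package that nests it (strip the trailing /node_modules/<pkg>, which also
# handles scoped names). Needs network access, so the demo does not run it.
patch_vulnerable_copies() {
  local root=$1 pkg=$2 fixed=$3 dir parent
  find_vulnerable_copies "$root" "$pkg" "$fixed" | while read -r dir; do
    parent=${dir%/node_modules/$pkg}
    (cd "$parent" && npm install --no-save --no-audit --no-fund "$pkg@$fixed")
  done
}

# Constructed node_modules tree: a fixed top-level copy plus two nested ones
# that a plain `npm install picomatch@4.0.4` at the top would not touch.
demo_tree() {
  local root
  root=$(mktemp -d)
  mk() { mkdir -p "$1"; printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$2" "$3" > "$1/package.json"; }
  mk "$root/node_modules/picomatch" picomatch 4.0.4
  mk "$root/node_modules/npm/node_modules/picomatch" picomatch 4.0.3
  mk "$root/node_modules/legacy/node_modules/picomatch" picomatch 2.3.1
  echo "$root"
}
```

Run `find_vulnerable_copies /path/to/node_modules picomatch 4.0.4` after the upgrade step; an empty result means every copy is at or above the fixed version.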
dhi.io is unreachable on the company network, blocking apk during build.
Trivy scanning in CI provides vulnerability coverage in the meantime.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
trivy-action@v0.35.0 expects trivy pre-installed in the runner environment.
Switch to docker run aquasec/trivy:0.69.3 which uses the Docker daemon
already available in the pipeline. Pin version via TRIVY_IMAGE env var.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scan job: run Trivy before the security gate to emit a CycloneDX SBOM
for each image (exit-code 0), then run the HIGH/CRITICAL gate as before.
SBOMs are uploaded as a pipeline artifact (90-day retention) with
if: always() so they're available even when the security gate fails.
Build job: add sbom: true and provenance: true to both build-push steps
so BuildKit attaches SBOM and provenance attestations to the image
manifest in the registry.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add a scan job between check-docker and build-and-push. Builds each image
locally (no push, current platform only), runs Trivy v0.35.0 against it,
and fails on unfixed HIGH/CRITICAL CVEs. build-and-push only runs if both
scans pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Docker Desktop requires a commercial licence for business use. Replace all
references with free alternatives:
- macOS: Rancher Desktop (GUI) or Colima (CLI)
- Linux: Docker Engine CE (no Desktop needed at all)
- Windows: Rancher Desktop or WSL2 + Docker Engine
setup.sh detects the OS and shows platform-specific install instructions.
claude.sh defers to setup.sh for install hints to avoid duplication.
README documents all options including a WSL2 setup walkthrough.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The kubectl_api ACL allowed CONNECT tunnels to any host on port 6443,
bypassing the domain allowlist entirely. Remove it and require cluster
hostnames to be added explicitly to allowed_sites instead.
Also remove the localhost and .local entries — these aren't needed for
Claude Code or the configured MCP servers.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove webui from architecture, commands, and security table.
Update auth option 3 to reference ~/.claude instead of claude-config volume.
Drop stale registry path comment and web interface section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Update image references from registry.zeidler.dev/docker/playground to
registry.zeidler.dev/docker-public/playground in docker-compose.yml and build.sh.
Also bind-mount ${HOME}/.claude instead of using the claude-config named volume.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>