npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm
upgrade to patch every occurrence in node_modules in place. Also restore
and clean up the MCP server install and CVE patch blocks that were
accidentally commented out.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

settings.json is COPY-ed into the image at build time. Putting MCP server
config with credential env references there risks baking tokens into the
image if placeholders are ever replaced with real values. Move MCP server
config to ~/.claude/settings.json (runtime volume mount) instead.
Managed settings now contains policy only: models, permissions, telemetry.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove all four MCP server packages from the Dockerfile along with their
associated env vars (docker-compose.yml, .env.example) and egress allowlist
entries (squid.conf).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

MCP servers bundle their own copies of vulnerable packages. After global
install, patch nested node_modules in each server directly:
- @modelcontextprotocol/sdk 1.0.1 → 1.25.2 (CVE-2025-66414, CVE-2026-0621)
- picomatch 4.0.3 → 4.0.4 (CVE-2026-33671)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
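The find-loop commit and the nested node_modules commit above both patch bundled copies in place. As an added example (not code from this repository), the script below audits a tree after patching and lists every copy still below the fixed version. The function names and the sample directory layout are assumptions; the version floors are the ones stated in the commit messages.

```shell
#!/bin/sh
# Added example: audit a node_modules tree for nested copies of a package
# that are still below the fixed version. Assumes npm-style pretty-printed
# package.json files with "version" on its own line.

# version_lt A B: true when A < B, comparing major.minor.patch numerically
# (pre-release and build suffixes are ignored).
version_lt() (
    IFS=.
    set -- ${1%%[-+]*} ${2%%[-+]*}
    [ "$1" -lt "$4" ] && exit 0; [ "$1" -gt "$4" ] && exit 1
    [ "$2" -lt "$5" ] && exit 0; [ "$2" -gt "$5" ] && exit 1
    [ "$3" -lt "$6" ]
)

# find_stale_copies ROOT PACKAGE FIXED_VERSION
# Prints "<version><TAB><directory>" for every copy below FIXED_VERSION.
# A manifest whose version cannot be read is reported as "unknown".
find_stale_copies() {
    find "$1" -type f -path "*/node_modules/$2/package.json" 2>/dev/null |
    while IFS= read -r manifest; do
        ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
            "$manifest" | head -n 1)
        if [ -z "$ver" ] || version_lt "$ver" "$3"; then
            printf '%s\t%s\n' "${ver:-unknown}" "${manifest%/package.json}"
        fi
    done
}

# make_pkg DIR NAME VERSION: write a constructed manifest for the demo tree.
make_pkg() {
    mkdir -p "$1"
    printf '{\n  "name": "%s",\n  "version": "%s"\n}\n' "$2" "$3" > "$1/package.json"
}

# Constructed sample tree (paths are illustrative, not taken from the image).
demo=$(mktemp -d)
srv="$demo/lib/node_modules/@modelcontextprotocol/server-github/node_modules"
make_pkg "$demo/lib/node_modules/npm/node_modules/picomatch" picomatch 4.0.3
make_pkg "$srv/picomatch" picomatch 4.0.4
make_pkg "$srv/@modelcontextprotocol/sdk" @modelcontextprotocol/sdk 1.0.1

find_stale_copies "$demo" picomatch 4.0.4
find_stale_copies "$demo" @modelcontextprotocol/sdk 1.25.2
rm -rf "$demo"
```

Empty output from `find_stale_copies` means no copy below the floor was found under that root, so a build step can fail on any non-empty result.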
dhi.io is unreachable on the company network, blocking apk during build.
Trivy scanning in CI provides vulnerability coverage in the meantime.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Install four MCP servers globally in the claude image:
@modelcontextprotocol/server-github → mcp-server-github
@yoda.digital/gitlab-mcp-server → gitlab-mcp-server
@aashari/mcp-server-atlassian-jira → mcp-atlassian-jira
@aashari/mcp-server-atlassian-confluence → mcp-atlassian-confluence
Wire them in managed-settings.json via mcpServers with env var
pass-through. Jira and Confluence share ATLASSIAN_* credentials.
Add api.github.com, .gitlab.com, .atlassian.net to the squid
allowlist. All credentials are optional — servers are skipped
if the relevant env vars are unset.

Add permissions.allow to managed-settings.json for Bash(*), Edit(*),
and Write(*). Claude Code will not prompt for confirmation on shell
commands or file writes inside the container.

Add /etc/claude-code/managed-settings.json with availableModels set to
the three Anthropic model families. The file is root-owned inside the
container so the node user cannot modify it. Managed settings cannot be
bypassed via --model flag, /model command, or ANTHROPIC_MODEL env var.

Drop the addgroup/adduser layer entirely. node:20-alpine already ships
a node user at uid/gid 1000. Update chown and USER directives, and
update the claude-config volume mount path to /home/node/.claude.

Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through
for headless token-based auth (claude setup-token). When neither is set,
Claude Code falls back to browser OAuth on port 54545. Add claude-config
named volume mounted at ~/.claude/ in both claude and webui services so
credentials persist across container runs. Pre-create ~/.claude/ in the
Dockerfile so the volume is initialised with correct ownership. Add
--service-ports to docker compose run calls to publish port 54545 during
CLI sessions.

Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21.
Switch package management from apt to apk (--no-cache, no cleanup layer).
Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use
squid user (Alpine convention) and /var/cache/squid cache path.
Fix proxy/Dockerfile COPY path now that context is proxy/. Move
webui-entrypoint.sh into claude/ to match its build context. Fix
docker-compose.yml webui context to claude/, update proxy tmpfs path.