Remove all four MCP server packages from the Dockerfile along with their
associated env vars (docker-compose.yml, .env.example) and egress allowlist
entries (squid.conf).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Run from the project directory you want to work on; claude.sh mounts
it automatically. Removes WORKSPACE_DIR env var support and the
named claude-secure-workspace Docker volume.
Install four MCP servers globally in the claude image:
@modelcontextprotocol/server-github → mcp-server-github
@yoda.digital/gitlab-mcp-server → gitlab-mcp-server
@aashari/mcp-server-atlassian-jira → mcp-atlassian-jira
@aashari/mcp-server-atlassian-confluence → mcp-atlassian-confluence
Wire them in managed-settings.json via mcpServers with env var
pass-through. Jira and Confluence share ATLASSIAN_* credentials.
Add api.github.com, .gitlab.com, .atlassian.net to the squid
allowlist. All credentials are optional — servers are skipped
if the relevant env vars are unset.
Make ANTHROPIC_API_KEY optional. Add CLAUDE_CODE_OAUTH_TOKEN pass-through
for headless token-based auth (claude setup-token). When neither is set,
Claude Code falls back to browser OAuth on port 54545. Add claude-config
named volume mounted at ~/.claude/ in both claude and webui services so
credentials persist across container runs. Pre-create ~/.claude/ in the
Dockerfile so the volume is initialised with correct ownership. Add
--service-ports to docker compose run calls to publish port 54545 during
CLI sessions.
Adds a webui service to docker-compose that wraps Claude Code in ttyd,
serving a browser-accessible terminal on port 7681. The webui reuses
Dockerfile.claude (ttyd added to apt deps) with a dedicated entrypoint
script that enforces WEBUI_PASSWORD before starting. Network isolation
is identical to the CLI container: claude-internal only, all egress via
the proxy allowlist. claude.sh gains web and web-stop commands.
