
@mg-dev25 mg-dev25 commented Oct 1, 2025

Claude Configuration Injection for Docker Sandboxes

Summary

Enables Claude Code to work with full functionality inside Docker containers by automatically injecting user-level configuration files, custom tools, and MCP server environment variables from the host system.

What This PR Adds

1. User-Level Configuration Injection

  • Injects ~/.claude/CLAUDE.md → /home/vibekit/.claude/CLAUDE.md
  • Injects ~/.claude/{agents,commands,scripts}/* → /home/vibekit/.claude/*/
  • Injects ./.claude/{agents,commands,scripts}/* → /workspace/.claude/*/

Why: User's personal coding standards and custom workflow tools now work inside containers

2. MCP Environment Variable Injection

  • Scans .mcp.json for ${ENV_VAR} patterns
  • Extracts referenced variables (e.g., BRAVE_API_KEY, ANTHROPIC_API_KEY)
  • Injects only those variables into container

Security: Only explicitly referenced env vars are passed—no blind credential exposure

3. Project MCP Server Support

  • New extractProjectMcpServers() function extracts MCP servers from project .mcp.json
  • Merges with host-level MCP servers (project takes precedence)

4. Auto-Executable Scripts

  • Automatically chmod +x for .sh files and scripts in /commands/, /scripts/ directories

5. Non-Root User Execution

  • Container now runs as vibekit user (not root)
  • Uses host UID/GID to prevent file ownership conflicts
  • All injected files and workspace owned by correct user

Why: Prevents permission issues when editing files created inside container

Technical Implementation

Method: Base64-encoded injection script mounted into container

  • Avoids Docker's E2BIG limit (~128KB) for large config files
  • Prevents shell injection from special characters
  • Read-only mount (:ro) for security

Graceful Degradation: Silently skips injection if config files don't exist—no errors, no crashes

Files Changed

  • packages/cli/src/sandbox/docker-sandbox.js (+190 lines)

    • injectClaudeFiles() - File injection logic
    • injectEnvironmentVariables() - MCP env var extraction
    • extractEnvVarsFromMcpConfig() - Recursive env var pattern matching
    • createFileInjectionScript() - Base64-encoded script generation
  • packages/cli/src/auth/claude-auth-helper.js (+53 lines)

    • extractProjectMcpServers() - Project-level MCP server extraction
    • Updated generateClaudeSettings() - Merge host + project MCP servers
    • Sanitized MCP server logging (security)
  • packages/cli/Dockerfile (+23/-4 lines)

    • Added non-root user creation with host UID/GID mapping
    • Updated all paths from /root/ to /home/vibekit/
    • Added Node.js for MCP server support
    • Created /home/vibekit/.claude directory

Commits

  1. 921a975 - feat(docker): add Claude configuration and credential injection support
  2. 3101ed2 - fix(auth): sanitize MCP server logging to avoid exposing configuration details
  3. 38c0a39 - fix(docker): automatically set executable permissions for injected scripts

Testing

  • ✅ File injection with large CLAUDE.md (>100KB)
  • ✅ MCP server environment variable extraction from .mcp.json
  • ✅ Executable permissions for scripts in .claude/commands/ and .claude/scripts/
  • ✅ Graceful handling when config files don't exist
  • ✅ Special characters in configuration (quotes, newlines, JSON)
  • ✅ Non-root user execution (no permission errors)
  • ✅ File ownership matches host UID/GID

Before This PR

Claude Code works in containers but:

  • No user-level CLAUDE.md (loses personal coding preferences)
  • No custom tools from .claude/{agents,commands,scripts}
  • MCP servers fail (missing API keys/credentials)
  • Files created as root (permission conflicts on host)

After This PR

  • ✅ User configuration automatically available
  • ✅ Custom tools work immediately
  • ✅ MCP servers functional (Brave Search, context7, etc.)
  • ✅ Zero setup required
  • ✅ Correct file ownership (no permission issues)

Security Notes

  • Only env vars explicitly referenced in .mcp.json are injected
  • Injection script mounted read-only (:ro)
  • Temporary files cleaned up after container starts
  • No credentials in container images or logs
  • Non-root execution follows security best practices
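
The env var selection described in this PR (scan .mcp.json for ${ENV_VAR} references and forward only those), sketched as an added example that is not the PR's code. The function names, the optional operator allowlist and the sample data are assumptions made for illustration.

```javascript
// Added example, not code from the PR. All function names are hypothetical.
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Walk a parsed .mcp.json value and collect every ${NAME} reference,
// wherever it appears (command, args, env values, nested objects).
function collectEnvRefs(node, found = new Set()) {
  if (typeof node === 'string') {
    for (const m of node.matchAll(ENV_REF)) found.add(m[1]);
  } else if (Array.isArray(node)) {
    for (const v of node) collectEnvRefs(v, found);
  } else if (node !== null && typeof node === 'object') {
    for (const v of Object.values(node)) collectEnvRefs(v, found);
  }
  return found;
}

// Decide what to forward. `allowlist` (a Set, or null to skip the check) is an
// assumed operator-side control so the project file alone cannot widen the set.
function planEnvInjection(mcpJsonText, hostEnv, allowlist = null) {
  const plan = { dockerArgs: [], missing: [], denied: [] };
  for (const name of [...collectEnvRefs(JSON.parse(mcpJsonText))].sort()) {
    if (allowlist && !allowlist.has(name)) { plan.denied.push(name); continue; }
    if (!Object.prototype.hasOwnProperty.call(hostEnv, name)) { plan.missing.push(name); continue; }
    // "-e NAME" without "=value" makes docker read the value from its own
    // environment, so the secret never appears in the argument list.
    plan.dockerArgs.push('-e', name);
  }
  return plan;
}

// Constructed sample input (server names, package name and values are made up).
const SAMPLE_MCP_JSON = JSON.stringify({
  mcpServers: {
    'brave-search': {
      command: 'npx',
      args: ['-y', 'example-brave-mcp'],
      env: { BRAVE_API_KEY: '${BRAVE_API_KEY}' },
    },
    docs: { command: 'node', args: ['server.js', '--token=${DOCS_TOKEN}'], env: { DIR: '${HOME}' } },
  },
});
const SAMPLE_HOST_ENV = { BRAVE_API_KEY: 'constructed', HOME: '/home/dev', AWS_SECRET_ACCESS_KEY: 'constructed' };

console.log(planEnvInjection(SAMPLE_MCP_JSON, SAMPLE_HOST_ENV, new Set(['BRAVE_API_KEY', 'DOCS_TOKEN'])));
```

Variables listed under `denied` or `missing` are worth surfacing to the user before the container starts, since the first shows the project file asking for more than the operator allows and the second predicts an MCP server that will fail to authenticate.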

Implements comprehensive Claude integration for Docker sandboxes:
- File injection: Injects Claude config files (~/.claude, ~/.anthropic) into containers at startup
- Credential injection: Securely passes authentication tokens via environment variables
- MCP server configuration: Supports project-level MCP server setup via .mcp.json
- Base64 encoding for secure JSON content handling
- Environment variable extraction from .mcp.json for MCP servers

This enables Claude Code and other Claude-based tools to work seamlessly
within Docker sandbox environments with proper authentication and configuration.
…ripts

Add automatic chmod +x for .sh files and files in scripts/commands directories
when injecting files into Docker containers. This ensures that shell scripts
and command files are executable without manual intervention.
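
One way to build the base64 injection script and the chmod rule these commits describe, as an added example that is not the PR's code. The function names, the heredoc marker and the restriction of targets to the two .claude directories are assumptions.

```javascript
// Added example, not code from the PR. Function names, the heredoc marker and
// the target-root restriction are assumptions.
const ALLOWED_ROOTS = ['/home/vibekit/.claude/', '/workspace/.claude/'];
const MARKER = '__B64_EOF__'; // "_" is not in the base64 alphabet, so no body line can equal it

// Quote a string for POSIX sh: wrap in '...' and rewrite each ' as '\''
function shQuote(s) {
  return "'" + String(s).replace(/'/g, "'\\''") + "'";
}

// Reject targets outside the Claude config directories or containing "..".
function assertSafeTarget(target) {
  const underRoot = ALLOWED_ROOTS.some((root) => target.startsWith(root));
  if (!underRoot || target.split('/').includes('..') || /[\0\n]/.test(target)) {
    throw new Error('refusing to inject outside the Claude config directories');
  }
}

// Return the text of a /bin/sh script that recreates `files` in the container.
// File bytes only ever appear as base64, so their content is never parsed by the shell.
function buildInjectionScript(files) {
  const out = ['#!/bin/sh', 'set -eu'];
  for (const { target, content } of files) {
    assertSafeTarget(target);
    const b64 = Buffer.from(content, 'utf8').toString('base64');
    const body = b64.match(/.{1,76}/g) || [];
    const dir = target.slice(0, target.lastIndexOf('/'));
    out.push(`mkdir -p ${shQuote(dir)}`);
    // Quoted heredoc marker: the shell performs no expansion inside the body.
    out.push(`base64 -d > ${shQuote(target)} <<'${MARKER}'`, ...body, MARKER);
    if (/\.sh$/.test(target) || /\/(commands|scripts)\//.test(target)) {
      out.push(`chmod +x ${shQuote(target)}`);
    }
  }
  return out.join('\n') + '\n';
}

// Constructed sample: content and file name with quotes, "$", backticks, newlines.
const TRICKY_CONTENT = 'say "hi"; echo $HOME `date`\n{"k": "it\'s"}\n';
const SAMPLE_FILES = [
  { target: "/home/vibekit/.claude/commands/it's.sh", content: TRICKY_CONTENT },
  { target: '/workspace/.claude/agents/reviewer.md', content: '# Reviewer\n' },
];

console.log(buildInjectionScript(SAMPLE_FILES));
```

The returned text is meant to be written to a temporary file on the host and bind-mounted read-only, so file size is not bounded by argument-length limits.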

vercel bot commented Oct 1, 2025

@mg-dev25 is attempting to deploy a commit to the Superagent Team on Vercel.

A member of the Team first needs to authorize it.

@mg-dev25 mg-dev25 marked this pull request as draft October 1, 2025 08:48
Prevents file ownership conflicts when files created inside container
are accessed from host. Container now runs as 'vibekit' user instead
of root, with UID/GID matched to host user.

Changes:
- Add HOST_UID/HOST_GID build arguments (defaults: 1000/1001)
- Create vibekit user/group with host UID/GID
- Update all paths from /root/ to /home/vibekit/
- Set ownership of /workspace and /home/vibekit to vibekit user
- Switch to non-root user execution (USER vibekit)

Benefits:
- Files in /workspace have correct ownership (matches host user)
- Injected .claude/ configs owned by correct user
- No sudo required to edit files created in container
- Better security (principle of least privilege)
Updates hardcoded paths to use non-root user home directory after
switching container execution from root to vibekit user.

Changes:
- Add CONTAINER_HOME constant (/home/vibekit)
- Pass HOST_UID/HOST_GID as build arguments during image build
- Update .anthropic mount path
- Update .config/claude mount path
- Update .claude/projects mount path
- Update .claude/history.jsonl mount path
- Update injected CLAUDE.md target path
- Update injected agents/commands/scripts target paths
- Update comment in createClaudeWrapper

Ensures all file injections and mounts use correct paths for
non-root user execution.