Fix Claude Code hanging in hardened container

Claude Code writes to ~/.claude.json, ~/.cache/, and ~/.npm/ which
failed silently on the read-only root filesystem. Add tmpfs at
/home/storkit so the home dir is writable (the claude-state volume
overlays on top for persistent .claude/ data).

Also fix .dockerignore: use **/target/ to match nested target dirs,
add .storkit/logs/ and **/node_modules/ to prevent multi-GB build
context transfers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,11 @@
+# Docker build context exclusions
+**/target/
+**/node_modules/
+frontend/dist/
+.storkit/worktrees/
+.storkit/logs/
+.storkit/work/6_archived/
+.git/
+*.swp
+*.swo
+.DS_Store

docker/.dockerignore

@@ -1,8 +1,9 @@
 # Docker build context exclusions
-target/
+**/target/
-frontend/node_modules/
+**/node_modules/
 frontend/dist/
 .storkit/worktrees/
+.storkit/logs/
 .storkit/work/6_archived/
 .git/
 *.swp

docker/docker-compose.yml

@@ -72,11 +72,15 @@ services:
     read_only: true
     tmpfs:
       - /tmp:size=512M
-      - /home/storkit/.npm:size=256M
+      - /home/storkit:size=512M
 
     # Drop all Linux capabilities, then add back only what's needed.
+    # SETUID/SETGID needed by Claude Code's PTY allocation (openpty).
     cap_drop:
       - ALL
+    cap_add:
+      - SETUID
+      - SETGID
 
     # Prevent child processes from gaining new privileges via setuid,
     # setgid, or other mechanisms.