fe0f560b58
Run as non-root user (fixes Claude Code refusing bypassPermissions as root, which caused all agent spawns to exit instantly with no session). Add read-only root filesystem, drop all capabilities, set no-new-privileges, bind port to localhost only, and require GIT_USER_NAME/GIT_USER_EMAIL env vars at startup. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
25 lines
984 B
Bash
Executable File
25 lines
984 B
Bash
Executable File
#!/bin/sh
|
|
set -e
|
|
|
|
# ── Git identity ─────────────────────────────────────────────────────
|
|
# Agents commit code inside the container. Without a git identity,
|
|
# commits fail or use garbage defaults. Fail loudly at startup so the
|
|
# operator knows immediately.
|
|
if [ -z "$GIT_USER_NAME" ]; then
|
|
echo "FATAL: GIT_USER_NAME is not set. Export it in your environment or docker-compose.yml." >&2
|
|
exit 1
|
|
fi
|
|
if [ -z "$GIT_USER_EMAIL" ]; then
|
|
echo "FATAL: GIT_USER_EMAIL is not set. Export it in your environment or docker-compose.yml." >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Use GIT_AUTHOR/COMMITTER env vars instead of git config --global,
|
|
# so the root filesystem can stay read-only (no ~/.gitconfig write).
|
|
export GIT_AUTHOR_NAME="$GIT_USER_NAME"
|
|
export GIT_COMMITTER_NAME="$GIT_USER_NAME"
|
|
export GIT_AUTHOR_EMAIL="$GIT_USER_EMAIL"
|
|
export GIT_COMMITTER_EMAIL="$GIT_USER_EMAIL"
|
|
|
|
exec "$@"
|