
feat: Claude Configuration Injection for Docker Sandboxes#243

Closed
mg-dev25 wants to merge 1 commit into superagent-ai:main from Mgdev-25:feat/claude-injection

Conversation


@mg-dev25 mg-dev25 commented Oct 1, 2025

Claude Configuration Injection for Docker Sandboxes

Summary

Enables Claude Code to work with full functionality inside Docker containers by automatically injecting user-level configuration files, custom tools, and MCP server environment variables from the host system.

What This PR Adds

1. User-Level Configuration Injection

  • Injects ~/.claude/CLAUDE.md → /home/vibekit/.claude/CLAUDE.md
  • Injects ~/.claude/{agents,commands,scripts}/* → /home/vibekit/.claude/*/
  • Injects ./.claude/{agents,commands,scripts}/* → /workspace/.claude/*/

Why: User's personal coding standards and custom workflow tools now work inside containers

2. MCP Environment Variable Injection

  • Scans .mcp.json for ${ENV_VAR} patterns
  • Extracts referenced variables (e.g., BRAVE_API_KEY, ANTHROPIC_API_KEY)
  • Injects only those variables into container

Security: Only explicitly referenced env vars are passed—no blind credential exposure

3. Project MCP Server Support

  • New extractProjectMcpServers() function extracts MCP servers from project .mcp.json
  • Merges with host-level MCP servers (project takes precedence)

4. Auto-Executable Scripts

  • Automatically chmod +x for .sh files and scripts in /commands/, /scripts/ directories

5. Non-Root User Execution

  • Container now runs as vibekit user (not root)
  • Uses host UID/GID to prevent file ownership conflicts
  • All injected files and workspace owned by correct user

Why: Prevents permission issues when editing files created inside container

Technical Implementation

Method: Base64-encoded injection script mounted into container

  • Avoids Docker's E2BIG limit (~128KB) for large config files
  • Prevents shell injection from special characters
  • Read-only mount (:ro) for security

Graceful Degradation: Silently skips injection if config files don't exist—no errors, no crashes

Files Changed

  • packages/cli/src/sandbox/docker-sandbox.js (+190 lines)

    • injectClaudeFiles() - File injection logic
    • injectEnvironmentVariables() - MCP env var extraction
    • extractEnvVarsFromMcpConfig() - Recursive env var pattern matching
    • createFileInjectionScript() - Base64-encoded script generation
  • packages/cli/src/auth/claude-auth-helper.js (+53 lines)

    • extractProjectMcpServers() - Project-level MCP server extraction
    • Updated generateClaudeSettings() - Merge host + project MCP servers
    • Sanitized MCP server logging (security)
  • packages/cli/Dockerfile (+23/-4 lines)

    • Added non-root user creation with host UID/GID mapping
    • Updated all paths from /root/ to /home/vibekit/
    • Added Node.js for MCP server support
    • Created /home/vibekit/.claude directory

Commits

  1. 921a975 - feat(docker): add Claude configuration and credential injection support
  2. 3101ed2 - fix(auth): sanitize MCP server logging to avoid exposing configuration details
  3. 38c0a39 - fix(docker): automatically set executable permissions for injected scripts

Testing

  • ✅ File injection with large CLAUDE.md (>100KB)
  • ✅ MCP server environment variable extraction from .mcp.json
  • ✅ Executable permissions for scripts in .claude/commands/ and .claude/scripts/
  • ✅ Graceful handling when config files don't exist
  • ✅ Special characters in configuration (quotes, newlines, JSON)
  • ✅ Non-root user execution (no permission errors)
  • ✅ File ownership matches host UID/GID

Before This PR

Claude Code works in containers but:

  • No user-level CLAUDE.md (loses personal coding preferences)
  • No custom tools from .claude/{agents,commands,scripts}
  • MCP servers fail (missing API keys/credentials)
  • Files created as root (permission conflicts on host)

After This PR

  • ✅ User configuration automatically available
  • ✅ Custom tools work immediately
  • ✅ MCP servers functional (Brave Search, context7, etc.)
  • ✅ Zero setup required
  • ✅ Correct file ownership (no permission issues)

Security Notes

  • Only env vars explicitly referenced in .mcp.json are injected
  • Injection script mounted read-only (:ro)
  • Temporary files cleaned up after container starts
  • No credentials in container images or logs
  • Non-root execution follows security best practices
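The "scan .mcp.json for ${ENV_VAR} patterns, inject only those" step described above, as an added example that is not the PR's own code: the function names, the sample .mcp.json and the sample host environment are all constructed here.

```javascript
// Added example, not the PR's implementation. Recursively collects ${ENV_VAR}
// references from a parsed .mcp.json object and builds an allow-listed env
// subset for the container. Function names are assumed, not the PR's.

// Matches ${NAME} where NAME is a conventional environment variable identifier.
const ENV_REF = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Walks strings, arrays and nested objects; every other value type is ignored.
function extractEnvVarsFromMcpConfig(node, found = new Set()) {
  if (typeof node === 'string') {
    for (const m of node.matchAll(ENV_REF)) found.add(m[1]);
  } else if (Array.isArray(node)) {
    for (const item of node) extractEnvVarsFromMcpConfig(item, found);
  } else if (node && typeof node === 'object') {
    for (const value of Object.values(node)) extractEnvVarsFromMcpConfig(value, found);
  }
  return found;
}

// Copies only the referenced variables from the host environment. Anything
// else on the host stays out of the container; referenced-but-unset names are
// reported so the MCP server failure is visible instead of silent.
function selectInjectedEnv(mcpConfig, hostEnv) {
  const names = [...extractEnvVarsFromMcpConfig(mcpConfig)].sort();
  const env = {};
  const missing = [];
  for (const name of names) {
    if (hostEnv[name] !== undefined) env[name] = hostEnv[name];
    else missing.push(name);
  }
  return { env, missing };
}

// Constructed sample .mcp.json contents: one server references two variables.
const SAMPLE_MCP = {
  mcpServers: {
    'brave-search': {
      command: 'npx',
      args: ['-y', 'constructed-brave-search-server'],
      env: { BRAVE_API_KEY: '${BRAVE_API_KEY}', EXTRA: 'x-${ANTHROPIC_API_KEY}' },
    },
    context7: { command: 'npx', args: ['-y', 'constructed-context7-server'] },
  },
};

// Constructed host environment: one referenced value present, one unrelated
// secret that must not be injected, and ANTHROPIC_API_KEY deliberately unset.
const SAMPLE_HOST_ENV = {
  BRAVE_API_KEY: 'constructed-key',
  AWS_SECRET_ACCESS_KEY: 'must-not-leak',
};
```

Calling `selectInjectedEnv(SAMPLE_MCP, SAMPLE_HOST_ENV)` yields `env` containing only `BRAVE_API_KEY` and `missing` equal to `['ANTHROPIC_API_KEY']`.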


vercel bot commented Oct 1, 2025

@mg-dev25 is attempting to deploy a commit to the Superagent Team on Vercel.

A member of the Team first needs to authorize it.

@mg-dev25 mg-dev25 marked this pull request as draft October 1, 2025 08:48
…upport

- Add Claude configuration and credential injection from host to container
- Implement non-root user execution with host UID/GID mapping
- Sanitize MCP server logging to avoid exposing configuration details
- Auto-set executable permissions for injected scripts
- Update all container paths from /root to /home/vibekit
@mg-dev25 mg-dev25 force-pushed the feat/claude-injection branch from 6dd70cc to 321cce6 Compare December 7, 2025 07:16
@mg-dev25 mg-dev25 closed this Feb 12, 2026