container/entrypoint.sh

#!/bin/bash
# NOTE: set -e is intentionally omitted. A failing usermod/groupmod must not
# kill the entire entrypoint — SSH setup, git config, and the final exec
# must still run so the container is usable even if remapping fails.

# ── UID/GID remapping ──────────────────────────────────────────────────────
# Match the container's claude user to the host user's UID/GID so that
# bind-mounted files (project dir, docker socket) have correct ownership.
remap_uid_gid() {
    local target_uid="${HOST_UID}"
    local target_gid="${HOST_GID}"
    local current_uid
    local current_gid
    current_uid=$(id -u claude 2>/dev/null) || { echo "entrypoint: claude user not found"; return 1; }
    current_gid=$(id -g claude 2>/dev/null) || { echo "entrypoint: claude group not found"; return 1; }

    # ── GID remapping ──
    if [ -n "$target_gid" ] && [ "$target_gid" != "$current_gid" ]; then
        # If another group already holds the target GID, move it out of the way
        local blocking_group
        blocking_group=$(getent group "$target_gid" 2>/dev/null | cut -d: -f1)
        if [ -n "$blocking_group" ] && [ "$blocking_group" != "claude" ]; then
            echo "entrypoint: moving group '$blocking_group' from GID $target_gid to 65533"
            groupmod -g 65533 "$blocking_group" || echo "entrypoint: warning — failed to relocate group '$blocking_group'"
        fi
        groupmod -g "$target_gid" claude \
            && echo "entrypoint: claude GID -> $target_gid" \
            || echo "entrypoint: warning — groupmod -g $target_gid claude failed"
    fi

    # ── UID remapping ──
    if [ -n "$target_uid" ] && [ "$target_uid" != "$current_uid" ]; then
        # If another user already holds the target UID, move it out of the way
        local blocking_user
        blocking_user=$(getent passwd "$target_uid" 2>/dev/null | cut -d: -f1)
        if [ -n "$blocking_user" ] && [ "$blocking_user" != "claude" ]; then
            echo "entrypoint: moving user '$blocking_user' from UID $target_uid to 65533"
            usermod -u 65533 "$blocking_user" || echo "entrypoint: warning — failed to relocate user '$blocking_user'"
        fi
        usermod -u "$target_uid" claude \
            && echo "entrypoint: claude UID -> $target_uid" \
            || echo "entrypoint: warning — usermod -u $target_uid claude failed"
    fi
}

remap_uid_gid

# Fix ownership of home directory after UID/GID change
chown -R claude:claude /home/claude

# ── SSH key setup ──────────────────────────────────────────────────────────
# Host SSH dir is mounted read-only at /tmp/.host-ssh.
# Copy to /home/claude/.ssh so we can fix permissions.
if [ -d /tmp/.host-ssh ]; then
    rm -rf /home/claude/.ssh
    cp -a /tmp/.host-ssh /home/claude/.ssh
    chown -R claude:claude /home/claude/.ssh
    chmod 700 /home/claude/.ssh
    find /home/claude/.ssh -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \;
    find /home/claude/.ssh -type f -name "*.pub" -exec chmod 644 {} \;
    if [ -f /home/claude/.ssh/known_hosts ]; then
        chmod 644 /home/claude/.ssh/known_hosts
    fi
    if [ -f /home/claude/.ssh/config ]; then
        chmod 600 /home/claude/.ssh/config
    fi
fi

# Append common host keys (avoid duplicates)
su -s /bin/bash claude -c '
    mkdir -p /home/claude/.ssh
    ssh-keyscan -t ed25519,rsa github.com gitlab.com bitbucket.org >> /home/claude/.ssh/known_hosts 2>/dev/null || true
    sort -u -o /home/claude/.ssh/known_hosts /home/claude/.ssh/known_hosts
'

# ── Git credential helper (for HTTPS token) ─────────────────────────────────
if [ -n "$GIT_TOKEN" ]; then
    CRED_FILE="/home/claude/.git-credentials"
    : > "$CRED_FILE"
    chmod 600 "$CRED_FILE"
    chown claude:claude "$CRED_FILE"
    echo "https://oauth2:${GIT_TOKEN}@github.com" >> "$CRED_FILE"
    echo "https://oauth2:${GIT_TOKEN}@gitlab.com" >> "$CRED_FILE"
    echo "https://oauth2:${GIT_TOKEN}@bitbucket.org" >> "$CRED_FILE"
    su -s /bin/bash claude -c "git config --global credential.helper 'store --file=$CRED_FILE'"
    unset GIT_TOKEN
fi

# ── Git user config ──────────────────────────────────────────────────────────
if [ -n "$GIT_USER_NAME" ]; then
    su -s /bin/bash claude -c "git config --global user.name '$GIT_USER_NAME'"
fi
if [ -n "$GIT_USER_EMAIL" ]; then
    su -s /bin/bash claude -c "git config --global user.email '$GIT_USER_EMAIL'"
fi

# ── Docker socket permissions ────────────────────────────────────────────────
if [ -S /var/run/docker.sock ]; then
    DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
    if ! getent group "$DOCKER_GID" > /dev/null 2>&1; then
        groupadd -g "$DOCKER_GID" docker-host
    fi
    DOCKER_GROUP=$(getent group "$DOCKER_GID" | cut -d: -f1)
    usermod -aG "$DOCKER_GROUP" claude
fi

# ── Stay alive as claude ─────────────────────────────────────────────────────
echo "Triple-C container ready."
exec su -s /bin/bash claude -c "exec sleep infinity"
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`#!/bin/bash`
Add container registry pull, image source settings, and global AWS config Support pulling images from registry (default: repo.anhonesthost.net/cybercovellc/triple-c/triple-c-sandbox:latest), local builds, or custom images via a new settings UI. Add global AWS configuration (config path auto-detect, profile picker, region) that serves as defaults overridable per-project for Bedrock auth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 15:22:49 +00:00			`# NOTE: set -e is intentionally omitted. A failing usermod/groupmod must not`
			`# kill the entire entrypoint — SSH setup, git config, and the final exec`
			`# must still run so the container is usable even if remapping fails.`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`# ── UID/GID remapping ──────────────────────────────────────────────────────`
			`# Match the container's claude user to the host user's UID/GID so that`
			`# bind-mounted files (project dir, docker socket) have correct ownership.`
Add container registry pull, image source settings, and global AWS config Support pulling images from registry (default: repo.anhonesthost.net/cybercovellc/triple-c/triple-c-sandbox:latest), local builds, or custom images via a new settings UI. Add global AWS configuration (config path auto-detect, profile picker, region) that serves as defaults overridable per-project for Bedrock auth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 15:22:49 +00:00			`remap_uid_gid() {`
			`local target_uid="${HOST_UID}"`
			`local target_gid="${HOST_GID}"`
			`local current_uid`
			`local current_gid`
			`current_uid=$(id -u claude 2>/dev/null) \|\| { echo "entrypoint: claude user not found"; return 1; }`
			`current_gid=$(id -g claude 2>/dev/null) \|\| { echo "entrypoint: claude group not found"; return 1; }`

			`# ── GID remapping ──`
			`if [ -n "$target_gid" ] && [ "$target_gid" != "$current_gid" ]; then`
			`# If another group already holds the target GID, move it out of the way`
			`local blocking_group`
			`blocking_group=$(getent group "$target_gid" 2>/dev/null \| cut -d: -f1)`
			`if [ -n "$blocking_group" ] && [ "$blocking_group" != "claude" ]; then`
			`echo "entrypoint: moving group '$blocking_group' from GID $target_gid to 65533"`
			`groupmod -g 65533 "$blocking_group" \|\| echo "entrypoint: warning — failed to relocate group '$blocking_group'"`
			`fi`
			`groupmod -g "$target_gid" claude \`
			`&& echo "entrypoint: claude GID -> $target_gid" \`
			`\|\| echo "entrypoint: warning — groupmod -g $target_gid claude failed"`
			`fi`

			`# ── UID remapping ──`
			`if [ -n "$target_uid" ] && [ "$target_uid" != "$current_uid" ]; then`
			`# If another user already holds the target UID, move it out of the way`
			`local blocking_user`
			`blocking_user=$(getent passwd "$target_uid" 2>/dev/null \| cut -d: -f1)`
			`if [ -n "$blocking_user" ] && [ "$blocking_user" != "claude" ]; then`
			`echo "entrypoint: moving user '$blocking_user' from UID $target_uid to 65533"`
			`usermod -u 65533 "$blocking_user" \|\| echo "entrypoint: warning — failed to relocate user '$blocking_user'"`
			`fi`
			`usermod -u "$target_uid" claude \`
			`&& echo "entrypoint: claude UID -> $target_uid" \`
			`\|\| echo "entrypoint: warning — usermod -u $target_uid claude failed"`
			`fi`
			`}`

			`remap_uid_gid`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00
			`# Fix ownership of home directory after UID/GID change`
			`chown -R claude:claude /home/claude`

			`# ── SSH key setup ──────────────────────────────────────────────────────────`
			`# Host SSH dir is mounted read-only at /tmp/.host-ssh.`
			`# Copy to /home/claude/.ssh so we can fix permissions.`
			`if [ -d /tmp/.host-ssh ]; then`
			`rm -rf /home/claude/.ssh`
			`cp -a /tmp/.host-ssh /home/claude/.ssh`
			`chown -R claude:claude /home/claude/.ssh`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`chmod 700 /home/claude/.ssh`
			`find /home/claude/.ssh -type f -name "id_" ! -name ".pub" -exec chmod 600 {} \;`
			`find /home/claude/.ssh -type f -name "*.pub" -exec chmod 644 {} \;`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`if [ -f /home/claude/.ssh/known_hosts ]; then`
			`chmod 644 /home/claude/.ssh/known_hosts`
			`fi`
			`if [ -f /home/claude/.ssh/config ]; then`
			`chmod 600 /home/claude/.ssh/config`
			`fi`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`fi`

Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`# Append common host keys (avoid duplicates)`
			`su -s /bin/bash claude -c '`
			`mkdir -p /home/claude/.ssh`
			`ssh-keyscan -t ed25519,rsa github.com gitlab.com bitbucket.org >> /home/claude/.ssh/known_hosts 2>/dev/null \|\| true`
			`sort -u -o /home/claude/.ssh/known_hosts /home/claude/.ssh/known_hosts`
			`'`

Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`# ── Git credential helper (for HTTPS token) ─────────────────────────────────`
			`if [ -n "$GIT_TOKEN" ]; then`
			`CRED_FILE="/home/claude/.git-credentials"`
			`: > "$CRED_FILE"`
			`chmod 600 "$CRED_FILE"`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`chown claude:claude "$CRED_FILE"`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`echo "https://oauth2:${GIT_TOKEN}@github.com" >> "$CRED_FILE"`
			`echo "https://oauth2:${GIT_TOKEN}@gitlab.com" >> "$CRED_FILE"`
			`echo "https://oauth2:${GIT_TOKEN}@bitbucket.org" >> "$CRED_FILE"`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`su -s /bin/bash claude -c "git config --global credential.helper 'store --file=$CRED_FILE'"`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`unset GIT_TOKEN`
			`fi`

			`# ── Git user config ──────────────────────────────────────────────────────────`
			`if [ -n "$GIT_USER_NAME" ]; then`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`su -s /bin/bash claude -c "git config --global user.name '$GIT_USER_NAME'"`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`fi`
			`if [ -n "$GIT_USER_EMAIL" ]; then`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`su -s /bin/bash claude -c "git config --global user.email '$GIT_USER_EMAIL'"`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`fi`

			`# ── Docker socket permissions ────────────────────────────────────────────────`
			`if [ -S /var/run/docker.sock ]; then`
			`DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)`
			`if ! getent group "$DOCKER_GID" > /dev/null 2>&1; then`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`groupadd -g "$DOCKER_GID" docker-host`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`fi`
			`DOCKER_GROUP=$(getent group "$DOCKER_GID" \| cut -d: -f1)`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`usermod -aG "$DOCKER_GROUP" claude`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`fi`

Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`# ── Stay alive as claude ─────────────────────────────────────────────────────`
Initial commit: Triple-C app, container, and CI Tauri v2 desktop app (React/TypeScript + Rust) for managing containerized Claude Code environments. Includes Gitea Actions workflow for building and pushing the sandbox container image, and a BUILDING.md guide for manual app builds on Linux and Windows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:29:51 +00:00			`echo "Triple-C container ready."`
Fix UID/GID mismatch and SSH key permissions in container - Entrypoint now runs as root to remap the container's claude user UID/GID to match the host user, fixing bind mount permission errors on WSL - SSH keys are mounted read-only to a staging path (/tmp/.host-ssh) and copied to ~/.ssh with correct permissions by the entrypoint - Exec sessions explicitly run as the claude user - Host UID/GID detected automatically and passed as env vars Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-27 04:36:01 +00:00			`exec su -s /bin/bash claude -c "exec sleep infinity"`