CLAUDE.md

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Project Overview

Triple-C (Claude-Code-Container) is a Tauri v2 desktop application that sandboxes Claude Code inside Docker containers. It has two main parts: a React/TypeScript frontend, a Rust backend, and a Docker container image definition.

## Build & Development Commands

All frontend/tauri commands run from the `app/` directory:

```bash
cd app
npm ci                    # Install dependencies (required first time)
npx tauri dev             # Launch app in dev mode with hot reload (Vite on port 1420)
npx tauri build           # Production build (outputs to src-tauri/target/release/bundle/)
npm run build             # Frontend-only build (tsc + vite)
npm run test              # Run Vitest once
npm run test:watch        # Run Vitest in watch mode
```

Rust backend is compiled automatically by `tauri dev`/`tauri build`. To check Rust independently:
```bash
cd app/src-tauri
cargo check               # Type-check without full build
cargo build               # Build Rust backend only
```

Container image:
```bash
docker build -t triple-c-sandbox ./container
```

### Linux Build Dependencies (Ubuntu/Debian)
```bash
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev libsoup-3.0-dev patchelf libssl-dev pkg-config build-essential
```

## Architecture

### Two-Process Model (Tauri IPC)

- **React frontend** (`app/src/`) renders UI in the OS webview
- **Rust backend** (`app/src-tauri/src/`) handles Docker API, credential storage, and terminal I/O
- Communication uses two patterns:
  - `invoke()` — request/response for discrete operations (CRUD, start/stop containers)
  - `emit()`/`listen()` — event streaming for continuous data (terminal I/O)

### Terminal I/O Flow

```
User keystroke → xterm.js onData() → invoke("terminal_input") → mpsc channel → docker exec stdin
docker exec stdout → tokio task → emit("terminal-output-{sessionId}") → listen() → xterm.js write()
```

### Frontend Structure (`app/src/`)

- **`store/appState.ts`** — Single Zustand store for all app state (projects, sessions, UI)
- **`hooks/`** — All Tauri IPC calls are encapsulated in hooks (`useTerminal`, `useProjects`, `useDocker`, `useSettings`)
- **`lib/tauri-commands.ts`** — Typed `invoke()` wrappers; TypeScript types in `lib/types.ts` must match Rust models
- **`components/terminal/TerminalView.tsx`** — xterm.js integration with WebGL rendering, URL detection for OAuth flow
- **`components/layout/`** — TopBar (tabs + status), Sidebar (project list), StatusBar
- **`components/projects/`** — ProjectCard, ProjectList, AddProjectDialog
- **`components/settings/`** — Settings panels for API keys, Docker, AWS, Web Terminal

### Backend Structure (`app/src-tauri/src/`)

- **`commands/`** — Tauri command handlers (docker, project, settings, terminal). These are the IPC entry points called by `invoke()`.
- **`docker/`** — Docker API layer using bollard:
  - `client.rs` — Singleton Docker connection via `OnceLock`
  - `container.rs` — Container lifecycle (create, start, stop, remove, inspect)
  - `exec.rs` — PTY exec sessions with bidirectional stdin/stdout streaming
  - `image.rs` — Image build/pull with progress streaming
- **`web_terminal/`** — Remote terminal access via axum HTTP+WebSocket server:
  - `server.rs` — Axum server lifecycle (start/stop), serves embedded HTML and handles WS upgrades
  - `ws_handler.rs` — Per-connection WebSocket handler with JSON protocol, session management, cleanup on disconnect
  - `terminal.html` — Self-contained xterm.js web UI embedded via `include_str!()`
- **`models/`** — Serde structs (`Project`, `Backend`, `BedrockConfig`, `OllamaConfig`, `OpenAiCompatibleConfig`, `ClaudeCodeSettings`, `ContainerInfo`, `AppSettings`, `WebTerminalSettings`). These define the IPC contract with the frontend.
- **`storage/`** — Persistence: `projects_store.rs` (JSON file with atomic writes), `secure.rs` (OS keychain via `keyring` crate), `settings_store.rs`

### Container (`container/`)

- **`Dockerfile`** — Ubuntu 24.04 base with Claude Code, Node.js 22, Python 3.12, Rust, Docker CLI, git, gh, AWS CLI v2, ripgrep, pnpm, uv, ruff pre-installed
- **`entrypoint.sh`** — UID/GID remapping to match host user, SSH key setup, git config, docker socket permissions, Claude Code settings.json injection, then `sleep infinity`
- **`triple-c-scheduler`** — Bash-based scheduled task system for recurring Claude Code invocations

### Container Lifecycle

Containers use a **stop/start** model (not create/destroy). Installed packages persist across stops. The `.claude` config dir uses a named Docker volume (`triple-c-claude-config-{projectId}`) so OAuth tokens survive even container resets.

### Authentication

Per-project, independently configured:
- **Anthropic (OAuth)** — `claude login` in terminal, token persists in config volume
- **AWS Bedrock** — Static keys, profile, or bearer token injected as env vars
- **Ollama** — Connect to a local or remote Ollama server via `ANTHROPIC_BASE_URL` (e.g., `http://host.docker.internal:11434`)
- **OpenAI Compatible** — Connect through any OpenAI API-compatible endpoint (LiteLLM, OpenRouter, vLLM, etc.) via `ANTHROPIC_BASE_URL` + `ANTHROPIC_AUTH_TOKEN`

## Styling

- **Tailwind CSS v4** with the Vite plugin (`@tailwindcss/vite`). No separate tailwind config file.
- All colors use CSS custom properties in `index.css` `:root` (e.g., `--bg-primary`, `--text-secondary`, `--accent`)
- `color-scheme: dark` is set on `:root` for native dark-mode controls
- **Do not** add a global `* { padding: 0 }` reset — Tailwind v4 uses CSS `@layer`, and unlayered CSS overrides all layered utilities

## Key Conventions

- Frontend types in `lib/types.ts` must stay in sync with Rust structs in `models/`
- Tauri commands are registered in `lib.rs` via `.invoke_handler(tauri::generate_handler![...])`
- Tauri v2 permissions are declared in `capabilities/default.json` — new IPC commands need permission grants there
- The `projects.json` file uses atomic writes (write to `.tmp`, then `rename()`). Corrupted files are backed up to `.bak`.
- Cross-platform paths: Docker socket is `/var/run/docker.sock` on Linux/macOS, `//./pipe/docker_engine` on Windows

## Testing

Frontend tests use Vitest with jsdom environment and React Testing Library. Setup file at `src/test/setup.ts`. Run a single test file:
```bash
cd app
npx vitest run src/path/to/test.test.ts
```
Add CLAUDE.md and HOW-TO-USE.md documentation CLAUDE.md provides guidance for Claude Code instances working in this repo (build commands, architecture overview, key conventions). HOW-TO-USE.md is a user-facing guide covering prerequisites, setup, all application features, and troubleshooting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 15:59:53 -08:00			`# CLAUDE.md`

			`This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.`

			`## Project Overview`

			`Triple-C (Claude-Code-Container) is a Tauri v2 desktop application that sandboxes Claude Code inside Docker containers. It has two main parts: a React/TypeScript frontend, a Rust backend, and a Docker container image definition.`

			`## Build & Development Commands`

			All frontend/tauri commands run from the `app/` directory:

			```bash
			`cd app`
			`npm ci # Install dependencies (required first time)`
			`npx tauri dev # Launch app in dev mode with hot reload (Vite on port 1420)`
			`npx tauri build # Production build (outputs to src-tauri/target/release/bundle/)`
			`npm run build # Frontend-only build (tsc + vite)`
			`npm run test # Run Vitest once`
			`npm run test:watch # Run Vitest in watch mode`
			```

			Rust backend is compiled automatically by `tauri dev`/`tauri build`. To check Rust independently:
			```bash
			`cd app/src-tauri`
			`cargo check # Type-check without full build`
			`cargo build # Build Rust backend only`
			```

			`Container image:`
			```bash
			`docker build -t triple-c-sandbox ./container`
			```

			`### Linux Build Dependencies (Ubuntu/Debian)`
			```bash
			`sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev libsoup-3.0-dev patchelf libssl-dev pkg-config build-essential`
			```

			`## Architecture`

			`### Two-Process Model (Tauri IPC)`

			- React frontend (`app/src/`) renders UI in the OS webview
			- Rust backend (`app/src-tauri/src/`) handles Docker API, credential storage, and terminal I/O
			`- Communication uses two patterns:`
			- `invoke()` — request/response for discrete operations (CRUD, start/stop containers)
			- `emit()`/`listen()` — event streaming for continuous data (terminal I/O)

			`### Terminal I/O Flow`

			```
			`User keystroke → xterm.js onData() → invoke("terminal_input") → mpsc channel → docker exec stdin`
			`docker exec stdout → tokio task → emit("terminal-output-{sessionId}") → listen() → xterm.js write()`
			```

			### Frontend Structure (`app/src/`)

			- `store/appState.ts` — Single Zustand store for all app state (projects, sessions, UI)
			- `hooks/` — All Tauri IPC calls are encapsulated in hooks (`useTerminal`, `useProjects`, `useDocker`, `useSettings`)
			- `lib/tauri-commands.ts` — Typed `invoke()` wrappers; TypeScript types in `lib/types.ts` must match Rust models
			- `components/terminal/TerminalView.tsx` — xterm.js integration with WebGL rendering, URL detection for OAuth flow
			- `components/layout/` — TopBar (tabs + status), Sidebar (project list), StatusBar
			- `components/projects/` — ProjectCard, ProjectList, AddProjectDialog
Document web terminal feature across all docs Adds web terminal documentation to README (architecture, key files), HOW-TO-USE (setup guide, usage, security tips), TECHNICAL (system diagram, communication flow, dependencies, project structure), and CLAUDE.md (backend structure). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 20:09:05 -07:00			- `components/settings/` — Settings panels for API keys, Docker, AWS, Web Terminal
Add CLAUDE.md and HOW-TO-USE.md documentation CLAUDE.md provides guidance for Claude Code instances working in this repo (build commands, architecture overview, key conventions). HOW-TO-USE.md is a user-facing guide covering prerequisites, setup, all application features, and troubleshooting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 15:59:53 -08:00
			### Backend Structure (`app/src-tauri/src/`)

			- `commands/` — Tauri command handlers (docker, project, settings, terminal). These are the IPC entry points called by `invoke()`.
			- `docker/` — Docker API layer using bollard:
			- `client.rs` — Singleton Docker connection via `OnceLock`
			- `container.rs` — Container lifecycle (create, start, stop, remove, inspect)
			- `exec.rs` — PTY exec sessions with bidirectional stdin/stdout streaming
			- `image.rs` — Image build/pull with progress streaming
Document web terminal feature across all docs Adds web terminal documentation to README (architecture, key files), HOW-TO-USE (setup guide, usage, security tips), TECHNICAL (system diagram, communication flow, dependencies, project structure), and CLAUDE.md (backend structure). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-17 20:09:05 -07:00			- `web_terminal/` — Remote terminal access via axum HTTP+WebSocket server:
			- `server.rs` — Axum server lifecycle (start/stop), serves embedded HTML and handles WS upgrades
			- `ws_handler.rs` — Per-connection WebSocket handler with JSON protocol, session management, cleanup on disconnect
			- `terminal.html` — Self-contained xterm.js web UI embedded via `include_str!()`
Add Claude Code settings infrastructure, TUI mode, session naming, and global defaults Adds first-class support for Claude Code CLI features (2.1.71-2.1.110): - New ClaudeCodeSettings struct with per-project and global defaults for TUI mode, effort level, focus mode, thinking summaries, session recap, auto-scroll, env scrub, and 1-hour prompt caching - Settings injected as env vars (CLAUDE_CODE_NO_FLICKER, etc.) and ~/.claude/settings.json entries via entrypoint.sh merge block - New ClaudeCodeSettingsModal component for configuring settings - Session naming support (-n flag passed to claude CLI, shown in tabs) - Relaxed reserved prefix filter: CLAUDE_CODE_* env vars now allowed in custom env vars UI for power users - Global SSH key path, git name, and git email now used as fallbacks when per-project values are not set, with UI in SettingsPanel - Fingerprint-based change detection triggers container recreation when Claude Code settings change - Updated README, HOW-TO-USE, and CLAUDE.md documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 08:46:03 -07:00			- `models/` — Serde structs (`Project`, `Backend`, `BedrockConfig`, `OllamaConfig`, `OpenAiCompatibleConfig`, `ClaudeCodeSettings`, `ContainerInfo`, `AppSettings`, `WebTerminalSettings`). These define the IPC contract with the frontend.
Add CLAUDE.md and HOW-TO-USE.md documentation CLAUDE.md provides guidance for Claude Code instances working in this repo (build commands, architecture overview, key conventions). HOW-TO-USE.md is a user-facing guide covering prerequisites, setup, all application features, and troubleshooting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 15:59:53 -08:00			- `storage/` — Persistence: `projects_store.rs` (JSON file with atomic writes), `secure.rs` (OS keychain via `keyring` crate), `settings_store.rs`

			### Container (`container/`)

			- `Dockerfile` — Ubuntu 24.04 base with Claude Code, Node.js 22, Python 3.12, Rust, Docker CLI, git, gh, AWS CLI v2, ripgrep, pnpm, uv, ruff pre-installed
Add Claude Code settings infrastructure, TUI mode, session naming, and global defaults Adds first-class support for Claude Code CLI features (2.1.71-2.1.110): - New ClaudeCodeSettings struct with per-project and global defaults for TUI mode, effort level, focus mode, thinking summaries, session recap, auto-scroll, env scrub, and 1-hour prompt caching - Settings injected as env vars (CLAUDE_CODE_NO_FLICKER, etc.) and ~/.claude/settings.json entries via entrypoint.sh merge block - New ClaudeCodeSettingsModal component for configuring settings - Session naming support (-n flag passed to claude CLI, shown in tabs) - Relaxed reserved prefix filter: CLAUDE_CODE_* env vars now allowed in custom env vars UI for power users - Global SSH key path, git name, and git email now used as fallbacks when per-project values are not set, with UI in SettingsPanel - Fingerprint-based change detection triggers container recreation when Claude Code settings change - Updated README, HOW-TO-USE, and CLAUDE.md documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-16 08:46:03 -07:00			- `entrypoint.sh` — UID/GID remapping to match host user, SSH key setup, git config, docker socket permissions, Claude Code settings.json injection, then `sleep infinity`
Add CLAUDE.md and HOW-TO-USE.md documentation CLAUDE.md provides guidance for Claude Code instances working in this repo (build commands, architecture overview, key conventions). HOW-TO-USE.md is a user-facing guide covering prerequisites, setup, all application features, and troubleshooting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 15:59:53 -08:00			- `triple-c-scheduler` — Bash-based scheduled task system for recurring Claude Code invocations

			`### Container Lifecycle`

			Containers use a stop/start model (not create/destroy). Installed packages persist across stops. The `.claude` config dir uses a named Docker volume (`triple-c-claude-config-{projectId}`) so OAuth tokens survive even container resets.

			`### Authentication`

			`Per-project, independently configured:`
			- Anthropic (OAuth) — `claude login` in terminal, token persists in config volume
			`- AWS Bedrock — Static keys, profile, or bearer token injected as env vars`
Add Ollama and LiteLLM backend support (v0.2.0) Add two new auth modes for projects alongside Anthropic and Bedrock: - Ollama: connect to local or remote Ollama servers via ANTHROPIC_BASE_URL - LiteLLM: connect through a LiteLLM proxy gateway to 100+ model providers Both modes inject ANTHROPIC_BASE_URL and ANTHROPIC_AUTH_TOKEN env vars into the container, with optional model override via ANTHROPIC_MODEL. LiteLLM API keys are stored securely in the OS keychain. Config changes trigger automatic container recreation via fingerprinting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-11 13:05:52 -07:00			- Ollama — Connect to a local or remote Ollama server via `ANTHROPIC_BASE_URL` (e.g., `http://host.docker.internal:11434`)
Rename LiteLLM backend to OpenAI Compatible Reflects that this backend works with any OpenAI API-compatible endpoint (LiteLLM, OpenRouter, vLLM, text-generation-inference, LocalAI, etc.), not just LiteLLM. Includes serde aliases for backward compatibility with existing projects.json files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 06:16:05 -07:00			- OpenAI Compatible — Connect through any OpenAI API-compatible endpoint (LiteLLM, OpenRouter, vLLM, etc.) via `ANTHROPIC_BASE_URL` + `ANTHROPIC_AUTH_TOKEN`
Add CLAUDE.md and HOW-TO-USE.md documentation CLAUDE.md provides guidance for Claude Code instances working in this repo (build commands, architecture overview, key conventions). HOW-TO-USE.md is a user-facing guide covering prerequisites, setup, all application features, and troubleshooting. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-01 15:59:53 -08:00
			`## Styling`

			- Tailwind CSS v4 with the Vite plugin (`@tailwindcss/vite`). No separate tailwind config file.
			- All colors use CSS custom properties in `index.css` `:root` (e.g., `--bg-primary`, `--text-secondary`, `--accent`)
			- `color-scheme: dark` is set on `:root` for native dark-mode controls
			- Do not add a global `* { padding: 0 }` reset — Tailwind v4 uses CSS `@layer`, and unlayered CSS overrides all layered utilities

			`## Key Conventions`

			- Frontend types in `lib/types.ts` must stay in sync with Rust structs in `models/`
			- Tauri commands are registered in `lib.rs` via `.invoke_handler(tauri::generate_handler![...])`
			- Tauri v2 permissions are declared in `capabilities/default.json` — new IPC commands need permission grants there
			- The `projects.json` file uses atomic writes (write to `.tmp`, then `rename()`). Corrupted files are backed up to `.bak`.
			- Cross-platform paths: Docker socket is `/var/run/docker.sock` on Linux/macOS, `//./pipe/docker_engine` on Windows

			`## Testing`

			Frontend tests use Vitest with jsdom environment and React Testing Library. Setup file at `src/test/setup.ts`. Run a single test file:
			```bash
			`cd app`
			`npx vitest run src/path/to/test.test.ts`
			```