
Commit 50a60db

update notes
1 parent 0e7576a commit 50a60db

1 file changed

+25
-7
lines changed

.devcontainer/claude-code/README.md

Lines changed: 25 additions & 7 deletions
@@ -440,15 +440,33 @@ touch ~/.claude/CLAUDE.md ~/.claude/settings.json
440440

441441
## Security Notes
442442

443-
Based on [PR #25](https://github.com/anthropics/devcontainer-features/pull/25):
444-
445-
- **Read-Only Mounts**: Prevents prompt injection attacks that could modify CLAUDE.md or hooks
446-
- **No Credential Mounts**: `.credentials.json` is NOT mounted to prevent key exfiltration
447-
- **Isolated Configuration**: Each container uses host config but cannot modify it
448-
449-
See issues:
443+
This implementation makes conscious security trade-offs to enable OAuth authentication and persistent setup state:
444+
445+
### What's Protected (Read-Only Mounts)
446+
- **CLAUDE.md**: Prevents prompt injection attacks that could modify your global instructions
447+
- **settings.json**: Prevents config tampering
448+
- **agents/**, **commands/**, **hooks/**: Prevents malicious code execution through modified hooks
449+
450+
### What's Writable (Necessary Trade-off)
451+
- **`.credentials.json`**: OAuth tokens must be writable for token refresh to work
452+
- **`.claude.json`**: Workspace state must be writable to persist `projectOnboardingSeenCount` and other setup tracking
453+
454+
### Security Mitigations
455+
- Files have `600` permissions (user-only access)
456+
- Only use this feature in **trusted repositories**
457+
- Container user isolation provides some protection
458+
- Writable files are limited to authentication/state only
459+
- All configuration and code execution files remain read-only
460+
461+
### Known Risks
462+
- A malicious process in the container could exfiltrate OAuth tokens from `.credentials.json`
463+
- A malicious process could modify workspace state in `.claude.json`
464+
- **Recommendation**: Only use in repositories you trust, as you would with any dev container configuration
465+
466+
See related security discussions:
450467
- [anthropics/claude-code#4478](https://github.com/anthropics/claude-code/issues/4478)
451468
- [anthropics/claude-code#2350](https://github.com/anthropics/claude-code/issues/2350)
469+
- Original read-only approach: [PR #25](https://github.com/anthropics/devcontainer-features/pull/25)
452470

453471
## Reference
454472

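Review bot: The first bullet under "### Security Mitigations" ("Files have `600` permissions (user-only access)") does not mitigate the risk listed directly below it under "### Known Risks": the agent, and therefore any malicious process it spawns, runs as the same container user that owns the mounted `.credentials.json`, so user-only permissions only keep other users out and do nothing against in-container token theft. Consider rewording it to something like "Files have `600` permissions, which protects them from other host users but not from processes running as the container user", or move it out of the mitigations list. The same section would also benefit from one concrete recovery step, since this hunk turns an exfiltratable secret into a writable mount: state that if a container is suspected of being compromised the user should sign out / revoke the OAuth session so the persisted token in `.credentials.json` stops being useful. Finally, the new "What's Protected" bullets keep the wording "Prevents prompt injection attacks" from the removed text; a read-only mount prevents the injected content from persisting into CLAUDE.md, hooks and settings, not the injection itself, so "Prevents prompt injection from persisting changes to ..." would be more accurate.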