fix(cloud-dev): native Claude install via skel, fix plugin registration, disable symlinks

cevian · claude · cevian · commit bfe08b3d104e · 2026-02-25T14:54:02.000+01:00
- Install Claude Code via native installer (curl) as temp user instead of npm,
  copy to /etc/skel so each runtime user gets their own installation
- Fix relative symlink for claude binary so non-root users can access it
- Add temp /usr/local/bin/claude symlink before 0pflow install so claude is on PATH
- Fix plugin registration: replace hardcoded /home/_setup paths with __HOMEDIR__
  placeholder in skel, substitute actual home dir in entrypoint
- Add build-time verification that settings.json exists (plugin registered)
- Merge .claude.json config instead of overwriting (preserves skel plugin state)
- Disable node_modules symlink scaffold (npm treats symlinks as linked packages
  and runs lifecycle scripts, causing husky-not-found errors)
- Remove 0pflow plugin install step from scripts/install.sh (no longer needed)

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/core/docker/Dockerfile.cloud-dev b/packages/core/docker/Dockerfile.cloud-dev
@@ -11,9 +11,6 @@ RUN apt-get update && apt-get install -y python3 make g++ git curl openssh-serve
 # This means users can run `npm install` without extra flags and still hit the cache.
 RUN npm config set cache /npm-cache --global
 
-# Claude Code CLI (global so PTY manager can find it via `which claude`)
-RUN npm install -g @anthropic-ai/claude-code
-
 # 0pflow — install from local tarball or npm depending on build arg.
 # In dev mode, run: npm pack --pack-destination docker/ (from packages/core)
 # The wildcard COPY uses a dot file as fallback so it never fails when no .tgz exists.
@@ -45,6 +42,24 @@ RUN GLOBAL_MODULES="$(npm root -g)" && \
 RUN chmod -R a+rwx /npm-cache
 ENV PATH=/node_modules/.bin:$PATH
 
+# Pre-run claude install + 0pflow install as a temp user, then save to /etc/skel.
+# useradd -m copies /etc/skel into new home dirs, so runtime users get Claude Code
+# + plugin/marketplace registration without the slow setup on every boot.
+RUN groupadd -f devs && \
+    useradd -m -s /bin/bash -g devs _setup && \
+    su -s /bin/bash _setup -c "curl -fsSL https://claude.ai/install.sh | bash" && \
+    ln -sf /home/_setup/.local/bin/claude /usr/local/bin/claude && \
+    OPFLOW="$(npm prefix -g)/bin/0pflow" && \
+    su -s /bin/bash _setup -c "$OPFLOW install --force" && \
+    test -f /home/_setup/.claude/settings.json || { echo "ERROR: 0pflow plugin not registered"; exit 1; } && \
+    cp -a /home/_setup/. /etc/skel/ && \
+    rm -f /etc/skel/.claude/.credentials.json && \
+    sed -i 's|/home/_setup|__HOMEDIR__|g' /etc/skel/.claude/plugins/known_marketplaces.json /etc/skel/.claude/plugins/installed_plugins.json && \
+    CLAUDE_VER=$(basename "$(readlink /etc/skel/.local/bin/claude)") && \
+    ln -sf "../share/claude/versions/$CLAUDE_VER" /etc/skel/.local/bin/claude && \
+    ln -sf /etc/skel/.local/bin/claude /usr/local/bin/claude && \
+    userdel -r _setup 2>/dev/null || true
+
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
diff --git a/packages/core/docker/entrypoint.sh b/packages/core/docker/entrypoint.sh
@@ -17,6 +17,11 @@ if ! id "$DEV_USER" &>/dev/null; then
 fi
 DEV_HOME=$(eval echo "~$DEV_USER")
 
+# Fix up plugin paths — skel has __HOMEDIR__ placeholders from build time
+for f in "$DEV_HOME/.claude/plugins/known_marketplaces.json" "$DEV_HOME/.claude/plugins/installed_plugins.json"; do
+  [ -f "$f" ] && sed -i "s|__HOMEDIR__|$DEV_HOME|g" "$f"
+done
+
 # ── Set up Claude Code config + credentials in user's home ────
 log "Setting up credentials..."
 mkdir -p "$DEV_HOME/.claude"
@@ -29,38 +34,33 @@ elif [ -f "$DEV_HOME/.claude/.credentials.json" ]; then
   log "  OAuth credentials already exist, skipping"
 fi
 
-# Write .claude.json on first boot only — Claude Code may update it at runtime
-if [ ! -f "$DEV_HOME/.claude.json" ]; then
-  API_KEY_FIELD=""
-  if [ -n "$CLAUDE_API_KEY" ]; then
-    API_KEY_FIELD="\"primaryApiKey\": \"$CLAUDE_API_KEY\","
-    log "  Including API key in config"
-  fi
-  cat > "$DEV_HOME/.claude.json" <<CJSON
-{
-  $API_KEY_FIELD
-  "numStartups": 1,
-  "installMethod": "npm",
-  "autoUpdates": false,
-  "hasCompletedOnboarding": true,
-  "effortCalloutDismissed": true,
-  "bypassPermissionsModeAccepted": true,
-  "projects": {
-    "$APP_DIR": {
-      "allowedTools": [],
-      "mcpContextUris": [],
-      "mcpServers": {},
-      "enabledMcpjsonServers": [],
-      "disabledMcpjsonServers": [],
-      "hasTrustDialogAccepted": true
-    }
-  }
-}
-CJSON
-  log "  Wrote .claude.json config"
-else
-  log "  .claude.json already exists, skipping"
-fi
+# Merge required fields into .claude.json (skel provides plugin registrations;
+# we overlay credentials, onboarding flags, and project trust on every boot).
+log "Updating .claude.json..."
+node -e "
+  const fs = require('fs');
+  const path = '$DEV_HOME/.claude.json';
+  let cfg = {};
+  try { cfg = JSON.parse(fs.readFileSync(path, 'utf-8')); } catch {}
+  const apiKey = process.env.CLAUDE_API_KEY || '';
+  if (apiKey) cfg.primaryApiKey = apiKey;
+  Object.assign(cfg, {
+    hasCompletedOnboarding: true,
+    effortCalloutDismissed: true,
+    bypassPermissionsModeAccepted: true,
+  });
+  cfg.projects = cfg.projects || {};
+  cfg.projects['$APP_DIR'] = Object.assign(cfg.projects['$APP_DIR'] || {}, {
+    allowedTools: [],
+    mcpContextUris: [],
+    mcpServers: {},
+    enabledMcpjsonServers: [],
+    disabledMcpjsonServers: [],
+    hasTrustDialogAccepted: true,
+  });
+  fs.writeFileSync(path, JSON.stringify(cfg, null, 2) + '\n');
+"
+log "  .claude.json updated"
 
 if [ -z "$CLAUDE_OAUTH_CREDENTIALS" ] && [ -z "$CLAUDE_API_KEY" ]; then
   log "  WARNING: No Claude credentials found (CLAUDE_OAUTH_CREDENTIALS / CLAUDE_API_KEY not set)"
@@ -77,35 +77,34 @@ if [ ! -f "$APP_DIR/package.json" ]; then
   su -s /bin/bash "$DEV_USER" -c "cd '$APP_DIR' && "$OPFLOW" init '$APP_NAME' --dir . --no-install"
 
   # Symlink base packages into /data/app/node_modules (one-time, persists on volume).
-  # npm sees symlinks as installed packages — subsequent `npm install <pkg>` only writes
-  # the new package. Uninstalls remove symlinks and they stay gone (not recreated on boot).
-  # Upgrades: npm replaces symlinks with real dirs as needed.
-  log "  Symlinking base packages..."
-  mkdir -p "$APP_DIR/node_modules/.bin"
-  for pkg in /node_modules/*; do
-    name="$(basename "$pkg")"
-    [[ "$name" == .* ]] && continue  # skip .bin, .package-lock.json, .cache, etc.
-    if [[ "$name" == @* ]] && [ -d "$pkg" ]; then
-      # Scoped package dir (e.g. @scope) — link individual packages so npm can
-      # still add new packages under the same scope without hitting a symlink.
-      mkdir -p "$APP_DIR/node_modules/$name"
-      for scoped in "$pkg"/*; do
-        sname="$(basename "$scoped")"
-        [ ! -e "$APP_DIR/node_modules/$name/$sname" ] && \
-          ln -s "$scoped" "$APP_DIR/node_modules/$name/$sname"
-      done
-    else
-      [ ! -e "$APP_DIR/node_modules/$name" ] && \
-        ln -s "$pkg" "$APP_DIR/node_modules/$name"
-    fi
-  done
-  # Symlink .bin entries so npm scripts work without a local install
-  for cmd in /node_modules/.bin/*; do
-    cname="$(basename "$cmd")"
-    [ ! -e "$APP_DIR/node_modules/.bin/$cname" ] && \
-      ln -s "$cmd" "$APP_DIR/node_modules/.bin/$cname"
-  done
-  chown -R "$DEV_USER:devs" "$APP_DIR/node_modules"
+  # DISABLED: npm treats symlinks as linked packages and runs their lifecycle scripts,
+  # which fails (e.g. husky not found). Base packages at /node_modules/ are still
+  # found by Node.js via parent-directory resolution from /data/app.
+  # TODO: revisit — either run `npm install` during scaffold or find a symlink-compatible approach.
+  #
+  # log "  Symlinking base packages..."
+  # mkdir -p "$APP_DIR/node_modules/.bin"
+  # for pkg in /node_modules/*; do
+  #   name="$(basename "$pkg")"
+  #   [[ "$name" == .* ]] && continue
+  #   if [[ "$name" == @* ]] && [ -d "$pkg" ]; then
+  #     mkdir -p "$APP_DIR/node_modules/$name"
+  #     for scoped in "$pkg"/*; do
+  #       sname="$(basename "$scoped")"
+  #       [ ! -e "$APP_DIR/node_modules/$name/$sname" ] && \
+  #         ln -s "$scoped" "$APP_DIR/node_modules/$name/$sname"
+  #     done
+  #   else
+  #     [ ! -e "$APP_DIR/node_modules/$name" ] && \
+  #       ln -s "$pkg" "$APP_DIR/node_modules/$name"
+  #   fi
+  # done
+  # for cmd in /node_modules/.bin/*; do
+  #   cname="$(basename "$cmd")"
+  #   [ ! -e "$APP_DIR/node_modules/.bin/$cname" ] && \
+  #     ln -s "$cmd" "$APP_DIR/node_modules/.bin/$cname"
+  # done
+  # chown -R "$DEV_USER:devs" "$APP_DIR/node_modules"
   log "  Scaffold complete"
 fi
 
@@ -123,14 +122,6 @@ mkdir -p "$APP_DIR/node_modules"
 ln -sfn /node_modules/0pflow "$APP_DIR/node_modules/0pflow"
 chown -h "$DEV_USER:devs" "$APP_DIR/node_modules" "$APP_DIR/node_modules/0pflow" 2>/dev/null || true
 
-# ── Complete Claude Code native installer migration (suppresses startup prompt) ──
-log "Completing Claude Code native install for $DEV_USER..."
-su -s /bin/bash "$DEV_USER" -c "HOME='$DEV_HOME' claude install" 2>/dev/null || true
-
-# ── Register 0pflow Claude Code plugin for DEV_USER ────────────
-log "Installing 0pflow plugin for $DEV_USER..."
-su -s /bin/bash "$DEV_USER" -c "HOME='$DEV_HOME' "$OPFLOW" install" 2>/dev/null || true
-
 # ── SSH server setup ──────────────────────────────────────────
 # Persist host keys on volume so they survive redeployments (avoids "host key changed" warnings)
 if [ ! -f /data/ssh_host_keys/ssh_host_ed25519_key ]; then
diff --git a/scripts/install.sh b/scripts/install.sh
@@ -56,7 +56,7 @@ detect_os() {
 # ── Step 1: Node.js ─────────────────────────────────────────────────────────
 
 install_node() {
-  step "Step 1/4: Node.js"
+  step "Step 1/3: Node.js"
 
   if has_cmd node; then
     local node_version node_major
@@ -92,7 +92,7 @@ install_node() {
 # ── Step 2: Claude Code CLI ─────────────────────────────────────────────────
 
 install_claude() {
-  step "Step 2/4: Claude Code CLI"
+  step "Step 2/3: Claude Code CLI"
 
   if has_cmd claude; then
     success "Claude Code CLI found"
@@ -120,7 +120,7 @@ install_claude() {
 # ── Step 3: Tiger CLI ───────────────────────────────────────────────────────
 
 install_tiger() {
-  step "Step 3/4: Tiger CLI"
+  step "Step 3/3: Tiger CLI"
 
   if has_cmd tiger; then
     success "Tiger CLI found"
@@ -145,26 +145,6 @@ install_tiger() {
   fi
 }
 
-# ── Step 4: 0pflow plugin ───────────────────────────────────────────────────
-
-install_0pflow() {
-  step "Step 4/4: 0pflow plugin"
-
-  if [ -n "${CLAUDECODE:-}" ]; then
-    warn "Running inside a Claude Code session."
-    warn "Please run this install script from a regular terminal instead."
-    fatal "Cannot install 0pflow plugin from inside Claude Code."
-  fi
-
-  info "Installing 0pflow plugin for Claude Code..."
-  # Suppress inner output — our script provides its own progress messages
-  if ! npx --loglevel=error -y --prefer-online 0pflow@dev install --force > /dev/null 2>&1; then
-    fatal "0pflow plugin installation failed. Try running: npx -y 0pflow@dev install --force"
-  fi
-
-  success "0pflow plugin installed"
-}
-
 # ── Shell alias ──────────────────────────────────────────────────────────────
 
 setup_alias() {
@@ -227,7 +207,6 @@ main() {
   install_node
   install_claude
   install_tiger
-  install_0pflow
   setup_alias
 
   # Determine which rc file to source
@@ -239,7 +218,7 @@ main() {
   printf "\n"
   printf "${GREEN}${BOLD}  Installation complete!${RESET}\n\n" >&2
   printf "${BOLD}  To get started, run:${RESET}\n\n" >&2
-  printf "${CYAN}    source ${rc_file} && 0pflow run${RESET}\n\n" >&2
+  printf "${CYAN}    source ${rc_file} && 0pflow cloud run${RESET}\n\n" >&2
 }
 
 main "$@"
