Drop the Intended design section and PRD references; keep only
What this is, Goals, Non-goals, Repository layout, Conventions,
and When you're unsure.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Replaces cli.sh + lib/*.sh with a claude_bottle/ Python package and a
cli.py entry point. No external dependencies — uses only Python's
stdlib (json, subprocess, getpass, tempfile, argparse, re, etc.).
- claude_bottle/{log,docker,manifest,env_resolve,network,pipelock,
skills,ssh,cli}.py mirror the previous lib/*.sh modules.
- Tests converted to unittest under tests/test_*.py with a stdlib
runner at tests/run_tests.py (unit | integration | path).
- .githooks/commit-msg ported to Python; same Conventional Commits rules.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Previously cmd_start unconditionally passed --remote-control to claude.
Make it a parsed flag so callers can choose. Behavior change: the
default is now disabled — pass --remote-control to opt in.
Surfaced in usage, the launch plan, and the assembled CLAUDE_ARGS.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
cmd_start declared SLUG as local, but cleanup_all (registered as the
EXIT/INT/TERM trap) calls pipelock_stop "$SLUG" after cmd_start has
returned and the local is out of scope. With set -u this aborted
shell teardown with "SLUG: unbound variable". Drop the local to
match the convention already used for MANIFEST_FILE, CONTAINER, and
STAGE_DIR.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Investigates whether the Gitea `tea` CLI can be authenticated via a
header-injecting proxy so the token never enters the container — even as
an env var. Parallels the OAuth-token research note. Recommends an
in-container root-owned reverse proxy as the lowest-friction shape, and
flags the unavoidable tradeoff that the agent retains the token's full
API scope (no exfil ≠ no harm).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Walks the current `docker run -e CLAUDE_CODE_OAUTH_TOKEN` flow, why claude
can read the token trivially via its Bash tool, why no Linux primitive
hides an env var from its own process, and why a root-owned localhost
auth-injecting reverse proxy (paired with an egress allowlist) is the
realistic mitigation. Documents `ANTHROPIC_BASE_URL` caveats (SSE,
header passthrough, issue #36998, out-of-band traffic).
didericis