didericis
7a38b8da23
Walks the current `docker run -e CLAUDE_CODE_OAUTH_TOKEN` flow, why claude can read the token trivially via its Bash tool, why no Linux primitive hides an env var from its own process, and why a root-owned localhost auth-injecting reverse proxy (paired with an egress allowlist) is the realistic mitigation. Documents `ANTHROPIC_BASE_URL` caveats (SSE, header passthrough, issue #36998, out-of-band traffic).