run as user outside container

Dockerfile.base

@@ -37,9 +37,18 @@ RUN ARCH=$(uname -m) && \
     rm -rf /tmp/gs-install
 
 # --- the user Claude runs as ---
-# We create this user so the home folder is owned by the same ID the launcher
-# runs as. Without it, the container couldn't write to its own home.
-RUN useradd -m -s /bin/bash -u 1001 coder
+# We create 'coder' with the *host* user's UID/GID (passed in by the launcher).
+# This is what makes the bind-mounted project at /code writable: the files there
+# keep the host's ownership, so the container can only write them if it runs as
+# that same ID. It also means files Claude creates come out owned by you on the
+# host — not root or some stray ID. The launcher rebuilds this image if the host
+# ID ever changes (it reads the labels below to notice), so the default here is
+# just a placeholder for a from-scratch build.
+ARG HOST_UID=1000
+ARG HOST_GID=1000
+RUN if ! getent group "${HOST_GID}" >/dev/null; then groupadd -g "${HOST_GID}" coder; fi && \
+    useradd -m -s /bin/bash -u "${HOST_UID}" -g "${HOST_GID}" coder
+LABEL safeclaude.uid="${HOST_UID}" safeclaude.gid="${HOST_GID}"
 
 # Claude installs itself into one of these folders, so add them to PATH.
 ENV PATH="/home/coder/.local/bin:/home/coder/.claude/bin:$PATH"