# Claude Code — Dockerized

A minimal, guardrailed container for running Claude Code.

## Setup

```bash
# 1. Build the image
docker compose build

# 2. Link the binary where it's accessible
#    (~/.local/bin must already exist and be on your PATH)
ln -s "$(readlink -f ./safeclaude)" "$(readlink -f ~/.local/bin)"

# 3. Run against your code
cd ~/zenmaid-webapp && safeclaude .
```

## Security notes

- Runs as a non-root user (`coder`, uid 1001)
- All Linux capabilities are dropped except `NET_BIND_SERVICE`
- Privilege escalation is disabled (`no-new-privileges`)
- The container has no network restrictions beyond what Docker provides — add a custom network or `--network none` with `--add-host` if you want to lock that down further

## Limitations & future updates

- System package requirement changes require updates to the Dockerfile and a restart/rebuild; the claude user can't make these changes itself due to restricted access.
- Bundles need to be updated separately inside the container
- The setup is fairly tightly married to a ruby/psql application and would need to be tweaked to be configurable for other environments or platforms
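The guardrails listed under Security notes can be checked against a running container by auditing its `docker inspect` output. The script below is an added example, not part of this project; the `audit` function, its parameters and the sample JSON are constructed for illustration, and the optional `require_no_network` flag covers the `--network none` lock-down.

```python
import json

# Constructed sample: trimmed output of `docker inspect <container>` (a JSON array).
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "coder"},
    "HostConfig": {"CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                   "SecurityOpt": ["no-new-privileges:true"],
                   "Privileged": False, "NetworkMode": "bridge"},
}])


def _caps(values):
    """Upper-case capability names and strip an optional CAP_ prefix."""
    names = (v.upper() for v in (values or []))
    return {n[4:] if n.startswith("CAP_") else n for n in names}


def audit(inspect_json, users=("coder", "1001"), allowed_caps=("NET_BIND_SERVICE",),
          require_no_network=False):
    """Return findings for one container; an empty list means all checks pass."""
    container = json.loads(inspect_json)[0]
    host = container.get("HostConfig") or {}
    findings = []

    # Config.User may be "name", "uid" or "uid:gid"; empty means root.
    user = ((container.get("Config") or {}).get("User") or "").split(":")[0]
    if user not in users:
        findings.append("runs as %r, expected one of %s" % (user or "root", list(users)))
    if host.get("Privileged"):
        findings.append("privileged mode overrides the capability drops")
    if "ALL" not in _caps(host.get("CapDrop")):
        findings.append("cap_drop does not include ALL")
    extra = _caps(host.get("CapAdd")) - set(allowed_caps)
    if extra:
        findings.append("unexpected added capabilities: %s" % sorted(extra))
    opts = {o.replace("=", ":") for o in (host.get("SecurityOpt") or [])}
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("no-new-privileges is not set")
    # Optional stricter check for the `--network none` lock-down.
    if require_no_network and host.get("NetworkMode") != "none":
        findings.append("network mode is %r, expected 'none'" % host.get("NetworkMode"))
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_INSPECT) or "all guardrails present")
```

To check a live container, pass the output of `docker inspect <container>` to `audit` in place of the constructed sample.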