# .safeclaude/ — this project's sandboxed environment

This folder defines the container that `safeclaude` runs Claude in. The container is built from these files, so changing the environment means editing them on the host and rebuilding — not installing things inside the running container (which is a non-root sandbox and gets reset each run).

## What's here

- `Dockerfile` — the container image: system packages and pinned language versions (one Ruby, one Node, etc.). Built once, then cached.
- `hooks/*.sh` — scripts that run at every startup, with the project at `/code`. Use these for setup that needs your code present or should run each launch (installing dependencies, starting a service proxy). Keep them safe to re-run.
- `cache/` — scratch space on the host, gitignored. A good home for installed dependencies, downloads, or "already did this" markers; survives rebuilds and `docker volume` resets.
- `.env` — secrets passed into the container at runtime (gitignored; copy from `.env.example`).
- `version` — the safeclaude version this config was created with.

## How to change the environment

The container runs as a non-root user with no sudo, so you can't install system packages from inside it. Instead, edit these files on the host:

- **Add a system package:** add it to `Dockerfile`, then run `safeclaude build`.
- **Add a language or tool:** install a specific version in `Dockerfile` — pin it, since a project only needs one. See the repo's `example/` for a worked Ruby + Node setup.
- **Run setup at startup:** add or edit a script in `hooks/` (no rebuild needed).
- **Add a secret:** put it in `.env` (see `.env.example`).

After editing the `Dockerfile`, run `safeclaude build` to rebuild. Hook, `.env`, and `cache/` changes take effect on the next launch with no rebuild.
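
A sketch of a hook that is safe to re-run, using an "already did this" marker in `cache/` as described above. This is an added example, not code shipped with safeclaude; the function name `run_if_changed`, the hook file name, and the in-container cache path `/code/.safeclaude/cache` are assumptions.

```shell
#!/bin/sh
# Hypothetical hook, e.g. .safeclaude/hooks/10-deps.sh (file name is an assumption).
# Runs an install command only when a lockfile's content has changed since the
# last successful run, so every launch can call it without redoing the work.
set -eu

# ASSUMPTION: cache/ is visible at this path inside the container.
CACHE_DIR="${CACHE_DIR:-/code/.safeclaude/cache}"

# run_if_changed LOCKFILE COMMAND [ARGS...]
# Returns 0 when the command ran successfully or was skipped as up to date,
# and non-zero when the command failed (no marker is written in that case).
run_if_changed() {
  _lock="$1"; shift
  if [ ! -f "$_lock" ]; then
    echo "skip: $_lock not found" >&2
    return 0
  fi

  # Digest of the lockfile content: the "what did we install" fingerprint.
  _digest="$(sha256sum "$_lock" | cut -d' ' -f1)"
  # One marker per lockfile path, so several hooks can share cache/.
  _key="$(printf '%s' "$_lock" | sha256sum | cut -d' ' -f1)"
  _marker="$CACHE_DIR/markers/$_key"

  if [ -f "$_marker" ] && [ "$(cat "$_marker")" = "$_digest" ]; then
    echo "up to date: $_lock" >&2
    return 0
  fi

  # Run the install; the marker is written only after it succeeds, so a failed
  # or interrupted run is retried on the next launch.
  "$@" || return 1
  mkdir -p "$CACHE_DIR/markers" || return 1
  # Write to a temp file, then rename, so a half-written marker is never read.
  printf '%s\n' "$_digest" > "$_marker.tmp" && mv "$_marker.tmp" "$_marker"
}

# In a real hook, call it from the project root, for example:
#   cd /code
#   run_if_changed Gemfile.lock bundle install
#   run_if_changed package-lock.json npm ci
```

Because the marker lives in `cache/` rather than in the container's own filesystem, it is still there after the container is reset on the next run.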