safeclaude/skeleton/README.md

.safeclaude/ — this project's sandboxed environment

This folder defines the container that safeclaude runs Claude in. The container is built from these files, so changing the environment means editing them on the host and rebuilding — not installing things inside the running container (which is a non-root sandbox and gets reset each run).

What's here

• Dockerfile — the container image: system packages and pinned language versions (one Ruby, one Node, etc.). Built once, then cached.
• hooks/*.sh — scripts that run at every startup, with the project at /code. Use these for setup that needs your code present or should run each launch (installing dependencies, starting a service proxy). Keep them safe to re-run.
• cache/ — scratch space on the host, gitignored. A good home for installed dependencies, downloads, or "already did this" markers; survives rebuilds and docker volume resets.
• .env — secrets passed into the container at runtime (gitignored; copy from .env.example).
• version — the safeclaude version this config was created with.

How to change the environment

The container runs as a non-root user with no sudo, so you can't install system packages from inside it. Instead, edit these files on the host:

• Add a system package: add it to Dockerfile, then run safeclaude build.
• Add a language or tool: install a specific version in Dockerfile — pin it, since a project only needs one. See the repo's example/ for a worked Ruby + Node setup.
• Run setup at startup: add or edit a script in hooks/ (no rebuild needed).
• Add a secret: put it in .env (see .env.example).

After editing the Dockerfile, run safeclaude build to rebuild. Hook, .env, and cache/ changes take effect on the next launch with no rebuild.