sandbox: enforce VS Code git credential lockdown via devcontainer settings

Pin three Dev Containers settings in devcontainer.json so VS Code never
forwards host git credentials into the container in the first place,
rather than relying on env-var clearing in `just claude`:

  git.terminalAuthentication: false              -> stops VS Code's Git
    extension from setting GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE in
    integrated terminals (source: vscode/extensions/git/src/askpass.ts)
  dev.containers.gitCredentialHelperConfigLocation: "none"
                                                 -> stops Dev Containers
    from writing a credential.helper line into /etc/gitconfig
  dev.containers.copyGitConfig: false            -> stops the host
    ~/.gitconfig (with its url.insteadOf rewrites and per-host helpers)
    from being copied into the container

A compromised model can no longer reach a leaked VS Code IPC socket by
editing the hook or recipe, because the socket is never wired up.

Knock-on cleanup:
- devcontainer.json: drop the now-redundant remoteEnv blanks for
  GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE / VSCODE_GIT_ASKPASS_{MAIN,NODE,
  EXTRA_ARGS}. The new settings prevent VS Code from setting them at
  all; sandbox-check.sh catches any regression. SSH_AUTH_SOCK= stays
  in remoteEnv — there is no VS Code setting alternative for it.
- justfile: drop VSCODE_GIT_IPC_HANDLE= / GIT_ASKPASS= from `just claude`
  for the same reason; SSH_AUTH_SOCK= stays.
- sandbox-check.sh: env-var failures for the credential bridge now
  point at "rebuild the devcontainer" since `just claude` no longer
  fixes them.
- README-CLAUDE.md: rewrite the credential-injection section to lead
  with the settings as the primary defence; postStart.sh and the
  sandbox-check.sh hook are belt-and-braces verifications, not the
  only enforcement.

Requires devcontainer rebuild for the settings to take effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: gilesknap

template/.devcontainer/devcontainer.json.jinja

@@ -12,15 +12,11 @@
     "remoteEnv": {
         // Allow X11 apps to run inside the container
         "DISPLAY": "${localEnv:DISPLAY}",{% if add_claude %}
-        // Disable SSH agent forwarding — prevents Claude from using host SSH keys
-        "SSH_AUTH_SOCK": "",
-        // Disable VS Code git credential injection — prevents askpass from
-        // relaying host GitHub credentials into the container over the IPC socket
-        "GIT_ASKPASS": "",
-        "VSCODE_GIT_IPC_HANDLE": "",
-        "VSCODE_GIT_ASKPASS_MAIN": "",
-        "VSCODE_GIT_ASKPASS_NODE": "",
-        "VSCODE_GIT_ASKPASS_EXTRA_ARGS": "",{% endif %}
+        // Disable SSH agent forwarding — prevents Claude from using host SSH keys.
+        // No VS Code setting disables this, so the remoteEnv blank is the actual
+        // defence (the GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE bridge is closed at
+        // the customizations.vscode.settings level instead — see below).
+        "SSH_AUTH_SOCK": "",{% endif %}
         // Mark this shell as running inside the devcontainer
         "IN_DEVCONTAINER": "1",
         // Put things that allow it in the persistent cache
@@ -44,7 +40,18 @@
                 "python.terminal.activateEnvironment": false,
                 // Workaround to prevent garbled python REPL in the terminal
                 // https://github.com/microsoft/vscode-python/issues/25505
-                "python.terminal.shellIntegration.enabled": false
+                "python.terminal.shellIntegration.enabled": false{% if add_claude %},
+                // Close every VS Code channel that would otherwise forward host git
+                // credentials into the container. Together these stop the integrated
+                // terminal from inheriting GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE, stop
+                // the Dev Containers extension from writing a credential.helper line
+                // into /etc/gitconfig, and stop the host ~/.gitconfig (with its SSH
+                // url.insteadOf rewrites and per-host helpers) being copied in.
+                // postStart.sh and the sandbox-check.sh hook are belt-and-braces
+                // verifications that these settings actually took effect.
+                "git.terminalAuthentication": false,
+                "dev.containers.gitCredentialHelperConfigLocation": "none",
+                "dev.containers.copyGitConfig": false{% endif %}
             },
             // Add the IDs of extensions you want installed when the container is created.
             "extensions": [

template/{% if add_claude %}.claude{% endif %}/hooks/sandbox-check.sh

@@ -9,15 +9,18 @@ fail() { echo "BLOCKED: $1" >&2; exit 2; }
 [ -n "${IN_DEVCONTAINER:-}" ] || \
     fail "not in the devcontainer (IN_DEVCONTAINER unset). Reopen the project in the devcontainer."
 
-# Host SSH agent must not be reachable.
+# Host SSH agent must not be reachable. remoteEnv blanks SSH_AUTH_SOCK and
+# `just claude` re-blanks it; if it is set, neither layer applied.
 [ -z "${SSH_AUTH_SOCK:-}" ] || \
-    fail "SSH_AUTH_SOCK is set ($SSH_AUTH_SOCK) — host SSH agent is reachable. run \"just claude\""
+    fail "SSH_AUTH_SOCK is set ($SSH_AUTH_SOCK) — host SSH agent is reachable. run \"just claude\" or rebuild the devcontainer."
 
-# VS Code git credential bridge must be silenced.
+# VS Code git credential bridge must be silenced. With
+# git.terminalAuthentication=false in devcontainer.json these env vars
+# should never be set — if they are, the setting was not applied.
 [ -z "${VSCODE_GIT_IPC_HANDLE:-}" ] || \
-    fail "VSCODE_GIT_IPC_HANDLE is set — VS Code credential bridge is reachable. run \"just claude\""
+    fail "VSCODE_GIT_IPC_HANDLE is set — VS Code credential bridge is reachable. Rebuild the devcontainer (git.terminalAuthentication should be false)."
 [ -z "${GIT_ASKPASS:-}" ] || \
-    fail "GIT_ASKPASS is set — VS Code askpass is injected. run \"just claude\""
+    fail "GIT_ASKPASS is set — VS Code askpass is injected. Rebuild the devcontainer (git.terminalAuthentication should be false)."
 
 # The /tmp credential helper script VS Code drops in must have been removed.
 if compgen -G '/tmp/vscode-remote-containers-*.js' >/dev/null; then

template/{% if add_claude %}README-CLAUDE.md{% endif %}.jinja

@@ -14,25 +14,25 @@ and how to verify the sandbox is intact.
 - **No host SSH keys.** `SSH_AUTH_SOCK` is unset in `remoteEnv`, so any
   SSH-agent forwarded by the host is invisible inside the container. No
   private keys are mounted into `/root/.ssh` either — only `known_hosts`.
-- **No VS Code git credential injection.** `GIT_ASKPASS`,
-  `VSCODE_GIT_IPC_HANDLE`, `VSCODE_GIT_ASKPASS_*` are blanked in
-  `devcontainer.json`'s `remoteEnv`, but that only sets the *initial*
-  environment of the remote server — VS Code's built-in Git extension
-  re-injects `GIT_ASKPASS` and `VSCODE_GIT_IPC_HANDLE` per child-process
-  spawn so any extension can prompt for credentials through the UI. The
-  `just claude` recipe therefore re-blanks both vars on the `claude`
-  command line itself, which is the only point at which they can be
-  reliably stripped before `claude` inherits them.
-  `VSCODE_GIT_ASKPASS_NODE`/`_MAIN` may remain populated; they are just
-  paths to the askpass script and are inert without `IPC_HANDLE` (the
-  socket the script phones home through), so they don't need blanking.
-  Separately, `postStart.sh` aggressively unsets `credential.helper` and
-  per-host helpers in BOTH `--system` (`/etc/gitconfig`) and `--global`
-  scopes — VS Code writes the helper into the *system* gitconfig, so a
-  global-only cleanup leaves the leak open. The script also removes the
-  `/tmp/vscode-remote-containers-*.js` bridge that VS Code drops in.
-  The cleanup re-runs on `postAttachCommand` because VS Code re-injects
-  the helper after `postStartCommand`.
+- **No VS Code git credential injection.** Three Dev Containers settings
+  pinned in `devcontainer.json` close every channel at the boundary:
+    - `git.terminalAuthentication: false` — VS Code's Git extension never
+      sets `GIT_ASKPASS` / `VSCODE_GIT_IPC_HANDLE` in the integrated
+      terminal, so there is no IPC socket path for a child process to
+      find. Source-confirmed in `vscode/extensions/git/src/askpass.ts`.
+    - `dev.containers.gitCredentialHelperConfigLocation: "none"` — the
+      Dev Containers extension does not write a `credential.helper` line
+      into `/etc/gitconfig`, so nothing in-container references the
+      `/tmp/vscode-remote-containers-*.js` bridge.
+    - `dev.containers.copyGitConfig: false` — the host's `~/.gitconfig`
+      is not copied into the container, so any `url.ssh://...insteadOf`
+      rewrites or per-host helpers stay on the host.
+
+  These settings are the primary defence. Two layers of belt-and-braces
+  sit on top: `postStart.sh` re-asserts `credential.helper` cleanup at
+  attach (and removes the `/tmp/vscode-remote-containers-*.js` shim if
+  VS Code still drops it), and `.claude/hooks/sandbox-check.sh` verifies
+  the state on every prompt submit.
 - **Per-host helpers point at the in-container CLI.** The host gitconfig
   often references `/usr/local/bin/gh`; here `gh` is at `/usr/bin/gh`. We
   rewrite the helper to `command -v gh` / `command -v glab` so it doesn't

template/{% if add_claude %}justfile{% endif %}.jinja

@@ -1,6 +1,10 @@
-# Start Claude Code in sandbox mode (no SSH agent, skip permission prompts)
+# Start Claude Code in sandbox mode (no SSH agent, skip permission prompts).
+# VSCODE_GIT_IPC_HANDLE / GIT_ASKPASS are no longer cleared here — the
+# devcontainer pins git.terminalAuthentication=false so VS Code never sets
+# them. SSH_AUTH_SOCK still gets blanked because there is no VS Code setting
+# to disable host SSH agent forwarding.
 claude:
-    SSH_AUTH_SOCK= IS_SANDBOX=1 VSCODE_GIT_IPC_HANDLE= GIT_ASKPASS= claude --dangerously-skip-permissions
+    SSH_AUTH_SOCK= IS_SANDBOX=1 claude --dangerously-skip-permissions
 
 
 # Authenticate gh CLI with a GitHub PAT (token not stored in shell history)