switch sandboxing to use unshare and unique gitconfig for claude

Author: gilesknap

template/.devcontainer/devcontainer.json.jinja

@@ -11,13 +11,8 @@
     "remoteUser": "root",{% endif %}
     "remoteEnv": {
         // Allow X11 apps to run inside the container
-        "DISPLAY": "${localEnv:DISPLAY}",{% if add_claude %}
-        // Disable SSH agent forwarding — prevents Claude from using host SSH keys.
-        // No VS Code setting disables this, so the remoteEnv blank is the actual
-        // defence (the GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE bridge is closed at
-        // the customizations.vscode.settings level instead — see below).
-        "SSH_AUTH_SOCK": "",{% endif %}
-        // Mark this shell as running inside the devcontainer
+        "DISPLAY": "${localEnv:DISPLAY}",
+        // Mark this shell as running inside the devcontainer.
         "IN_DEVCONTAINER": "1",
         // Put things that allow it in the persistent cache
         "PRE_COMMIT_HOME": "/cache/pre-commit",
@@ -40,18 +35,7 @@
                 "python.terminal.activateEnvironment": false,
                 // Workaround to prevent garbled python REPL in the terminal
                 // https://github.com/microsoft/vscode-python/issues/25505
-                "python.terminal.shellIntegration.enabled": false{% if add_claude %},
-                // Close every VS Code channel that would otherwise forward host git
-                // credentials into the container. Together these stop the integrated
-                // terminal from inheriting GIT_ASKPASS / VSCODE_GIT_IPC_HANDLE, stop
-                // the Dev Containers extension from writing a credential.helper line
-                // into /etc/gitconfig, and stop the host ~/.gitconfig (with its SSH
-                // url.insteadOf rewrites and per-host helpers) being copied in.
-                // postStart.sh and the sandbox-check.sh hook are belt-and-braces
-                // verifications that these settings actually took effect.
-                "git.terminalAuthentication": false,
-                "dev.containers.gitCredentialHelperConfigLocation": "none",
-                "dev.containers.copyGitConfig": false{% endif %}
+                "python.terminal.shellIntegration.enabled": false
             },
             // Add the IDs of extensions you want installed when the container is created.
             "extensions": [
@@ -72,7 +56,10 @@
         // Allow the container to access the host X11 display and EPICS CA
         "--net=host",
         // Make sure SELinux does not disable with access to host filesystems like tmp
-        "--security-opt=label=disable"
+        "--security-opt=label=disable"{% if add_claude %},
+        // Required for `unshare -m` in the `just claude` recipe; without it,
+        // rootless podman blocks mount-namespace creation. See README-CLAUDE.md.
+        "--cap-add=SYS_ADMIN"{% endif %}
     ],
     "mounts": [
         // Mount in the user terminal config folder so it can be edited
@@ -108,10 +95,5 @@
     ],
     // Mount the parent as /workspaces so we can pip install peers as editable
     "workspaceMount": "source=${localWorkspaceFolder}/..,target=/workspaces,type=bind",
-    "postCreateCommand": ".devcontainer/postCreate.sh"{% if add_claude %},
-    "postStartCommand": ".devcontainer/postStart.sh",
-    // VS Code's Dev Containers extension re-injects its credential bridge
-    // when the editor attaches — after postStart has already run. Re-run
-    // the cleanup at attach so the leak is closed before any git operation.
-    "postAttachCommand": ".devcontainer/postStart.sh"{% endif %}
+    "postCreateCommand": ".devcontainer/postCreate.sh"
 }

template/.devcontainer/postCreate.sh.jinja

@@ -28,8 +28,14 @@ EOF
     exit 1
 fi
 
-# Install Python dependencies and pre-commit hooks
+# Install Python dependencies and pre-commit hooks. `uv venv --clear` wipes
+# the venv that lives in /cache (a persistent named volume), so any bash
+# hash entries pointing into the old venv (e.g. cached `pre-commit` path)
+# are stale. `hash -r` after `uv sync` forces re-resolution against the
+# freshly populated venv and against any new `uv` location after a base
+# image bump.
 uv venv --clear
+hash -r
 uv sync
 pre-commit install --install-hooks
 

template/.devcontainer/{% if add_claude %}claude-sandbox.sh{% endif %}

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Inner script for `just claude`: runs inside a private mount namespace
+# (created by `unshare -m` from the justfile recipe). Mounts tmpfs over
+# the locations VS Code uses for host bridges, builds a Claude-only
+# /root/.gitconfig, then exec's claude with PR_SET_PDEATHSIG so it dies
+# if its parent shell does. Requires CAP_SYS_ADMIN — granted via
+# --cap-add=SYS_ADMIN in devcontainer.json's runArgs. See
+# README-CLAUDE.md for the full sandbox model.
+set -euo pipefail
+
+# VS Code drops IPC sockets (vscode-ipc-*.sock, vscode-git-*.sock,
+# vscode-ssh-auth-*.sock, vscode-remote-containers-ipc-*.sock) and the
+# vscode-remote-containers-*.js credential shim in /tmp, plus more in
+# /run/user/<uid>/. Replacing those directories with tmpfs in Claude's
+# namespace makes them invisible. Outside the namespace (the user's
+# regular terminal) VS Code keeps using them normally.
+mount -t tmpfs tmpfs /tmp
+if [ -d /run/user ]; then
+    mount -t tmpfs tmpfs /run/user
+fi
+
+# Mask credential directories the user may bind-mount from the host for
+# their own use from non-Claude terminals (e.g. ~/.ssh for SSH-based
+# git push). Claude sees an empty tmpfs; the user's regular shell sees
+# the originals.
+for d in /root/.ssh /root/.gnupg /root/.aws /root/.azure /root/.gcloud /root/.docker; do
+    if [ -d "$d" ]; then
+        mount -t tmpfs tmpfs "$d"
+    fi
+done
+# .netrc is a single file, not a dir — mask via bind to /dev/null.
+if [ -e /root/.netrc ]; then
+    mount --bind /dev/null /root/.netrc
+fi
+
+# Build a Claude-only /root/.gitconfig containing the in-container
+# credential helpers (gh / glab) and HTTPS rewrites — and nothing else
+# the user has on the host (no SSH url rewrites, no host-specific
+# helpers). User identity is read from the original gitconfig BEFORE
+# we bind over it, so commits Claude makes are still attributed.
+git_name=$(git config --get user.name 2>/dev/null || true)
+git_email=$(git config --get user.email 2>/dev/null || true)
+gh_path=$(command -v gh || echo /usr/bin/gh)
+glab_path=$(command -v glab || echo /usr/local/bin/glab)
+cat > /etc/claude-gitconfig <<EOF
+[user]
+    name = $git_name
+    email = $git_email
+[safe]
+    directory = *
+[url "https://github.com/"]
+    insteadOf = git@github.com:
+[url "https://gitlab.diamond.ac.uk/"]
+    insteadOf = git@gitlab.diamond.ac.uk:
+[credential "https://github.com"]
+    helper =
+    helper = !$gh_path auth git-credential
+[credential "https://gitlab.diamond.ac.uk"]
+    helper =
+    helper = !$glab_path auth git-credential
+EOF
+mount --bind /etc/claude-gitconfig /root/.gitconfig
+
+# IS_SANDBOX=1 is the canary `.claude/hooks/sandbox-check.sh` keys off.
+# Env-blanks: SSH_AUTH_SOCK / VSCODE_GIT_IPC_HANDLE / VSCODE_IPC_HOOK_CLI
+# all point into /tmp (already tmpfs in this namespace), but blanking
+# the vars stops Claude from even *trying* the path. GIT_ASKPASS and
+# VSCODE_GIT_ASKPASS_* point under /.vscode-server which the namespace
+# does NOT mask — blanking them is the actual defence against Claude
+# triggering the VS Code "log in to GitHub" popup. BROWSER points at a
+# host helper that opens URLs in the user's browser — blanked so
+# Claude cannot drive the user's browser.
+exec setpriv --pdeathsig SIGKILL env \
+    SSH_AUTH_SOCK= \
+    GIT_ASKPASS= \
+    VSCODE_GIT_IPC_HANDLE= \
+    VSCODE_GIT_ASKPASS_NODE= \
+    VSCODE_GIT_ASKPASS_MAIN= \
+    VSCODE_IPC_HOOK_CLI= \
+    BROWSER= \
+    IS_SANDBOX=1 \
+    claude --dangerously-skip-permissions

template/.devcontainer/{% if add_claude %}postStart.sh{% endif %}.jinja

@@ -9,28 +9,21 @@ fail() { echo "BLOCKED: $1" >&2; exit 2; }
 [ -n "${IN_DEVCONTAINER:-}" ] || \
     fail "not in the devcontainer (IN_DEVCONTAINER unset). Reopen the project in the devcontainer."
 
+# IS_SANDBOX=1 is set by the inner `just claude` script after it sets up
+# the private mount namespace. If it's missing, Claude was launched
+# without the namespace and /tmp/vscode-*.sock host bridges are reachable.
+[ -n "${IS_SANDBOX:-}" ] || \
+    fail "IS_SANDBOX unset — Claude was not launched via \"just claude\", so the mount-namespace sandbox is not active."
+
 # Host SSH agent must not be reachable. remoteEnv blanks SSH_AUTH_SOCK and
 # `just claude` re-blanks it; if it is set, neither layer applied.
 [ -z "${SSH_AUTH_SOCK:-}" ] || \
     fail "SSH_AUTH_SOCK is set ($SSH_AUTH_SOCK) — host SSH agent is reachable. run \"just claude\" or rebuild the devcontainer."
 
-# VS Code git credential bridge must be silenced. With
-# git.terminalAuthentication=false in devcontainer.json these env vars
-# should never be set — if they are, the setting was not applied.
-[ -z "${VSCODE_GIT_IPC_HANDLE:-}" ] || \
-    fail "VSCODE_GIT_IPC_HANDLE is set — VS Code credential bridge is reachable. Rebuild the devcontainer (git.terminalAuthentication should be false)."
-[ -z "${GIT_ASKPASS:-}" ] || \
-    fail "GIT_ASKPASS is set — VS Code askpass is injected. Rebuild the devcontainer (git.terminalAuthentication should be false)."
-
-# The /tmp credential helper script VS Code drops in must have been removed.
-if compgen -G '/tmp/vscode-remote-containers-*.js' >/dev/null; then
-    fail "/tmp/vscode-remote-containers-*.js bridge present — re-run .devcontainer/postStart.sh."
-fi
-
-# system-scope credential.helper is where VS Code injects; if anything
-# is set there git will use it before our per-host helpers.
-if git config --system --get credential.helper >/dev/null 2>&1; then
-    fail "system credential.helper is still set — re-run .devcontainer/postStart.sh."
-fi
+# GIT_ASKPASS points at a script under /.vscode-server, which the
+# namespace does NOT mask. If the env var is non-empty AND the file is
+# reachable, claude-sandbox.sh's exec-line blank failed to apply.
+[ ! -e "${GIT_ASKPASS:-}" ] || \
+    fail "GIT_ASKPASS script ($GIT_ASKPASS) is reachable — claude-sandbox.sh did not blank the env var. Rebuild the devcontainer or re-run \"just claude\"."
 
 exit 0

template/{% if add_claude %}.claude{% endif %}/hooks/sandbox-check.sh

@@ -58,3 +58,27 @@ The user runs this themselves (it touches many files); only run it
 yourself if explicitly asked. Always pass `--trust`. After update,
 resolve any conflicts (look for `<<<<<<<` markers and `.rej` files)
 before committing.
+
+## Verifying template changes without committing
+
+When editing files in `/workspaces/python-copier-template/template/`,
+render a throwaway project to confirm the change works for both
+branches of every conditional (`add_claude=true` and `false`):
+
+```bash
+cd /tmp && rm -rf render-true render-false
+git init render-true -b main >/dev/null
+uvx copier copy /workspaces/python-copier-template /tmp/render-true \
+    --data-file /workspaces/python-copier-template/example-answers.yml \
+    --vcs-ref HEAD --defaults --trust
+git init render-false -b main >/dev/null
+uvx copier copy /workspaces/python-copier-template /tmp/render-false \
+    --data-file /workspaces/python-copier-template/example-answers.yml \
+    --data add_claude=false --vcs-ref HEAD --defaults --trust
+```
+
+`--vcs-ref HEAD` makes copier render from the working tree (so
+uncommitted edits are picked up). For each render, sanity-check the
+key files: `.devcontainer/devcontainer.json` should parse as JSON
+(strip `//` comments first), conditional files should appear or
+not as expected, and shell scripts should preserve their `755` mode.