fix(docker): bootstrap Claude auth for containerized phantom #47
Open
electronicBlacksmith wants to merge 1 commit into ghostwright:main from
The entrypoint never installed authentication credentials, so every container recreate booted without them and phantom responded with "please /login" to any Slack message.

Two paths:

1. Preferred: CLAUDE_CODE_OAUTH_TOKEN in .env, generated once via `claude setup-token` inside the container. This is a long-lived (1 year) token with its own session, so it never rotates and will never conflict with a Claude Code session running on the host. Skips the credentials mount entirely.

2. Fallback: docker-compose.override.yml can bind-mount the host's ~/.claude/.credentials.json to /tmp/.credentials-mount.json. On boot we install it into /home/phantom/.claude/ with 600 perms and start a background loop that re-copies when the host file changes, so host-side token refreshes propagate without a restart. WARNING in the entrypoint comment: this path shares a rotating OAuth session between the host and the container, which the auth backend rejects as concurrent use and which will eventually cause the CLI to delete its own credentials to force re-login. Only safe when nothing else on the host is running Claude Code.

Auth priority is token env var > credentials mount > neither (the latter prints a message that ANTHROPIC_API_KEY is expected).
Summary
The Docker entrypoint never installed authentication credentials, so every container recreate booted without them and phantom responded with "please /login" to any Slack message.
Two auth paths added:
Preferred: `CLAUDE_CODE_OAUTH_TOKEN` in `.env`, generated once via `claude setup-token` inside the container. Long-lived (1 year) token with its own session - never rotates, never conflicts with host CLI sessions.
Fallback: `docker-compose.override.yml` can bind-mount the host's `~/.claude/.credentials.json`. On boot, installs it with 600 perms and starts a background loop that re-copies when the host file changes.
Auth priority: token env var > credentials mount > neither (prints message that ANTHROPIC_API_KEY is expected).
Files changed
`scripts/docker-entrypoint.sh` - Auth bootstrap logic
Test plan
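One way to implement the auth priority and the 600-permission install described in the summary above, as an added example that is not the PR's `scripts/docker-entrypoint.sh`. The paths and the priority order come from the commit message; the function names, the `cmp`-based change check and `SYNC_INTERVAL` are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's script. Defaults are the paths named in the commit message.
CRED_MOUNT="${CRED_MOUNT:-/tmp/.credentials-mount.json}"
CRED_DIR="${CRED_DIR:-/home/phantom/.claude}"

# Priority: token env var > credentials mount > neither.
select_auth_mode() {
    if [ -n "${CLAUDE_CODE_OAUTH_TOKEN:-}" ]; then echo token
    elif [ -s "$CRED_MOUNT" ] && [ -r "$CRED_MOUNT" ]; then echo mount
    else echo none
    fi
}

# Install the mounted file as mode 600. It is copied to a temp file under
# umask 077 and renamed into place, so no reader sees a partial or
# group/world-readable credentials file.
install_credentials() {
    (
        umask 077
        mkdir -p "$CRED_DIR" || exit 1
        tmp=$(mktemp "$CRED_DIR/.credentials.XXXXXX") || exit 1
        cp "$CRED_MOUNT" "$tmp" && chmod 600 "$tmp" &&
            mv -f "$tmp" "$CRED_DIR/.credentials.json" || { rm -f "$tmp"; exit 1; }
    )
}

# One pass of the refresh loop (assumed to compare content with cmp).
# Returns 0 if it re-copied, 1 if the installed copy is already current.
sync_if_changed() {
    cmp -s "$CRED_MOUNT" "$CRED_DIR/.credentials.json" && return 1
    install_credentials
}

# Called by the entrypoint before it execs the main process.
bootstrap_auth() {
    mode=$(select_auth_mode)
    case "$mode" in
        token) ;;  # token comes from the environment; the mount is skipped
        mount) install_credentials || return 1
               # SYNC_INTERVAL is a hypothetical knob; the PR states no interval
               ( while sleep "${SYNC_INTERVAL:-30}"; do sync_if_changed; done ) >/dev/null 2>&1 & ;;
        none)  echo "no Claude credentials; ANTHROPIC_API_KEY is expected" >&2 ;;
    esac
    echo "$mode"  # report the path taken, never the token value
}
```
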