From adb9dd117dcee92bbfbe0dafc0f1fab042955d38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20M=C3=BChl?=
Date: Fri, 10 Apr 2026 09:27:18 +0000
Subject: [PATCH] fix(04): CR-01 CR-02 WR-01 fix credential path and use read-only bind mount
---
 claudebox.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/claudebox.sh b/claudebox.sh
index 1a1a02c..24083d1 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -102,7 +102,9 @@ CWD=$(pwd)
 mkdir -p "$HOME/.claudebox"
 # Credential file mount (AUTH-01, AUTH-02)
-CREDS_FILE="$HOME/.claude/.credentials.json"
+# Use ~/.claudebox (the host-side claudebox config dir), not ~/.claude
+# ~/.claude -> ~/.claudebox symlink only exists inside the sandbox at runtime
+CREDS_FILE="$HOME/.claudebox/.credentials.json"
 if [[ -f "$CREDS_FILE" ]]; then
 CREDS_MOUNT=true
 else
@@ -264,7 +266,7 @@ print_audit() {
 printf ' %-12s %s (read-write)\n' "CWD" "$CWD" >&2
 printf ' %-12s %s (read-write)\n' "~/.claude" "$HOME/.claudebox" >&2
 if [[ "$CREDS_MOUNT" == true ]]; then
- printf ' %-12s %s (read-write)\n' "credentials" "$HOME/.claude/.credentials.json" >&2
+ printf ' %-12s %s (read-only)\n' "credentials" "$CREDS_FILE" >&2
 fi
 echo "" >&2
@@ -328,7 +330,7 @@ if [[ "$DRY_RUN" == true ]]; then
 echo " --bind $HOME/.claudebox $HOME/.claudebox \\"
 echo " --symlink $HOME/.claudebox $HOME/.claude \\"
 if [[ "$CREDS_MOUNT" == true ]]; then
- echo " --bind $CREDS_FILE $HOME/.claude/.credentials.json \\"
+ echo " --ro-bind $CREDS_FILE $HOME/.claudebox/.credentials.json \\"
 fi
 printf ' --ro-bind %q %s/.gitconfig \\\n' "$GITCONFIG_TMP" "$HOME"
 echo " --bind $CWD $CWD \\"
@@ -361,7 +363,7 @@ BWRAP_ARGS=(
 --symlink "$HOME/.claudebox" "$HOME/.claude"
 )
 if [[ "$CREDS_MOUNT" == true ]]; then
- BWRAP_ARGS+=(--bind "$CREDS_FILE" "$HOME/.claude/.credentials.json")
+ BWRAP_ARGS+=(--ro-bind "$CREDS_FILE" "$HOME/.claudebox/.credentials.json")
 fi
 BWRAP_ARGS+=(
 --ro-bind "$GITCONFIG_TMP" "$HOME/.gitconfig"
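Review bot: The `[[ -f "$CREDS_FILE" ]]` test in the context lines after the new assignment follows symlinks, and the path it now checks lives in `$HOME/.claudebox`, which the dry-run hunk shows is bound read-write into the sandbox. A previous session could therefore leave a link at that name, and the host-side `--ro-bind` source would then resolve to whatever regular file the link points at; I believe bwrap resolves the source path on the host, so this is worth confirming. Rejecting links keeps the mount source pinned to a real file in that directory: `if [[ -f "$CREDS_FILE" && ! -L "$CREDS_FILE" ]]; then`. The `else` branch of this `if` continues outside the hunk.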
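Review bot: The changed dry-run line prints `$CREDS_FILE` and its destination unquoted through `echo`, while the `.gitconfig` line two lines below already uses `printf` with `%q`; with a home directory containing spaces the printed command no longer matches what `BWRAP_ARGS` runs. The destination also re-spells the path that `CREDS_FILE` already holds, here and in the `BWRAP_ARGS+=` line of the last hunk, so the two copies can drift apart. Suggested: `printf ' --ro-bind %q %q \\\n' "$CREDS_FILE" "$CREDS_FILE"`, keeping the existing indentation inside the format string, and `BWRAP_ARGS+=(--ro-bind "$CREDS_FILE" "$CREDS_FILE")` in the last hunk. The `if [[ "$DRY_RUN" == true ]]` block starts and ends outside this hunk.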
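Review bot: Nothing at the `BWRAP_ARGS+=(--ro-bind …)` line records that it depends on being appended after the read-write bind of `$HOME/.claudebox` (presumably earlier in `BWRAP_ARGS=(`, as the dry-run output suggests); if the order were ever swapped, the directory bind would cover the read-only file mount. A comment above the `if` would protect that ordering, for example `# Must follow the rw bind of ~/.claudebox: the file is re-bound read-only on top so the sandbox cannot rewrite the host token.` If the sandboxed client ever needs to write this file, a refreshed token for instance, that write will now fail, which is worth stating in the same comment. The `BWRAP_ARGS+=(` assignment at the end of the hunk continues outside it.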