From de4549c3f299f9c4bd78d3fb7cc788288c0425d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christopher=20M=C3=BChl?=
Date: Fri, 10 Apr 2026 09:32:14 +0000
Subject: [PATCH] fix(04): revert credentials to read-write mount per plan D-02; add AUTH-01/AUTH-02 to requirements

---
 .planning/REQUIREMENTS.md | 11 +++++++++--
 claudebox.sh | 6 +++---
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/.planning/REQUIREMENTS.md b/.planning/REQUIREMENTS.md
index 0a94a36..f7b1771 100644
--- a/.planning/REQUIREMENTS.md
+++ b/.planning/REQUIREMENTS.md
@@ -56,6 +56,11 @@
 
 ## v2 Requirements
 
+### Authentication Passthrough
+
+- **AUTH-01**: `~/.claudebox/.credentials.json` (OAuth tokens) is bind-mounted read-write into the sandbox when the file exists on the host, so users do not need to re-authenticate on every launch
+- **AUTH-02**: When `~/.claudebox/.credentials.json` does not exist, claudebox starts without any error or warning (silent skip)
+
 ### Network Isolation
 
 - **NET-01**: Block LAN/Tailscale access (RFC1918 + 100.64.0.0/10) while allowing internet egress
@@ -120,10 +125,12 @@
 | NIX-01 | Phase 1 | Complete |
 | NIX-02 | Phase 1 | Complete |
 | NIX-03 | Phase 1 | Complete |
+| AUTH-01 | Phase 4 | Complete |
+| AUTH-02 | Phase 4 | Complete |
 
 **Coverage:**
-- v1 requirements: 31 total
-- Mapped to phases: 31
+- v1 requirements: 31 total, v2 requirements (partial): 2
+- Mapped to phases: 33
 - Unmapped: 0
 
 ---
diff --git a/claudebox.sh b/claudebox.sh
index 5897f90..b67c82c 100644
--- a/claudebox.sh
+++ b/claudebox.sh
@@ -266,7 +266,7 @@ print_audit() {
   printf ' %-12s %s (read-write)\n' "CWD" "$CWD" >&2
   printf ' %-12s %s (read-write)\n' "~/.claude" "$HOME/.claudebox" >&2
   if [[ "$CREDS_MOUNT" == true ]]; then
-    printf ' %-12s %s (read-only)\n' "credentials" "$CREDS_FILE" >&2
+    printf ' %-12s %s (read-write)\n' "credentials" "$CREDS_FILE" >&2
   fi
   echo "" >&2
 
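Review bot: The relabelled audit line in print_audit is now accurate, but nothing in the hunk records why the OAuth credential file has to be writable from inside the sandbox, and this audit line is the only place a user is told that the sandbox can now rewrite host tokens. I would add a why-comment above the `if`, e.g. `# credentials are bind-mounted rw (plan D-02) so token refreshes done inside the sandbox persist on the host; the sandbox can therefore overwrite this file`, and consider making the label itself say so, e.g. `(read-write, sandbox may refresh tokens)`. The write-back motivation is inferred from the commit subject, not from anything in the hunk. print_audit starts at the hunk header and continues past the hunk's last line.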
@@ -335,7 +335,7 @@ if [[ "$DRY_RUN" == true ]]; then
   echo " --bind $HOME/.claudebox $HOME/.claudebox \\"
   echo " --symlink $HOME/.claudebox $HOME/.claude \\"
   if [[ "$CREDS_MOUNT" == true ]]; then
-    echo " --ro-bind $CREDS_FILE $HOME/.claudebox/.credentials.json \\"
+    echo " --bind $CREDS_FILE $HOME/.claudebox/.credentials.json \\"
   fi
   printf ' --ro-bind %q %s/.gitconfig \\\n' "$GITCONFIG_TMP" "$HOME"
   echo " --bind $CWD $CWD \\"
@@ -368,7 +368,7 @@ BWRAP_ARGS=(
   --symlink "$HOME/.claudebox" "$HOME/.claude"
 )
 if [[ "$CREDS_MOUNT" == true ]]; then
-  BWRAP_ARGS+=(--ro-bind "$CREDS_FILE" "$HOME/.claudebox/.credentials.json")
+  BWRAP_ARGS+=(--bind "$CREDS_FILE" "$HOME/.claudebox/.credentials.json")
 fi
 BWRAP_ARGS+=(
   --ro-bind "$GITCONFIG_TMP" "$HOME/.gitconfig"
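Review bot: The dry-run line for the credentials mount interpolates `$CREDS_FILE` and `$HOME` through plain `echo`, while the `.gitconfig` line two lines below already quotes its path with `printf '%q'`, so a path containing spaces or shell metacharacters prints as an un-runnable command in one case and a correctly quoted one in the other. Switching this line to `printf ' --bind %q %q/.claudebox/.credentials.json \\\n' "$CREDS_FILE" "$HOME"` keeps the dry-run output consistent and safe to copy-paste. The enclosing `if [[ "$DRY_RUN" == true ]]` block starts before and ends after the hunk.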
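Review bot: With `--bind` replacing `--ro-bind`, any process inside the sandbox can now truncate, corrupt or overwrite the contents of the host's OAuth credential file, which is a write channel out of a sandbox whose stated purpose is to contain the tool it runs; the hunk accepts that trade-off without saying so, so I would add `# rw by design (plan D-02): the client refreshes tokens in place and the host must keep the new ones` above the `BWRAP_ARGS+=` line. Two things worth confirming that the hunk does not show: that `$CREDS_FILE` is checked to be a regular, user-owned file before it is bound (a symlink at that path is followed on the host side, so the rw bind would land on whatever it points to), and that the in-sandbox client rewrites the file in place rather than via temp-file + rename(2), since renaming over a single-file bind mount fails with EBUSY and a refreshed token would then silently fail to persist. Both depend on code outside this hunk, including wherever `CREDS_MOUNT` and `CREDS_FILE` are set.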