toph/claudebox
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Gsd/Phase 04 Auth Passthrough #1

Merged
toph merged 18 commits from gsd/phase-04-auth-passthrough into main 2026-04-10 12:27:33 +00:00
Conversation 0 Commits 18 Files changed 7 +12 -5
2 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit de4549c3f2 - Show all commits

11
.planning/REQUIREMENTS.md
View file

@ -56,6 +56,11 @@
## v2 Requirements
### Authentication Passthrough
- **AUTH-01**: `~/.claudebox/.credentials.json` (OAuth tokens) is bind-mounted read-write into the sandbox when the file exists on the host, so users do not need to re-authenticate on every launch
- **AUTH-02**: When `~/.claudebox/.credentials.json` does not exist, claudebox starts without any error or warning (silent skip)
### Network Isolation
- **NET-01**: Block LAN/Tailscale access (RFC1918 + 100.64.0.0/10) while allowing internet egress
@ -120,10 +125,12 @@
| NIX-01 | Phase 1 | Complete |
| NIX-02 | Phase 1 | Complete |
| NIX-03 | Phase 1 | Complete |
| AUTH-01 | Phase 4 | Complete |
| AUTH-02 | Phase 4 | Complete |
**Coverage:**
- v1 requirements: 31 total
- Mapped to phases: 31
- v1 requirements: 31 total, v2 requirements (partial): 2
- Mapped to phases: 33
- Unmapped: 0
---

6
claudebox.sh
View file

@ -266,7 +266,7 @@ print_audit() {
printf ' %-12s %s (read-write)\n' "CWD" "$CWD" >&2
printf ' %-12s %s (read-write)\n' "~/.claude" "$HOME/.claudebox" >&2
if [[ "$CREDS_MOUNT" == true ]]; then
printf ' %-12s %s (read-only)\n' "credentials" "$CREDS_FILE" >&2
printf ' %-12s %s (read-write)\n' "credentials" "$CREDS_FILE" >&2
fi
echo "" >&2
@ -335,7 +335,7 @@ if [[ "$DRY_RUN" == true ]]; then
echo " --bind $HOME/.claudebox $HOME/.claudebox \\"
echo " --symlink $HOME/.claudebox $HOME/.claude \\"
if [[ "$CREDS_MOUNT" == true ]]; then
echo " --ro-bind $CREDS_FILE $HOME/.claudebox/.credentials.json \\"
echo " --bind $CREDS_FILE $HOME/.claudebox/.credentials.json \\"
fi
printf ' --ro-bind %q %s/.gitconfig \\\n' "$GITCONFIG_TMP" "$HOME"
echo " --bind $CWD $CWD \\"
@ -368,7 +368,7 @@ BWRAP_ARGS=(
--symlink "$HOME/.claudebox" "$HOME/.claude"
)
if [[ "$CREDS_MOUNT" == true ]]; then
BWRAP_ARGS+=(--ro-bind "$CREDS_FILE" "$HOME/.claudebox/.credentials.json")
BWRAP_ARGS+=(--bind "$CREDS_FILE" "$HOME/.claudebox/.credentials.json")
fi
BWRAP_ARGS+=(
--ro-bind "$GITCONFIG_TMP" "$HOME/.gitconfig"