Add claude sandbox #337
Three new copier questions gate a sandboxed Claude Code setup: add_claude (top-level — env var blockers, ~/.claude bind mount, Claude Code CLI install, postCreate/postStart hooks, node, justfile); install_gh and install_glab (each gated on add_claude — adds the CLI install plus per-repo PAT volume mount and matching just recipe). Breaks the template/.devcontainer symlink so devcontainer.json can be Jinja-conditional. The meta repo's own .devcontainer/devcontainer.json and Dockerfile become the add_claude=no baseline. A new test_meta_matches_no_claude_template drift test renders the template with all Claude opts off and byte-diffs the result against the meta repo to catch divergence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
VS Code's auto-detection races with sphinx-autobuild on container restart and steals the port, breaking the live-reload docs preview. Disable it and forward 8000 explicitly so the docs URL is stable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
d645eb3 into DiamondLightSource:claude-sandbox
| // Explicitly forward sphinx-autobuild port (auto-detection disabled above) | ||
| "forwardPorts": [ | ||
| 8000 | ||
| ], |
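Review bot: hardcoding 8000 in `forwardPorts` only makes sense together with the auto-forward switch the comment refers to, and with that switch off every other port a tool opens in the container has to be listed here by hand; if the aim is just to stop VS Code grabbing sphinx-autobuild's port, a `portsAttributes` entry for 8000 is narrower than disabling auto-forwarding globally, and the thread already agrees this should not be the template default.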
Why do we need this? When you click on the link it autoforwards the port anyway...
This got pulled in from my project that was having issues with sphinx-autobuild - I'm not sure why it was fighting it - but we should not have this by default - agreed.
| // Mount the parent as /workspaces so we can pip install peers as editable | ||
| "workspaceMount": "source=${localWorkspaceFolder}/..,target=/workspaces,type=bind",{% if add_claude %} | ||
| "postCreateCommand": ".devcontainer/postCreate.sh", | ||
| "postStartCommand": ".devcontainer/postStart.sh"{% else %} |
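Review bot: `{% if add_claude %}` is spliced into the middle of the `workspaceMount` line, so the rendered JSON's trailing commas depend on which branch fires; that is fragile, and the drift test described in the PR only renders the add_claude=no branch, so either render both branches in CI or, as suggested in the thread, always emit `postCreateCommand` and template only the Claude-specific lines. Separately, `${localWorkspaceFolder}/..` binds every sibling checkout into the sandbox, which is worth stating in the add_claude help text since it widens what the agent can read and modify.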
Should we always put a postCreate in and jinja template just the claude bits?
I think yes - it's tidier than long bash entries embedded in the devcontainer.json
| pre-commit install --install-hooks | ||
|
|
||
| # Initialise git submodules if any are declared | ||
| [ -f .gitmodules ] && git submodule update --init || true |
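Review bot: the trailing `|| true` on the submodule line masks a failed `git submodule update --init`, so a missing or unreachable submodule leaves the container silently half-built; if the line survives the discussion below, write it as `if [ -f .gitmodules ]; then git submodule update --init; fi` so the file check still guards the call but a fetch failure actually fails postCreate.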
I think this line is useful in the non-claude case too.
Ah - I thought I had dropped that. It is useful for first opening a devcontainer that needs submodules to build, but ... if you rebuild your container while you are in progress with submodule changes they disappear. I think that cost outweighs the benefit.
So I vote to take this back out.
| # GitHub CLI — used by Claude to authenticate to github.com via PAT | ||
| RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | \ | ||
| dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \ | ||
| chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg && \ | ||
| echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \ | ||
| | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \ | ||
| apt-get update && apt-get install -y --no-install-recommends gh && \ | ||
| apt-get dist-clean{% endif %}{% if install_glab %} |
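Review bot: the keyring fetched from cli.github.com is written straight into /usr/share/keyrings with no fingerprint check, so the trust behind the `signed-by=` entry is only as good as that single TLS download; verify the key's fingerprint (e.g. `gpg --show-keys` on the downloaded file against a value recorded in the Dockerfile) before installing it. Since the comment says this is for PAT auth from inside the sandbox, the accompanying help text should also steer users to a fine-grained token scoped to the one repository rather than a classic PAT.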
2.46.0-4 is in apt for 26.04, is that new enough?
I should think yes - so let's do as you suggest below and put these in the base container from 26.04 onwards, and Claude-enabled PCT will use that.
| ARG GLAB_VERSION=1.92.1 | ||
| RUN curl -fsSL "https://gitlab.com/gitlab-org/cli/-/releases/v${GLAB_VERSION}/downloads/glab_${GLAB_VERSION}_linux_amd64.tar.gz" \ | ||
| | tar -xz -C /tmp bin/glab && \ | ||
| install -m 0755 /tmp/bin/glab /usr/local/bin/glab && \ |
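Review bot: unlike the gh block above, this installs an unverified tarball straight from the release URL with no checksum or signature check, and hardcodes `linux_amd64` while the gh line derives the architecture from `$(dpkg --print-architecture)`; if the release publishes a checksums file, fetch it alongside the tarball and run `sha256sum -c` before `install`, and derive the arch from `dpkg --print-architecture` (mapping arm64 to the asset name) so the image builds on non-amd64 hosts.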
1.53.0-1build1 is in apt for 26.04, is that new enough?
|
|
||
| # Node is required by Claude Code's hook runtime | ||
| RUN apt-get update -y && apt-get install -y --no-install-recommends \ | ||
| nodejs \ |
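Review bot: the comment says Node is required by Claude Code's hook runtime but not which version, and the Ubuntu archive's `nodejs` is whatever that release ships; state the minimum version in the comment and check it at build time (e.g. `node --version`) so an older base image fails at build rather than at the first hook. The `apt-get update`/install/clean sequence is also duplicated from the gh block, so if these tools move into the base image as suggested, install them in one layer.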
Should this plus gh plus glab be in the ubuntu devcontainer base?
| install_gh: | ||
| type: bool | ||
| when: "{{ add_claude }}" | ||
| help: | | ||
| Install the GitHub CLI (gh) so Claude can push/pull via PAT auth? | ||
| Only useful inside the Claude sandbox — ordinary users typically | ||
| rely on SSH keys or VS Code git credentials. | ||
|
|
||
| install_glab: | ||
| type: bool | ||
| when: "{{ add_claude }}" | ||
| help: | | ||
| Install the GitLab CLI (glab) for projects that talk to a GitLab | ||
| instance (e.g. gitlab.diamond.ac.uk submodules)? | ||
| Only useful inside the Claude sandbox. |
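Review bot: neither question declares a `default`, so a non-interactive render (`copier copy --defaults`) depends on copier's implicit value for an unanswered bool; since the drift test relies on the all-off render matching the meta repo, set `default: false` explicitly on both. The install_gh help text should also say where the PAT comes from (the per-repo volume described in the PR summary) and recommend a fine-grained token scoped to that single repository, since the token will live inside the sandbox.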
Again, I reckon we should probably just include these in the ubuntu devcontainer unconditionally
That was my first instinct, and then I thought people would push back on it, especially since glab would be a less common requirement. But if you like always including them then I do too.
@coretl sorry about the WIP PR - in retrospect that was a bad idea!
Three new copier questions gate a sandboxed Claude Code setup: add_claude (top-level — env var blockers, ~/.claude bind mount, Claude Code CLI install, postCreate/postStart hooks, node, justfile), install_gh and install_glab (each gated on add_claude).
Breaks the template/.devcontainer symlink so devcontainer.json can be Jinja-conditional. The meta repo's own .devcontainer/devcontainer.json and Dockerfile become the add_claude=no baseline; a new test_meta_matches_no_claude_template drift test enforces it.
Adds remote.autoForwardPorts: false and explicit forwardPorts: [8000] so VS Code stops stealing sphinx-autobuild's port on restart (separate commit).
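The drift check described in the summary, as an added example that is not the project's own test_meta_matches_no_claude_template: render the template with every Claude option off and byte-compare the result with the meta repo's checked-in file, reporting a unified diff on divergence. The template fragment, the expected baseline text and the mount names are constructed here so it runs offline, and rendering uses a small stand-in for copier's Jinja engine that understands only `{% if name %} ... {% else %} ... {% endif %}` (nested blocks resolve innermost-first); a real test would run copier itself and read both files from disk.

```python
"""Drift check: the meta repo's devcontainer.json must equal the copier
template rendered with add_claude=no (and every dependent option off).

Example code added for this write-up, not the project's test. The template
fragment, baseline and volume names below are constructed for the demo, and
render() is a deliberately tiny stand-in for copier's Jinja rendering.
"""
import difflib
import json
import re

# Constructed template fragment modelled on the devcontainer.json hunk: the
# Jinja tags sit inside JSON lines, which is exactly why a byte-diff against a
# known-good render is worth having.
TEMPLATE = """{
    "workspaceMount": "source=${localWorkspaceFolder}/..,target=/workspaces,type=bind",{% if add_claude %}
    "mounts": ["source=claude-home,target=/root/.claude,type=volume"{% if install_gh %}, "source=gh-pat,target=/root/.config/gh,type=volume"{% endif %}],
    "postCreateCommand": ".devcontainer/postCreate.sh",
    "postStartCommand": ".devcontainer/postStart.sh"{% else %}
    "postCreateCommand": "pre-commit install --install-hooks"{% endif %}
}
"""

# Every Claude question answered "no": the context the meta repo must match.
NO_CLAUDE = {"add_claude": False, "install_gh": False, "install_glab": False}

# Constructed stand-in for the meta repo's checked-in .devcontainer/devcontainer.json.
META_BASELINE = """{
    "workspaceMount": "source=${localWorkspaceFolder}/..,target=/workspaces,type=bind",
    "postCreateCommand": "pre-commit install --install-hooks"
}
"""

# Matches an innermost conditional: neither body may contain a further "{% if".
_INNERMOST = re.compile(
    r"\{% if (\w+) %\}"
    r"((?:(?!\{% if ).)*?)"
    r"(?:\{% else %\}((?:(?!\{% if ).)*?))?"
    r"\{% endif %\}",
    re.S,
)


def render(template: str, context: dict) -> str:
    """Resolve {% if %} blocks innermost-first until no tags remain."""

    def pick(m: re.Match) -> str:
        name, yes, no = m.group(1), m.group(2), m.group(3) or ""
        if name not in context:
            raise KeyError(f"template references unknown question {name!r}")
        return yes if context[name] else no

    out = template
    while True:
        new = _INNERMOST.sub(pick, out)
        if new == out:
            break
        out = new
    if "{%" in out:
        raise ValueError("unbalanced or unsupported Jinja tag in template")
    return out


def drift(rendered: str, baseline: str, name: str = ".devcontainer/devcontainer.json") -> list:
    """Unified-diff lines between baseline and render; empty means byte-identical."""
    if rendered.encode("utf-8") == baseline.encode("utf-8"):
        return []
    return list(
        difflib.unified_diff(
            baseline.splitlines(keepends=True),
            rendered.splitlines(keepends=True),
            fromfile=f"meta/{name}",
            tofile=f"template/{name} (all Claude options off)",
        )
    )


def valid_json(text: str) -> bool:
    """True if a rendered branch is still well-formed JSON (no stray commas)."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def meta_matches_no_claude_template(template: str = TEMPLATE, baseline: str = META_BASELINE) -> bool:
    """The drift test's verdict for one file."""
    return drift(render(template, NO_CLAUDE), baseline) == []


if __name__ == "__main__":
    diff = drift(render(TEMPLATE, NO_CLAUDE), META_BASELINE)
    print("meta repo matches the add_claude=no render" if not diff else "".join(diff))
```

Checking `valid_json` on the add_claude=yes render as well as the no-claude one is the cheap guard against the mid-line Jinja tags leaving a trailing comma in one branch; the byte-diff alone only protects the branch the meta repo happens to exercise.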