claude-code

docker/.dockerignore

@@ -0,0 +1,35 @@
+# NOTE: Docker reads .dockerignore from the build context root.
+# The canonical copy lives at /.dockerignore — keep both in sync.
+
+# Dependencies (rebuilt in container)
+node_modules
+
+# Git metadata
+.git
+.github
+.gitignore
+
+# Build output (rebuilt in container)
+dist
+
+# Env files — never bake secrets into the image
+.env
+.env.*
+
+# Logs and debug
+*.log
+npm-debug.log*
+bun-debug.log*
+
+# Test artifacts
+coverage
+.nyc_output
+
+# Editor / OS noise
+.DS_Store
+Thumbs.db
+.vscode
+.idea
+
+# Docker context itself
+docker

docker/Dockerfile

@@ -0,0 +1,83 @@
+# ─────────────────────────────────────────────────────────────
+# Claude Web Terminal — Production Container
+# ─────────────────────────────────────────────────────────────
+# Multi-stage build: compiles node-pty native module and bundles
+# the Claude CLI, then copies artifacts into a slim runtime image.
+#
+# Usage:
+#   docker build -f docker/Dockerfile -t claude-web .
+#   docker run -p 3000:3000 -e ANTHROPIC_API_KEY=sk-ant-... claude-web
+# ─────────────────────────────────────────────────────────────
+
+# ── Stage 1: Build ────────────────────────────────────────────
+FROM oven/bun:1 AS builder
+
+WORKDIR /app
+
+# Build tools required to compile node-pty's native C++ addon
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 make g++ \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy manifests first for layer caching
+COPY package.json bun.lockb* ./
+
+# Install all deps (triggers node-pty native compilation)
+RUN bun install --frozen-lockfile 2>/dev/null || bun install
+
+# Copy source tree
+COPY . .
+
+# Bundle the Claude CLI (produces dist/cli.mjs)
+RUN bun run build:prod
+
+# ── Stage 2: Runtime ──────────────────────────────────────────
+FROM oven/bun:1 AS runtime
+
+WORKDIR /app
+
+# curl for health checks; no build tools needed at runtime
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Non-root user that PTY sessions will run under
+RUN groupadd -r claude && useradd -r -g claude -m -d /home/claude claude
+
+# Compiled node_modules (includes native node-pty binary)
+COPY --from=builder /app/node_modules ./node_modules
+
+# Bundled Claude CLI
+COPY --from=builder /app/dist ./dist
+
+# PTY server source (bun runs TypeScript natively)
+COPY --from=builder /app/src/server ./src/server
+
+# TypeScript config needed for bun's module resolution
+COPY --from=builder /app/tsconfig.json ./tsconfig.json
+
+# Thin wrapper so the PTY server can exec `claude` as a subprocess
+RUN printf '#!/bin/sh\nexec bun /app/dist/cli.mjs "$@"\n' \
+    > /usr/local/bin/claude && chmod +x /usr/local/bin/claude
+
+# Entrypoint script
+COPY docker/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Allow the claude user to write its config into its home dir
+RUN chown -R claude:claude /home/claude
+
+# ── Defaults ──────────────────────────────────────────────────
+ENV NODE_ENV=production \
+    PORT=3000 \
+    MAX_SESSIONS=5 \
+    CLAUDE_BIN=claude
+
+EXPOSE 3000
+
+USER claude
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
+    CMD curl -f http://localhost:${PORT:-3000}/health || exit 1
+
+ENTRYPOINT ["/entrypoint.sh"]

docker/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  claude-web:
+    build:
+      context: ..
+      dockerfile: docker/Dockerfile
+    ports:
+      - "${PORT:-3000}:3000"
+    environment:
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+      - AUTH_TOKEN=${AUTH_TOKEN:-}
+      - MAX_SESSIONS=${MAX_SESSIONS:-5}
+      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-}
+    volumes:
+      # Persist Claude's config and session data across restarts
+      - claude-data:/home/claude/.claude
+    tmpfs:
+      # PTY processes write temp files here; no persistent storage needed
+      - /tmp:mode=1777
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
+
+volumes:
+  claude-data:

docker/entrypoint.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+set -e
+
+# ── Validate required env vars ────────────────────────────────
+if [ -z "$ANTHROPIC_API_KEY" ]; then
+  echo "ERROR: ANTHROPIC_API_KEY is not set." >&2
+  echo "" >&2
+  echo "  docker run -p 3000:3000 -e ANTHROPIC_API_KEY=sk-ant-... claude-web" >&2
+  echo "" >&2
+  echo "  Or via docker-compose with a .env file:" >&2
+  echo "    ANTHROPIC_API_KEY=sk-ant-... docker-compose up" >&2
+  exit 1
+fi
+
+# The API key is forwarded to child PTY processes via process.env,
+# so the claude CLI will pick it up automatically — no config file needed.
+
+echo "Claude Web Terminal starting on port ${PORT:-3000}..."
+if [ -n "$AUTH_TOKEN" ]; then
+  echo "  Auth token protection: enabled"
+fi
+if [ -n "$ALLOWED_ORIGINS" ]; then
+  echo "  Allowed origins: $ALLOWED_ORIGINS"
+fi
+echo "  Max sessions: ${MAX_SESSIONS:-5}"
+
+# Hand off to the PTY WebSocket server
+exec bun /app/src/server/web/pty-server.ts