6. Scope credentials to the container; re-paste PATs on every rebuild#

Date: 2026-05-11

Status#

Accepted

Context#

Claude needs gh/glab to push code, so their token stores (~/.config/gh/, ~/.config/glab-cli/) are bound rw into the sandbox. Fine-grained personal access tokens typically cover several repos, so any token path persisted across devcontainers would let one compromised session reach every repo that PAT touches.

Decision#

Keep PATs container-scoped. No persistent-credential mount — volume, bind, or a re-purposed Docker /cache volume, anywhere — for gh/glab tokens. The re-paste-on-rebuild ceremony (just gh-auth / just glab-auth) is the deliberate cost of keeping the blast radius small. By contrast ~/.claude and ~/.claude.json are cross-container (symlinked via link_terminal_config) because they hold one Claude login, not repo-scoped credentials — don’t conflate the two.

Consequences#

  • Rebuilds re-prompt for the PAT; just gh-auth makes that a few seconds and keeps the token out of shell history.

  • PAT scope discipline (fine-grained, single-repo, short expiry) is the user’s responsibility, documented under “PAT hygiene” in README-CLAUDE.md. The tool keeps the token off disk-history; it does not enforce scope.

  • CLAUDE_SANDBOX_NO_FORGE=1 skips the token binds (and the credential helpers) entirely when a session doesn’t need to push.

  • A “stop re-pasting the PAT” request must surface this trade-off before any shortcut is implemented.