recipe-maintainer/sandbox/entrypoint.sh
autonomic-bot f283a371bb recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit)
Sanitized single-commit public mirror of recipe-maintainer.
- Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders.
- Removed plans/ and planned-updates/ (deployment-planning docs) so no client/
  deployment domains appear in the public repo.
- All other secret stores were already gitignored.
- docs.coopcloud.tech retained as a submodule (public upstream).
2026-06-16 20:18:24 +00:00


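#!/usr/bin/env bash
#
# Sandbox container entrypoint. Starts as root, maps the in-container account
# onto the caller's UID/GID, prepares that account's home directory, then
# drops to the account with gosu and execs either the supplied command or the
# Claude CLI.
#
# Environment (all optional):
#   HOST_UID, HOST_GID         numeric ids to run as; 0/0 falls back to defaults
#   DEFAULT_UID, DEFAULT_GID   fallback ids (default 1000)
#   CLAUDE_USER, CLAUDE_GROUP  account / group names (default "claude")
#   CLAUDE_HOME                home directory (default /home/$CLAUDE_USER)
#
# NOTE(review): the account gets passwordless sudo below and the default
# command passes --dangerously-skip-permissions, so the agent is effectively
# root inside the container with no per-action prompt. The container boundary
# is the only control; anything mounted into it (including /workspace) should
# be treated as fully writable by the agent.
set -euo pipefail

# Print a diagnostic to stderr and abort.
die() {
  printf 'entrypoint: %s\n' "$*" >&2
  exit 1
}

HOST_UID=${HOST_UID:-0}
HOST_GID=${HOST_GID:-0}
DEFAULT_UID=${DEFAULT_UID:-1000}
DEFAULT_GID=${DEFAULT_GID:-1000}
CLAUDE_USER=${CLAUDE_USER:-claude}
CLAUDE_GROUP=${CLAUDE_GROUP:-claude}
CLAUDE_HOME=${CLAUDE_HOME:-/home/${CLAUDE_USER}}

# These values come from the container environment and are used as root
# (chown -R, useradd, a sudoers entry), so reject malformed input up front
# instead of letting it fail halfway through.
for id_var in HOST_UID HOST_GID DEFAULT_UID DEFAULT_GID; do
  [[ ${!id_var} =~ ^[0-9]+$ ]] \
    || die "$id_var must be a non-negative integer, got '${!id_var}'"
done

# CLAUDE_USER is written verbatim into a sudoers file; whitespace, newlines or
# sudoers metacharacters in it would change the meaning of that file.
name_re='^[A-Za-z_][A-Za-z0-9_.-]*$'
[[ $CLAUDE_USER =~ $name_re ]] || die "CLAUDE_USER is not a valid account name"

# CLAUDE_HOME is chown -R'ed as root; refuse relative paths and "/".
[[ $CLAUDE_HOME == /* && -n ${CLAUDE_HOME//\//} ]] \
  || die "CLAUDE_HOME must be an absolute path other than /"

# Resolve gosu while PATH holds only system directories. PATH is later
# prefixed with directories owned by the unprivileged account, and this script
# is still root when it execs gosu.
gosu_bin=$(PATH="/usr/local/bin:$PATH"; command -v gosu) \
  || die "gosu not found on the system PATH"

# Only the 0/0 pair is remapped; a lone zero UID or GID is passed through.
if [ "$HOST_UID" -eq 0 ] && [ "$HOST_GID" -eq 0 ]; then
  HOST_UID=$DEFAULT_UID
  HOST_GID=$DEFAULT_GID
fi

# Reuse an existing group that already owns the GID, otherwise create ours.
if group_entry=$(getent group "$HOST_GID" 2>/dev/null); then
  CLAUDE_GROUP=${group_entry%%:*}
else
  groupadd -g "$HOST_GID" "$CLAUDE_GROUP"
fi

# Ensure home exists, but don't recreate it; ownership is (re)applied either
# way so a home left over from a different UID is fixed up.
if [ ! -d "$CLAUDE_HOME" ]; then
  mkdir -p "$CLAUDE_HOME"
fi
chown -R "$HOST_UID:$HOST_GID" "$CLAUDE_HOME"

if id -u "$CLAUDE_USER" >/dev/null 2>&1; then
  # Do NOT change -d (home) for existing user
  usermod -u "$HOST_UID" -g "$CLAUDE_GROUP" "$CLAUDE_USER"
else
  # No -m: the home directory was already created above.
  useradd -u "$HOST_UID" -g "$CLAUDE_GROUP" -d "$CLAUDE_HOME" -s /bin/bash "$CLAUDE_USER"
fi

# Grant passwordless sudo to claude user. The file is created with a
# restrictive umask so it is never readable or writable by others, and chmod
# still runs to fix the mode of a file left by an earlier start.
sudoers_file=/etc/sudoers.d/claude
(
  umask 0337
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$CLAUDE_USER" > "$sudoers_file"
)
chmod 440 "$sudoers_file"

for subdir in .local .local/bin .config .claude .abra; do
  install -d -m 0755 -o "$HOST_UID" -g "$HOST_GID" "$CLAUDE_HOME/$subdir"
done

# Copy Claude binaries to user's local bin (always, to ensure upgrades apply).
# Deliberately best-effort: an empty or missing /root/.local/bin is not fatal.
cp -r /root/.local/bin/* "$CLAUDE_HOME/.local/bin/" 2>/dev/null || true
chown -R "$HOST_UID:$HOST_GID" "$CLAUDE_HOME/.local/bin"

# Best-effort ownership fix for the mounted workspace; failures are ignored.
# /workspace/target is handled separately, as in the original script.
if [ -d /workspace ]; then
  chown -R "$HOST_UID:$HOST_GID" /workspace 2>/dev/null || true
fi
if [ -d /workspace/target ]; then
  chown -R "$HOST_UID:$HOST_GID" /workspace/target 2>/dev/null || true
fi

# Set up PATH in user's bashrc to avoid "~/.local/bin not in PATH" warning
# shellcheck disable=SC2016 # the line must reach .bashrc unexpanded
path_line='export PATH="$HOME/.local/bin:$PATH"'
bashrc="$CLAUDE_HOME/.bashrc"
if ! grep -qF -- "$path_line" "$bashrc" 2>/dev/null; then
  printf '%s\n' "$path_line" >> "$bashrc"
  # -h: if .bashrc is a symlink, change the link and not whatever it points at.
  chown -h "$HOST_UID:$HOST_GID" "$bashrc"
fi

export PATH="$CLAUDE_HOME/.local/bin:$CLAUDE_HOME/.cargo/bin:/usr/local/bin:$PATH"

# Drop privileges. With arguments, run them as the account; with none, start
# the Claude CLI from the account's local bin.
if [ $# -gt 0 ]; then
  exec "$gosu_bin" "$CLAUDE_USER" "$@"
else
  exec "$gosu_bin" "$CLAUDE_USER" "$CLAUDE_HOME/.local/bin/claude" --dangerously-skip-permissions
fi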