@alanbem/dclaude 0.0.0-dev

package/dclaude

@@ -0,0 +1,2031 @@
+#!/bin/bash
+# dclaude - Dockerized Claude Code Launcher
+# https://github.com/alanbem/dclaude
+
+set -euo pipefail
+
+# Configuration
+readonly IMAGE_NAME="${DCLAUDE_REGISTRY:-docker.io}/alanbem/dclaude"
+readonly IMAGE_TAG="${DCLAUDE_TAG:-latest}"
+readonly IMAGE="${IMAGE_NAME}:${IMAGE_TAG}"
+readonly VOLUME_PREFIX="dclaude"
+readonly DEBUG="${DCLAUDE_DEBUG:-false}"
+readonly QUIET="${DCLAUDE_QUIET:-false}"
+readonly REMOVE_CONTAINER="${DCLAUDE_RM:-false}"
+# Docker socket will be detected dynamically unless overridden
+DOCKER_SOCKET="${DCLAUDE_DOCKER_SOCKET:-}"
+readonly MOUNT_CONFIGS="${DCLAUDE_MOUNT_CONFIGS:-false}"
+readonly GIT_AUTH_MODE="${DCLAUDE_GIT_AUTH:-auto}"  # auto, agent-forwarding, key-mount, none
+readonly ENABLE_SYSTEM_CONTEXT="${DCLAUDE_SYSTEM_CONTEXT:-true}"  # Inform Claude about dclaude environment
+
+# Chrome configuration (not readonly to allow --port flag override)
+CHROME_PROFILE="${DCLAUDE_CHROME_PROFILE:-claude}"
+CHROME_PORT="${DCLAUDE_CHROME_PORT:-9222}"
+CHROME_BIN="${DCLAUDE_CHROME_BIN:-}"
+CHROME_FLAGS="${DCLAUDE_CHROME_FLAGS:-}"
+
+# Colors for output (only if terminal supports it)
+if [[ -t 1 ]]; then
+    readonly RED='\033[0;31m'
+    readonly GREEN='\033[0;32m'
+    readonly YELLOW='\033[1;33m'
+    readonly BLUE='\033[0;34m'
+    readonly CYAN='\033[0;36m'
+    readonly NC='\033[0m' # No Color
+else
+    readonly RED=''
+    readonly GREEN=''
+    readonly YELLOW=''
+    readonly BLUE=''
+    readonly CYAN=''
+    readonly NC=''
+fi
+
+# Helper functions
+error() {
+    echo -e "${RED}Error: $1${NC}" >&2
+}
+
+warning() {
+    echo -e "${YELLOW}Warning: $1${NC}" >&2
+}
+
+success() {
+    if [[ "$QUIET" != "true" ]]; then
+        echo -e "${GREEN}$1${NC}" >&2
+    fi
+}
+
+info() {
+    if [[ "$QUIET" != "true" ]]; then
+        echo -e "${BLUE}$1${NC}" >&2
+    fi
+}
+
+debug() {
+    # QUIET overrides DEBUG - if quiet, suppress debug too
+    if [[ "$QUIET" != "true" ]] && [[ "$DEBUG" == "true" ]]; then
+        echo -e "${CYAN}Debug: $1${NC}" >&2
+    fi
+}
+
+# Reset terminal mouse mode after tmux exits
+# Prevents iTerm2 warnings about mouse reporting being left on
+reset_terminal_mouse() {
+    # Disable all mouse reporting modes:
+    # ?1000 - X10 mouse reporting
+    # ?1002 - Cell motion mouse tracking
+    # ?1003 - All motion mouse tracking
+    # ?1006 - SGR extended mouse reporting
+    printf '\033[?1000l\033[?1002l\033[?1003l\033[?1006l'
+}
+
+# Detect platform
+detect_platform() {
+    case "$(uname -s)" in
+        Darwin*)
+            echo "darwin"
+            ;;
+        Linux*)
+            echo "linux"
+            ;;
+        MINGW*|CYGWIN*|MSYS*)
+            echo "windows"
+            ;;
+        *)
+            echo "unknown"
+            ;;
+    esac
+}
+
+# Detect Docker socket path based on platform
+detect_docker_socket() {
+    info "Detecting Docker socket..."
+
+    # Prefer Docker context (tells us the active socket)
+    if command -v docker &> /dev/null && command -v jq &> /dev/null; then
+        debug "Checking Docker context for socket path"
+        local context_output context_socket
+        context_output=$(docker context inspect 2>/dev/null || true)
+        if [[ -n "$context_output" ]]; then
+            context_socket=$(echo "$context_output" | jq -r '.[0].Endpoints.docker.Host' 2>/dev/null | sed 's|unix://||' 2>/dev/null) || true
+            if [[ -n "$context_socket" ]] && [[ -S "$context_socket" ]]; then
+                debug "Docker socket found via context: $context_socket"
+                echo "$context_socket"
+                return 0
+            else
+                debug "Context socket not valid: ${context_socket:-<empty>}"
+            fi
+        else
+            debug "No Docker context found"
+        fi
+    fi
+
+    # Fallback to common socket paths
+    debug "Falling back to filesystem search for Docker socket"
+    local socket_paths=(
+        "$HOME/.docker/run/docker.sock"      # macOS Docker Desktop
+        "/var/run/docker.sock"                # Linux, Docker CE
+        "$HOME/.orbstack/run/docker.sock"    # OrbStack
+        "$HOME/.colima/default/docker.sock"   # Colima
+        "$HOME/.colima/docker.sock"           # Colima alternative
+        "$HOME/.rd/docker.sock"               # Rancher Desktop
+        "/run/user/$(id -u)/docker.sock"      # Rootless Docker on Linux
+    )
+
+    for socket in "${socket_paths[@]}"; do
+        if [[ -S "$socket" ]]; then
+            debug "Docker socket found at: $socket"
+            echo "$socket"
+            return 0
+        fi
+    done
+
+    debug "No Docker socket found"
+    return 1
+}
+
+# Check if Docker is installed
+check_docker() {
+    if ! command -v docker &> /dev/null; then
+        error "Docker is not installed. Please install Docker first."
+        echo "Visit: https://docs.docker.com/get-docker/" >&2
+        exit 1
+    fi
+    debug "Docker found at: $(command -v docker)"
+}
+
+# Check if Docker daemon is running
+check_docker_running() {
+    if ! docker info &> /dev/null; then
+        error "Docker daemon is not running. Please start Docker."
+        exit 1
+    fi
+    debug "Docker daemon is running"
+}
+
+# Find an available port in the specified range
+find_available_port() {
+    local start_port=${1:-20000}
+    local end_port=${2:-65000}
+    local port
+
+    for ((port=start_port; port<=end_port; port++)); do
+        local port_in_use=false
+
+        # Fast check 1: netstat (catches most listening processes)
+        if command -v netstat &>/dev/null; then
+            if netstat -an 2>/dev/null | grep -qE "[.:]$port\s+(LISTEN|ESTABLISHED)" 2>/dev/null; then
+                port_in_use=true
+            fi
+        fi
+
+        # Fast check 2: lsof (more reliable on macOS, catches additional cases)
+        if ! $port_in_use && command -v lsof &>/dev/null; then
+            if lsof -i ":$port" &>/dev/null 2>&1; then
+                port_in_use=true
+            fi
+        fi
+
+        # Comprehensive check: Socket test (catches Docker containers, VMs, kernel-level bindings)
+        # Only run if fast checks didn't detect anything (avoids timeout overhead)
+        if ! $port_in_use; then
+            if timeout 0.1 bash -c "exec 3<>/dev/tcp/localhost/$port" 2>/dev/null; then
+                # Successfully connected - something is listening
+                exec 3<&- 2>/dev/null  # Close connection
+                port_in_use=true
+            fi
+        fi
+
+        if ! $port_in_use; then
+            echo "$port"
+            return 0
+        fi
+    done
+
+    # Fallback: use a random port if no available port found
+    echo $((20000 + RANDOM % 45000))
+}
+
+# Portable timeout function that works on both Linux and macOS
+# Usage: run_with_timeout <seconds> <command...>
+run_with_timeout() {
+    local timeout_seconds=$1
+    shift
+
+    # Try to use timeout command if available (Linux, brew-installed coreutils)
+    if command -v timeout &>/dev/null; then
+        timeout "$timeout_seconds" "$@"
+        return $?
+    elif command -v gtimeout &>/dev/null; then
+        # macOS with coreutils installed via Homebrew
+        gtimeout "$timeout_seconds" "$@"
+        return $?
+    else
+        # Fallback: run command in background and kill after timeout
+        local pid
+        "$@" &
+        pid=$!
+
+        # Sleep in background and kill the process after timeout
+        (
+            sleep "$timeout_seconds"
+            kill -TERM "$pid" 2>/dev/null || true
+        ) &
+        local timer_pid=$!
+
+        # Wait for the command to finish
+        local result
+        if wait "$pid" 2>/dev/null; then
+            result=$?
+            kill -TERM "$timer_pid" 2>/dev/null || true
+            wait "$timer_pid" 2>/dev/null || true
+            return $result
+        else
+            # Command failed or was killed
+            return 124  # Standard timeout exit code
+        fi
+    fi
+}
+
+# Detect network capability (host vs bridge)
+detect_network_capability() {
+    info "Detecting network mode..."
+
+    local cache_dir="${HOME}/.dclaude"
+    local cache_file="${cache_dir}/network-mode"
+    local test_timeout=10
+    local server_container=""
+
+    # Cleanup function for this function's containers
+    cleanup_nettest() {
+        if [[ -n "$server_container" ]]; then
+            debug "Cleaning up test container: $server_container"
+            docker stop "$server_container" &>/dev/null || true
+            docker rm -f "$server_container" &>/dev/null || true
+        fi
+    }
+
+    # Set up trap for cleanup
+    trap cleanup_nettest EXIT
+
+    # Create cache directory if it doesn't exist
+    if [[ ! -d "$cache_dir" ]]; then
+        mkdir -p "$cache_dir" || {
+            debug "Failed to create cache directory, proceeding without cache"
+            cache_file=""
+        }
+    fi
+
+    # Check cache first (valid for 24 hours)
+    if [[ -n "$cache_file" && -f "$cache_file" ]]; then
+        local cache_age
+        if cache_age=$(stat -c %Y "$cache_file" 2>/dev/null) || cache_age=$(stat -f %m "$cache_file" 2>/dev/null); then
+            local current_time
+            current_time=$(date +%s)
+            local age_hours=$(( (current_time - cache_age) / 3600 ))
+
+            if [[ $age_hours -lt 24 ]]; then
+                local cached_mode
+                if cached_mode=$(cat "$cache_file" 2>/dev/null) && [[ "$cached_mode" =~ ^(host|bridge)$ ]]; then
+                    debug "Using cached network mode: $cached_mode (age: ${age_hours}h)"
+                    trap - EXIT
+                    echo "$cached_mode"
+                    return 0
+                fi
+            fi
+        fi
+    fi
+
+    debug "Testing network capabilities..."
+
+    # Ensure alpine:3.19 is available
+    if ! docker image inspect alpine:3.19 &>/dev/null; then
+        debug "Alpine 3.19 image not found, pulling..."
+        if ! docker pull alpine:3.19 &>/dev/null; then
+            debug "Failed to pull alpine:3.19, falling back to bridge mode"
+            trap - EXIT
+            echo "bridge" | tee "$cache_file" 2>/dev/null || echo "bridge"
+            return 0
+        fi
+        debug "Alpine 3.19 image pulled successfully"
+    else
+        debug "Alpine 3.19 image is available"
+    fi
+
+    # Test 1: Basic host networking support
+    debug "Test 1: Basic host networking support"
+    if ! run_with_timeout "$test_timeout" docker run --rm --network host alpine:3.19 \
+        sh -c 'ip addr show lo | grep -q "127\.0\.0\.1"' &>/dev/null; then
+        debug "Host networking not supported (basic test failed)"
+        trap - EXIT
+        echo "bridge" | tee "$cache_file" 2>/dev/null || echo "bridge"
+        return 0
+    fi
+
+    # Test 2: Container-to-container localhost access
+    debug "Test 2: Container-to-container localhost access"
+    local test_port
+    test_port=$(find_available_port)
+    debug "Using dynamic port: $test_port"
+    server_container="dclaude-nettest-$$"
+
+    # Start test server
+    if ! docker run --rm -d --name "$server_container" --network host alpine:3.19 \
+        sh -c "echo 'test-response' | nc -l -p $test_port" &>/dev/null; then
+        debug "Failed to start test server"
+        trap - EXIT
+        echo "bridge" | tee "$cache_file" 2>/dev/null || echo "bridge"
+        return 0
+    fi
+
+    # Wait for server to be ready (max 5 seconds)
+    debug "Waiting for test server to be ready..."
+    local ready=false
+    local wait_count=0
+    local max_wait=50  # 5 seconds (50 * 0.1 seconds)
+
+    while [[ $wait_count -lt $max_wait ]]; do
+        # Use more portable netstat options for Alpine Linux
+        if docker exec "$server_container" sh -c "netstat -tuln 2>/dev/null | grep -q \":$test_port \"" &>/dev/null; then
+            ready=true
+            debug "Test server is ready after $((wait_count * 100))ms"
+            break
+        fi
+        sleep 0.1
+        ((wait_count++))
+    done
+
+    if [[ "$ready" != "true" ]]; then
+        debug "Test server failed to become ready within 5 seconds"
+        cleanup_nettest
+        trap - EXIT
+        echo "bridge" | tee "$cache_file" 2>/dev/null || echo "bridge"
+        return 0
+    fi
+
+    # Test client connection
+    local test_result="bridge"
+    if run_with_timeout 5 docker run --rm --network host alpine:3.19 \
+        sh -c "echo '' | nc localhost $test_port" &>/dev/null; then
+        test_result="host"
+        debug "Host networking fully supported"
+    else
+        debug "Host networking partially supported but localhost access failed"
+    fi
+
+    # Cleanup test server (handled by trap)
+    cleanup_nettest
+
+    # Cache the result
+    if [[ -n "$cache_file" ]]; then
+        echo "$test_result" > "$cache_file" 2>/dev/null || true
+    fi
+
+    # Platform-specific validation of detected mode
+    local platform
+    platform=$(detect_platform)
+    case "$platform" in
+        darwin)
+            if [[ "$test_result" == "host" ]]; then
+                debug "Host networking detected on macOS - validating compatibility"
+                # On macOS, host networking should only work with Docker Desktop beta or OrbStack
+                if ! docker system info 2>/dev/null | grep -qi "orbstack\|desktop.*beta" &>/dev/null; then
+                    debug "Host networking may not work properly on this Docker setup for macOS"
+                    warning "Host networking detected but may not work properly on macOS Docker Desktop (non-beta)"
+                fi
+            fi
+            ;;
+        windows)
+            if [[ "$test_result" == "host" ]]; then
+                debug "Host networking detected on Windows - this is unusual"
+                warning "Host networking detected on Windows - this may indicate WSL2 or special configuration"
+            fi
+            ;;
+        linux)
+            debug "Network mode '$test_result' is expected on Linux platform"
+            ;;
+        *)
+            debug "Unknown platform '$platform' - network mode validation skipped"
+            ;;
+    esac
+
+    # Clear the trap before returning
+    trap - EXIT
+
+    debug "Network capability detection result: $test_result"
+    echo "$test_result"
+}
+
+# Create Docker volumes if they don't exist
+create_volumes() {
+    # Create essential volumes for persistence
+    local volumes=("${VOLUME_PREFIX}-claude" "${VOLUME_PREFIX}-config")
+
+    for volume in "${volumes[@]}"; do
+        if ! docker volume inspect "$volume" &> /dev/null; then
+            info "Creating volume: $volume"
+            if ! docker volume create "$volume" > /dev/null; then
+                error "Failed to create volume: $volume"
+                exit 1
+            fi
+            debug "Volume created successfully: $volume"
+        else
+            debug "Volume exists: $volume"
+        fi
+    done
+}
+
+# Pull or update the Docker image
+update_image() {
+    # Skip updates if DCLAUDE_NO_UPDATE is set
+    if [[ "${DCLAUDE_NO_UPDATE:-false}" == "true" ]]; then
+        debug "Skipping image update (DCLAUDE_NO_UPDATE=true)"
+        # Ensure image exists
+        if ! docker image inspect "$IMAGE" &> /dev/null; then
+            error "Docker image $IMAGE not found locally and updates disabled."
+            error "Either unset DCLAUDE_NO_UPDATE or pull the image manually."
+            exit 1
+        fi
+        return
+    fi
+
+    local current_id=""
+    local new_id=""
+
+    # Get current image ID if exists
+    if docker image inspect "$IMAGE" &> /dev/null; then
+        current_id=$(docker image inspect "$IMAGE" --format='{{.Id}}')
+        debug "Current image ID: ${current_id:0:12}"
+    fi
+
+    # Try to pull latest
+    info "Checking for updates to $IMAGE..."
+    if docker pull "$IMAGE" 2> /dev/null; then
+        new_id=$(docker image inspect "$IMAGE" --format='{{.Id}}' 2>/dev/null || echo "")
+
+        if [[ -z "$new_id" ]]; then
+            warning "Failed to inspect image after pull"
+        elif [[ "$current_id" != "$new_id" ]]; then
+            success "Image updated successfully."
+            debug "New image ID: ${new_id:0:12}"
+        else
+            debug "Image is up to date"
+        fi
+    else
+        if [[ -z "$current_id" ]]; then
+            error "Failed to pull image and no local image exists."
+            exit 1
+        else
+            warning "Could not check for updates, using local image."
+        fi
+    fi
+}
+
+# Get the host path for mounting
+get_host_path() {
+    local host_path
+    host_path=$(pwd) || {
+        error "Failed to get current directory"
+        exit 1
+    }
+
+    # Basic path validation
+    if [[ ! -d "$host_path" ]]; then
+        error "Current directory does not exist: $host_path"
+        exit 1
+    fi
+
+    echo "$host_path"
+}
+
+# Generate deterministic container name from path
+get_container_name() {
+    local path="${1:-$HOST_PATH}"
+    local path_hash
+    path_hash=$(echo -n "$path" | md5sum 2>/dev/null | cut -d' ' -f1 || echo -n "$path" | md5 | cut -d' ' -f1)
+    echo "dclaude-${path_hash:0:12}"
+}
+
+# Generate system context prompt for Claude
+generate_system_context() {
+    local network_mode="${1:-auto}"
+    local git_auth_mode="${2:-auto}"
+    local has_docker="${3:-false}"
+    local platform="${4:-unknown}"
+    local docker_socket="${5:-}"
+
+    cat <<'EOF'
+
+# dclaude Environment Context
+
+You are running inside **dclaude** - a Docker container that emulates the host environment. This is important context for understanding your capabilities and limitations:
+
+## Container Architecture
+- **Host Emulation**: Your current working directory is mounted at the exact same path as on the host
+- **Path Mirroring**: All file paths work identically to native execution (e.g., `/Users/alice/project` in container = same path on host)
+- **Isolated Environment**: While you operate in a container, file operations affect the real host filesystem through volume mounts
+
+## Host Environment
+EOF
+
+    # Platform info
+    case "$platform" in
+        darwin)
+            echo "- **Host OS**: macOS"
+            ;;
+        linux)
+            echo "- **Host OS**: Linux"
+            ;;
+        windows)
+            echo "- **Host OS**: Windows"
+            ;;
+        *)
+            echo "- **Host OS**: Unknown"
+            ;;
+    esac
+
+    # Architecture
+    local arch=$(uname -m 2>/dev/null || echo "unknown")
+    case "$arch" in
+        arm64|aarch64)
+            echo "- **Architecture**: ARM64 (Apple Silicon / ARM)"
+            ;;
+        x86_64|amd64)
+            echo "- **Architecture**: x86_64 (Intel/AMD)"
+            ;;
+        *)
+            echo "- **Architecture**: $arch"
+            ;;
+    esac
+
+    # Docker provider detection from socket path
+    if [[ -n "$docker_socket" ]]; then
+        case "$docker_socket" in
+            */.orbstack/*)
+                echo "- **Docker Provider**: OrbStack (high performance, native macOS integration)"
+                ;;
+            */.docker/run/*)
+                echo "- **Docker Provider**: Docker Desktop"
+                ;;
+            */.colima/*)
+                echo "- **Docker Provider**: Colima"
+                ;;
+            */.rd/*)
+                echo "- **Docker Provider**: Rancher Desktop"
+                ;;
+            /var/run/docker.sock)
+                echo "- **Docker Provider**: Docker Engine (native Linux)"
+                ;;
+            *)
+                echo "- **Docker Provider**: Custom Docker setup"
+                ;;
+        esac
+    fi
+
+    cat <<'EOF'
+
+## Available Capabilities
+EOF
+
+    # Docker access
+    if [[ "$has_docker" == "true" ]]; then
+        cat <<'EOF'
+- **Docker Access**: You have access to the host's Docker daemon via mounted socket
+  - Can build, run, and manage Docker containers
+  - Can execute docker and docker-compose commands
+  - All Docker operations affect the host Docker daemon
+EOF
+    fi
+
+    # Network mode
+    case "$network_mode" in
+        host)
+            cat <<'EOF'
+- **Networking**: Host networking mode enabled
+  - Direct access to `localhost:PORT` services on the host
+  - Can communicate with other containers via localhost
+  - Full network stack sharing with host
+EOF
+            ;;
+        bridge)
+            cat <<'EOF'
+- **Networking**: Bridge networking mode (isolated network)
+  - Cannot directly access `localhost` services
+  - Use `host.docker.internal:PORT` to access host services
+  - Container has isolated network namespace
+EOF
+            ;;
+    esac
+
+    # Git SSH authentication
+    case "$git_auth_mode" in
+        agent-forwarding)
+            cat <<'EOF'
+- **SSH Authentication**: Agent forwarding enabled
+  - SSH keys available via forwarded agent (secure, keys never in container)
+  - Can authenticate to GitHub, GitLab, and other SSH services
+  - Private keys remain on host machine only
+  - **Important**: Keys must be loaded in host's SSH agent (`ssh-add -l` to verify)
+  - On macOS: Proxy container (`dclaude-ssh-proxy-*`) bridges permissions automatically
+  - If git fails with auth errors, user needs to run `ssh-add ~/.ssh/id_ed25519` on host
+  - Socket location in container: $SSH_AUTH_SOCK (typically /tmp/ssh-proxy/agent)
+  - Known hosts pre-configured for: GitHub, GitLab, Bitbucket
+EOF
+            ;;
+        key-mount)
+            cat <<'EOF'
+- **SSH Authentication**: SSH keys mounted (read-only)
+  - Host's ~/.ssh directory mounted into container at /home/claude/.ssh
+  - Can authenticate to GitHub, GitLab, and other SSH services
+  - Keys are read-only, cannot be modified
+  - SSH agent not required - keys read directly from filesystem
+  - Use ssh-add inside container if agent needed
+  - Note: Uses host's known_hosts file (not container's pre-configured one)
+EOF
+            ;;
+        none)
+            cat <<'EOF'
+- **SSH Authentication**: Not configured
+  - SSH keys not available in container
+  - Cannot authenticate to remote Git repositories via SSH
+  - Recommend using HTTPS authentication for Git operations
+  - Or restart with DCLAUDE_GIT_AUTH=agent-forwarding or DCLAUDE_GIT_AUTH=key-mount
+EOF
+            ;;
+    esac
+
+    cat <<'EOF'
+
+## Development Tools Available
+- **Languages**: Node.js 20+, Python 3
+- **Package Managers**: npm, pip, Homebrew/Linuxbrew
+- **Tools**: git, gh (GitHub CLI), docker, docker-compose, curl, tmux, nano
+- **Shell**: bash (your commands execute in bash shell)
+
+## Git Configuration Requirements
+**IMPORTANT**: Before performing any git operations (commit, push, etc.), you MUST:
+1. Check if git is configured: `git config user.name` and `git config user.email`
+2. If either is missing/empty, ASK the user for their git name and email
+3. Configure git with: `git config --global user.name "User Name"` and `git config --global user.email "user@example.com"`
+4. Never assume or make up git credentials - always ask the user first
+
+## Important Notes
+- File operations are performed on the host filesystem (not isolated)
+- Changes persist after container exits (files are on host)
+- System packages can be installed with apt-get, Homebrew, or npm
+- Use relative paths when possible - absolute paths work due to path mirroring
+- Git operations work normally - repository sees correct paths
+
+When suggesting commands or file operations, you can treat this environment as if running natively on the host, with the benefits of containerization for tool isolation.
+EOF
+}
+
+# Handle SSH authentication based on DCLAUDE_GIT_AUTH mode
+# Setup SSH proxy container for macOS
+setup_ssh_proxy_container() {
+    local proxy_container="dclaude-ssh-proxy-$(id -u)"
+
+    # Check if proxy container already exists and is running
+    if docker ps -q -f name="^${proxy_container}$" 2>/dev/null | grep -q .; then
+        debug "SSH proxy container already running"
+        return 0
+    fi
+
+    # Remove any stopped proxy container
+    if docker ps -aq -f name="^${proxy_container}$" 2>/dev/null | grep -q .; then
+        debug "Removing stopped SSH proxy container"
+        docker rm -f "$proxy_container" >/dev/null 2>&1
+    fi
+
+    info "Starting SSH agent proxy container..."
+    debug "Proxy container name: $proxy_container"
+    debug "Bridging macOS SSH agent socket permissions"
+
+    # Create the proxy container that runs socat as root
+    # This container just bridges the permission gap and exits
+    docker run -d \
+        --name "$proxy_container" \
+        -v "/run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro" \
+        -v "dclaude-ssh-proxy:/tmp/ssh-proxy" \
+        --rm \
+        alpine:3.19 sh -c '
+            # Install socat
+            apk add --no-cache socat >/dev/null 2>&1
+
+            # Create proxy socket accessible to all users
+            rm -f /tmp/ssh-proxy/agent
+            socat UNIX-LISTEN:/tmp/ssh-proxy/agent,fork,mode=660 \
+                  UNIX-CONNECT:/run/host-services/ssh-auth.sock
+        ' >/dev/null 2>&1
+
+    # Give it a moment to start
+    sleep 0.5
+
+    # Verify the proxy is working
+    if ! docker ps -q -f name="^${proxy_container}$" 2>/dev/null | grep -q .; then
+        error "Failed to start SSH proxy container"
+        return 1
+    fi
+
+    debug "SSH proxy container started successfully"
+    return 0
+}
+
+handle_git_auth() {
+    local docker_args=()
+    local git_auth_mode="${GIT_AUTH_MODE}"
+
+    # If config mounting is enabled and git auth mode is auto, prefer key-mount for consistency
+    if [[ "$MOUNT_CONFIGS" == "true" ]] && [[ "$git_auth_mode" == "auto" ]]; then
+        if [[ -d "${HOME}/.ssh" ]] && [[ -r "${HOME}/.ssh" ]]; then
+            git_auth_mode="key-mount"
+            debug "Git auth: key-mount (DCLAUDE_MOUNT_CONFIGS=true prefers key mounting)"
+        fi
+    fi
+
+    # Auto-detect best method if set to auto
+    if [[ "$git_auth_mode" == "auto" ]]; then
+        if [[ -n "${SSH_AUTH_SOCK:-}" ]] && [[ -S "${SSH_AUTH_SOCK}" ]]; then
+            git_auth_mode="agent-forwarding"
+            debug "Git auth: agent-forwarding (auto-detected active agent)"
+        elif [[ -d "${HOME}/.ssh" ]] && [[ -r "${HOME}/.ssh" ]]; then
+            git_auth_mode="key-mount"
+            debug "Git auth: key-mount (auto-detected SSH directory)"
+        else
+            git_auth_mode="none"
+            debug "Git auth: none (no SSH agent or keys found)"
+        fi
+    fi
+
+    case "$git_auth_mode" in
+        agent-forwarding)
+            if [[ -z "${SSH_AUTH_SOCK:-}" ]]; then
+                warning "SSH agent forwarding requested but SSH_AUTH_SOCK not set"
+                warning "Start SSH agent with: eval \$(ssh-agent) && ssh-add"
+                return 1
+            fi
+
+            if [[ ! -S "${SSH_AUTH_SOCK}" ]]; then
+                warning "SSH agent forwarding requested but socket not found: ${SSH_AUTH_SOCK}"
+                return 1
+            fi
+
+            # Platform-specific socket mounting
+            local platform=$(detect_platform)
+            debug "Setting up SSH agent forwarding for platform: $platform"
+            case "$platform" in
+                linux)
+                    debug "Using direct socket mount: ${SSH_AUTH_SOCK}"
+                    docker_args+=(-v "${SSH_AUTH_SOCK}:/tmp/ssh-agent" -e "SSH_AUTH_SOCK=/tmp/ssh-agent")
+                    info "SSH agent forwarding enabled (Linux)"
+                    ;;
+                darwin)
+                    # On macOS, we need to set up a proxy container first
+                    debug "Setting up SSH proxy container for macOS"
+                    setup_ssh_proxy_container
+
+                    # Now mount the proxied socket from the shared volume
+                    docker_args+=(-v "dclaude-ssh-proxy:/tmp/ssh-proxy:ro"
+                                 -e "SSH_AUTH_SOCK=/tmp/ssh-proxy/agent")
+                    info "SSH agent forwarding enabled via proxy container"
+                    debug "Mounted SSH proxy volume: dclaude-ssh-proxy:/tmp/ssh-proxy"
+                    ;;
+                windows)
+                    warning "SSH agent forwarding not fully supported on Windows"
+                    warning "Consider using key-mount mode instead: DCLAUDE_GIT_AUTH=key-mount"
+                    return 1
+                    ;;
+            esac
+            ;;
+
+        key-mount)
+            if [[ -d "${HOME}/.ssh" ]] && [[ -r "${HOME}/.ssh" ]]; then
+                docker_args+=(-v "${HOME}/.ssh:/home/claude/.ssh:ro")
+                info "SSH key mounting enabled (read-only)"
+                debug "Mounting SSH directory: ${HOME}/.ssh"
+                warning "SSH private keys are accessible in container (read-only)"
+            else
+                warning "SSH key mount requested but ~/.ssh not found or not readable"
+                return 1
+            fi
+            ;;
+
+        none)
+            debug "SSH authentication disabled"
+            ;;
+
+        *)
+            error "Invalid git auth mode: $git_auth_mode (valid: auto, agent-forwarding, key-mount, none)"
+            return 1
+            ;;
+    esac
+
+    # Print arguments separated by null characters for safe parsing (only if we have args)
+    if [[ ${#docker_args[@]} -gt 0 ]]; then
+        printf '%s\0' "${docker_args[@]}"
+    fi
+}
+
+# Mount configuration directories from host
+mount_host_configs() {
+    local docker_args=()
+    local mounted_count=0
+
+    if [[ "$MOUNT_CONFIGS" != "true" ]]; then
+        debug "Config mounting disabled (DCLAUDE_MOUNT_CONFIGS=$MOUNT_CONFIGS)"
+        return 0
+    fi
+
+    info "Mounting host configurations (read-only)"
+    debug "SSH authentication handled separately via DCLAUDE_GIT_AUTH"
+
+    # Docker configuration (docker-cli installed)
+    # Default to true when master switch is enabled
+    if [[ "${DCLAUDE_MOUNT_DOCKER:-true}" == "true" ]] && [[ -d "${HOME}/.docker" ]]; then
+        if [[ -r "${HOME}/.docker" ]]; then
+            docker_args+=(-v "${HOME}/.docker:/home/claude/.docker:ro")
+            debug "Mounting Docker config: ${HOME}/.docker"
+            ((mounted_count++))
+        else
+            warning "Docker config exists but is not readable: ${HOME}/.docker"
+        fi
+    elif [[ "${DCLAUDE_MOUNT_DOCKER:-true}" == "true" ]]; then
+        debug "Docker config not found: ${HOME}/.docker"
+    fi
+
+    # GitHub CLI configuration (github-cli installed)
+    # Default to true when master switch is enabled
+    if [[ "${DCLAUDE_MOUNT_GH:-true}" == "true" ]] && [[ -d "${HOME}/.config/gh" ]]; then
+        if [[ -r "${HOME}/.config/gh" ]]; then
+            docker_args+=(-v "${HOME}/.config/gh:/home/claude/.config/gh:ro")
+            debug "Mounting GitHub CLI config: ${HOME}/.config/gh"
+            ((mounted_count++))
+        else
+            warning "GitHub CLI config exists but is not readable: ${HOME}/.config/gh"
+        fi
+    elif [[ "${DCLAUDE_MOUNT_GH:-true}" == "true" ]]; then
+        debug "GitHub CLI config not found: ${HOME}/.config/gh"
+    fi
+
+    # Git configuration (git installed)
+    # Default to true when master switch is enabled
+    if [[ "${DCLAUDE_MOUNT_GIT:-true}" == "true" ]] && [[ -f "${HOME}/.gitconfig" ]]; then
+        if [[ -r "${HOME}/.gitconfig" ]]; then
+            docker_args+=(-v "${HOME}/.gitconfig:/home/claude/.gitconfig:ro")
+            debug "Mounting Git config: ${HOME}/.gitconfig"
+            ((mounted_count++))
+        else
+            warning "Git config exists but is not readable: ${HOME}/.gitconfig"
+        fi
+    elif [[ "${DCLAUDE_MOUNT_GIT:-true}" == "true" ]]; then
+        debug "Git config not found: ${HOME}/.gitconfig"
+    fi
+
+    # NPM configuration (npm installed)
+    # Default to true when master switch is enabled
+    if [[ "${DCLAUDE_MOUNT_NPM:-true}" == "true" ]] && [[ -f "${HOME}/.npmrc" ]]; then
+        if [[ -r "${HOME}/.npmrc" ]]; then
+            docker_args+=(-v "${HOME}/.npmrc:/home/claude/.npmrc:ro")
+            debug "Mounting NPM config: ${HOME}/.npmrc"
+            ((mounted_count++))
+        else
+            warning "NPM config exists but is not readable: ${HOME}/.npmrc"
+        fi
+    elif [[ "${DCLAUDE_MOUNT_NPM:-true}" == "true" ]]; then
+        debug "NPM config not found: ${HOME}/.npmrc"
+    fi
+
+    # Note: AWS CLI, gcloud, kubectl are NOT installed in the container
+    # These configs will not be mounted unless those tools are added to Dockerfile
+
+    # Security warning with details
+    if [[ $mounted_count -gt 0 ]]; then
+        warning "Mounted $mounted_count configuration directories (read-only)"
+        warning "Security: The following sensitive data is now accessible in the container:"
+        # SSH is now handled separately, don't warn here
+        if [[ "${DCLAUDE_MOUNT_DOCKER:-true}" == "true" ]] && [[ -d "${HOME}/.docker" ]] && [[ -r "${HOME}/.docker" ]]; then
+            warning "  - Docker registry authentication tokens"
+        fi
+        if [[ "${DCLAUDE_MOUNT_GH:-true}" == "true" ]] && [[ -d "${HOME}/.config/gh" ]] && [[ -r "${HOME}/.config/gh" ]]; then
+            warning "  - GitHub CLI authentication tokens"
+        fi
+        if [[ "${DCLAUDE_MOUNT_NPM:-true}" == "true" ]] && [[ -f "${HOME}/.npmrc" ]] && [[ -r "${HOME}/.npmrc" ]]; then
+            warning "  - NPM registry authentication tokens"
+        fi
+        warning "Only use in trusted environments!"
+    fi
+
+    # Print arguments separated by null characters for safe parsing (only if we have args)
+    if [[ ${#docker_args[@]} -gt 0 ]]; then
+        printf '%s\0' "${docker_args[@]}"
+    fi
+}
+
+# Detect TTY availability and return appropriate Docker flags
+detect_tty_flags() {
+    local tty_flags=""
+
+    # Check if stdin is a TTY
+    if [[ -t 0 ]]; then
+        tty_flags="-i"
+    fi
+
+    # Check if stdout is a TTY
+    if [[ -t 1 ]]; then
+        tty_flags="${tty_flags} -t"
+    fi
+
+    # Trim whitespace
+    tty_flags=$(echo $tty_flags | xargs)
+
+    if [[ "$DEBUG" == "true" ]]; then
+        debug "TTY detection: stdin=$(test -t 0 && echo yes || echo no), stdout=$(test -t 1 && echo yes || echo no)"
+        debug "TTY flags: ${tty_flags:-none}"
+    fi
+
+    echo "$tty_flags"
+}
+
+# Check if Claude is being run in print mode (-p/--print)
+# This checks arguments as separate array elements, so -p inside a string won't match
+is_print_mode() {
+    for arg in "$@"; do
+        if [[ "$arg" == "-p" ]] || [[ "$arg" == "--print" ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+# Main execution
+main() {
+    # No argument parsing - pass everything through to Claude
+    # All arguments are preserved as-is for Claude
+
+    info "Verifying environment..."
+    debug "Host path: $HOST_PATH"
+
+    # Check prerequisites
+    check_docker
+    check_docker_running
+
+    # Setup environment
+    create_volumes
+    update_image
+
+    # Platform-specific settings
+    local platform
+    platform=$(detect_platform)
+    debug "Platform detected: $platform"
+
+    # Set network mode based on auto-detection or user preference
+    local network_mode="${DCLAUDE_NETWORK:-auto}"
+    local detection_source="default"
+
+    if [[ "$network_mode" == "auto" || -z "$network_mode" ]]; then
+        # Auto-detect network capability
+        network_mode=$(detect_network_capability)
+        detection_source="auto-detected"
+        debug "Auto-detected network mode: $network_mode"
+
+        # Show warning if using bridge mode
+        if [[ "$network_mode" == "bridge" ]]; then
+            warning "Using bridge networking mode on $platform"
+            info "Bridge mode limitations:"
+            info "  - Cannot access services on localhost (use host.docker.internal instead)"
+            info "  - Cannot access other containers via localhost"
+            info "  - Port mapping required for container services"
+            info ""
+            info "For better localhost access, consider:"
+            info "  - macOS: Enable host networking in Docker Desktop (beta) or use OrbStack"
+            info "  - Windows: Enable host networking in Docker Desktop (beta feature)"
+        else
+            debug "Host networking available - full localhost access enabled"
+        fi
+    elif [[ "$network_mode" =~ ^(host|bridge)$ ]]; then
+        detection_source="user-specified"
+        debug "Using user-specified network mode: $network_mode"
+    else
+        warning "Invalid network mode '$network_mode'. Valid options: host, bridge, auto. Falling back to auto-detection"
+        network_mode=$(detect_network_capability)
+        detection_source="fallback auto-detected"
+        debug "Fallback auto-detected network mode: $network_mode"
+    fi
+    debug "Network mode: $network_mode ($detection_source)"
+
+    # Enhanced debug output for network configuration
+    if [[ "$DEBUG" == "true" ]]; then
+        debug "Network configuration summary:"
+        debug "  - Platform: $platform"
+        debug "  - Network mode: $network_mode"
+        debug "  - Detection source: $detection_source"
+        debug "  - DCLAUDE_NETWORK environment: ${DCLAUDE_NETWORK:-<not set>}"
+        if [[ "$detection_source" =~ auto-detected ]]; then
+            debug "  - Auto-detection performed: yes"
+            if [[ -f "${HOME}/.dclaude/network-mode" ]]; then
+                local cache_age
+                if cache_age=$(stat -c %Y "${HOME}/.dclaude/network-mode" 2>/dev/null) || cache_age=$(stat -f %m "${HOME}/.dclaude/network-mode" 2>/dev/null); then
+                    local current_time
+                    current_time=$(date +%s)
+                    local age_hours=$(( (current_time - cache_age) / 3600 ))
+                    debug "  - Cache used: yes (age: ${age_hours}h)"
+                else
+                    debug "  - Cache used: yes (age: unknown)"
+                fi
+            else
+                debug "  - Cache used: no"
+            fi
+        else
+            debug "  - Auto-detection performed: no"
+        fi
+    fi
+
+    # Detect TTY availability
+    local tty_flags=$(detect_tty_flags)
+
+    # Detect Docker socket early (needed for system context generation)
+    if [[ -z "$DOCKER_SOCKET" ]]; then
+        DOCKER_SOCKET=$(detect_docker_socket) || true
+    fi
+    debug "Docker socket detection: ${DOCKER_SOCKET:-<not found>}"
+
+    # Resolve git auth mode from 'auto' to actual mode (needed for system context)
+    local resolved_git_auth="$GIT_AUTH_MODE"
+    if [[ "$GIT_AUTH_MODE" == "auto" ]]; then
+        # Same auto-detection logic as handle_git_auth()
+        if [[ "$MOUNT_CONFIGS" == "true" ]] && [[ -d "${HOME}/.ssh" ]] && [[ -r "${HOME}/.ssh" ]]; then
+            resolved_git_auth="key-mount"
+            debug "Git auth resolved: key-mount (DCLAUDE_MOUNT_CONFIGS=true)"
+        elif [[ -n "${SSH_AUTH_SOCK:-}" ]] && [[ -S "${SSH_AUTH_SOCK}" ]]; then
+            resolved_git_auth="agent-forwarding"
+            debug "Git auth resolved: agent-forwarding (active agent detected)"
+        elif [[ -d "${HOME}/.ssh" ]] && [[ -r "${HOME}/.ssh" ]]; then
+            resolved_git_auth="key-mount"
+            debug "Git auth resolved: key-mount (SSH directory detected)"
+        else
+            resolved_git_auth="none"
+            debug "Git auth resolved: none (no SSH agent or keys found)"
+        fi
+    else
+        debug "Git auth: $resolved_git_auth (user-specified)"
+    fi
+
+    # Generate system context for Claude (if enabled) - must be done early for all code paths
+    local claude_args=()
+    if [[ "$ENABLE_SYSTEM_CONTEXT" == "true" ]]; then
+        local has_docker="false"
+        [[ -n "$DOCKER_SOCKET" ]] && [[ -S "$DOCKER_SOCKET" ]] && has_docker="true"
+
+        local system_context
+        system_context=$(generate_system_context "$network_mode" "$resolved_git_auth" "$has_docker" "$platform" "$DOCKER_SOCKET")
+
+        claude_args+=("--append-system-prompt" "$system_context")
+        debug "System context enabled (${#system_context} chars, has_docker=$has_docker, git_auth=$resolved_git_auth, platform=$platform)"
+        if [[ "$DEBUG" == "true" ]]; then
+            debug "System context preview: ${system_context:0:100}..."
+        fi
+    else
+        debug "System context disabled (DCLAUDE_SYSTEM_CONTEXT=$ENABLE_SYSTEM_CONTEXT)"
+    fi
+
+    # Generate container name based on path (for reuse when DCLAUDE_RM=false)
+    local container_name=""
+    if [[ "$REMOVE_CONTAINER" == "false" ]]; then
+        # Create deterministic name from path hash
+        container_name=$(get_container_name "$HOST_PATH")
+        debug "Container name: $container_name (path: $HOST_PATH)"
+
+        # Check if container already exists
+        if docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+            local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+            debug "Found existing container: $container_name (status: $container_status)"
+
+            if [[ "$container_status" == "running" ]]; then
+                info "Attaching to running container: $container_name"
+            elif [[ "$container_status" == "exited" ]]; then
+                info "Restarting existing container: $container_name"
+                docker start "$container_name" >/dev/null
+
+                # Wait for container to be running
+                local wait_count=0
+                while [[ $wait_count -lt 30 ]]; do
+                    if docker ps -q -f name="^${container_name}$" 2>/dev/null | grep -q .; then
+                        debug "Container restarted successfully"
+                        break
+                    fi
+                    sleep 0.1
+                    ((wait_count++))
+                done
+            fi
+
+            # Check if interactive (TTY available) and not in print mode
+            if [[ -n "$tty_flags" ]] && ! is_print_mode "${claude_args[@]}" "$@"; then
+                # Interactive and not print mode - use tmux for session management
+                local tmux_session
+                if [[ -n "${DCLAUDE_TMUX_SESSION:-}" ]]; then
+                    tmux_session="$DCLAUDE_TMUX_SESSION"
+                    debug "Using custom tmux session name: $tmux_session"
+                else
+                    tmux_session="claude-$(date +%Y%m%d-%H%M%S)"
+                    debug "Generated unique tmux session name: $tmux_session"
+                fi
+
+                # Build env args for docker exec to pass terminal info to tmux session
+                local exec_env_args=()
+                [[ -n "${TERM_PROGRAM:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM=${TERM_PROGRAM}")
+                [[ -n "${TERM_PROGRAM_VERSION:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM_VERSION=${TERM_PROGRAM_VERSION}")
+                [[ -n "${TERM_SESSION_ID:-}" ]] && exec_env_args+=(-e "TERM_SESSION_ID=${TERM_SESSION_ID}")
+                [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
+                # Internal env vars for tmux status bar display
+                exec_env_args+=(-e "_DCLAUDE_NET=${network_mode}")
+                exec_env_args+=(-e "_DCLAUDE_TAG=${DCLAUDE_TAG:-latest}")
+                exec_env_args+=(-e "_DCLAUDE_SESSION=${DCLAUDE_TMUX_SESSION:-auto}")
+
+                debug "Creating new tmux session running Claude"
+                debug "Claude args count: ${#claude_args[@]}, user args: $*"
+                info "Starting new Claude session..."
+                docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf new-session -s "$tmux_session" claude "${claude_args[@]}" "$@"
+                local tmux_exit=$?
+                reset_terminal_mouse
+                exit $tmux_exit
+            else
+                # Non-interactive or print mode - run claude directly without tmux
+                debug "Non-interactive or print mode, running Claude directly (no tmux)"
+                debug "Claude args count: ${#claude_args[@]}, user args: $*"
+                exec docker exec -u claude -w "$HOST_PATH" "$container_name" claude "${claude_args[@]}" "$@"
+            fi
+        fi
+    fi
+
+    # Prepare Docker run arguments
+    DOCKER_ARGS=(
+        "run"
+    )
+
+    # Add --rm flag if enabled (default: true)
+    if [[ "$REMOVE_CONTAINER" == "true" ]]; then
+        DOCKER_ARGS+=("--rm")
+    else
+        # Use named container for reuse
+        DOCKER_ARGS+=("--name" "$container_name")
+    fi
+
+    # TTY flags will be added only when needed (ephemeral containers)
+    # Persistent containers run in background and shouldn't have TTY/stdin attached
+
+
+    DOCKER_ARGS+=(
+        # Mount current directory
+        -v "${HOST_PATH}:${HOST_PATH}"
+        # Mount persistent Claude configuration volume
+        -v "${VOLUME_PREFIX}-claude:/home/claude/.claude"
+        # Mount persistent config volume (gh, etc.)
+        -v "${VOLUME_PREFIX}-config:/home/claude/.config"
+        # Set working directory
+        -w "${HOST_PATH}"
+        # Network mode
+        --network="$network_mode"
+        # Environment - pass through terminal identification for proper feature detection
+        -e "TERM=${TERM:-xterm-256color}"
+    )
+
+    # Reserve SSH port for remote access (JetBrains Gateway, VS Code Remote, etc.)
+    local ssh_port
+    ssh_port=$(find_available_port 2222 65000)
+    debug "SSH port reserved: $ssh_port"
+    DOCKER_ARGS+=(--label "dclaude.ssh.port=${ssh_port}")
+
+    # Port mapping only needed for bridge mode (host mode shares network stack)
+    if [[ "$network_mode" != "host" ]]; then
+        DOCKER_ARGS+=(-p "${ssh_port}:${ssh_port}")
+        debug "SSH port mapping: ${ssh_port}:${ssh_port} (bridge mode)"
+    else
+        debug "SSH port: ${ssh_port} (host mode, no mapping needed)"
+    fi
+
+    # Pass through terminal program information for proper logo rendering
+    if [[ -n "${TERM_PROGRAM:-}" ]]; then
+        DOCKER_ARGS+=(-e "TERM_PROGRAM=${TERM_PROGRAM}")
+    fi
+    if [[ -n "${TERM_PROGRAM_VERSION:-}" ]]; then
+        DOCKER_ARGS+=(-e "TERM_PROGRAM_VERSION=${TERM_PROGRAM_VERSION}")
+    fi
+    if [[ -n "${TERM_SESSION_ID:-}" ]]; then
+        DOCKER_ARGS+=(-e "TERM_SESSION_ID=${TERM_SESSION_ID}")
+    fi
+    if [[ -n "${COLORTERM:-}" ]]; then
+        DOCKER_ARGS+=(-e "COLORTERM=${COLORTERM}")
+    fi
+
+    # Mount Docker socket if detected (detection done earlier for system context)
+    if [[ -n "$DOCKER_SOCKET" ]] && [[ -S "$DOCKER_SOCKET" ]]; then
+        DOCKER_ARGS+=(-v "${DOCKER_SOCKET}:/var/run/docker.sock")
+        debug "Docker socket mounted: $DOCKER_SOCKET"
+    else
+        warning "Docker socket not found"
+        warning "Container will not have Docker access"
+        debug "Searched standard locations and Docker context"
+    fi
+
+    # Handle SSH authentication (agent forwarding or key mounting)
+    # Use process substitution to preserve null bytes
+    while IFS= read -r -d '' ssh_arg; do
+        [[ -n "$ssh_arg" ]] && DOCKER_ARGS+=("$ssh_arg")
+    done < <(handle_git_auth)
+
+    # Mount host configurations if enabled
+    # Use process substitution to preserve null bytes
+    while IFS= read -r -d '' config_arg; do
+        [[ -n "$config_arg" ]] && DOCKER_ARGS+=("$config_arg")
+    done < <(mount_host_configs)
+
+    # Add any additional environment variables
+    if [[ -n "${CLAUDE_MODEL:-}" ]]; then
+        DOCKER_ARGS+=(-e "CLAUDE_MODEL=${CLAUDE_MODEL}")
+    fi
+
+    if [[ "$DEBUG" == "true" ]]; then
+        debug "Container removal: $REMOVE_CONTAINER (DCLAUDE_RM=${DCLAUDE_RM:-<not set>})"
+        debug "Docker command: docker ${DOCKER_ARGS[*]} $IMAGE $*"
+    fi
+
+    # Run Claude in Docker
+    if [[ "$REMOVE_CONTAINER" == "false" ]]; then
+        # For persistent containers, run tini with tail daemon for zombie reaping
+        # tini will reap zombie processes created by exec commands
+        debug "Starting persistent container with tini + tail daemon"
+
+        # TODO: Add retry logic for SSH port allocation race condition
+        # When multiple dclaude instances start simultaneously, they can both detect
+        # the same SSH port as available before either binds to it. This causes the
+        # second instance to fail with "port is already allocated" error.
+        # Solution: If docker run fails with port conflict, re-detect port and retry (max 3 attempts)
+        # See: SSH_TEST_RESULTS.md - Issue 1: Race Condition in Parallel Container Startup
+
+        # Run in detached mode (-d) and capture output (Container ID) or errors
+        local run_output
+        if ! run_output=$(docker "${DOCKER_ARGS[@]}" -d --entrypoint /usr/bin/tini "$IMAGE" -- tail -f /dev/null 2>&1); then
+            error "Failed to start container: $run_output"
+            exit 1
+        fi
+        
+        debug "Container started successfully: $run_output"
+
+        # Run entrypoint setup as root (for Docker socket permissions, etc.)
+        debug "Running entrypoint initialization"
+        docker exec -u root "$container_name" /usr/local/bin/docker-entrypoint.sh true >/dev/null 2>&1 || true
+
+        # Check if interactive (TTY available) and not in print mode
+        if [[ -n "$tty_flags" ]] && ! is_print_mode "${claude_args[@]}" "$@"; then
+            # Interactive and not print mode - use tmux for session management
+            local tmux_session
+            if [[ -n "${DCLAUDE_TMUX_SESSION:-}" ]]; then
+                tmux_session="$DCLAUDE_TMUX_SESSION"
+                debug "Using custom tmux session name: $tmux_session"
+            else
+                tmux_session="claude-$(date +%Y%m%d-%H%M%S)"
+                debug "Generated unique tmux session name: $tmux_session"
+            fi
+
+            # Build env args for docker exec to pass terminal info to tmux session
+            local exec_env_args=()
+            [[ -n "${TERM_PROGRAM:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM=${TERM_PROGRAM}")
+            [[ -n "${TERM_PROGRAM_VERSION:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM_VERSION=${TERM_PROGRAM_VERSION}")
+            [[ -n "${TERM_SESSION_ID:-}" ]] && exec_env_args+=(-e "TERM_SESSION_ID=${TERM_SESSION_ID}")
+            [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
+            # Internal env vars for tmux status bar display
+            exec_env_args+=(-e "_DCLAUDE_NET=${network_mode}")
+            exec_env_args+=(-e "_DCLAUDE_TAG=${DCLAUDE_TAG:-latest}")
+            exec_env_args+=(-e "_DCLAUDE_SESSION=${DCLAUDE_TMUX_SESSION:-auto}")
+
+            debug "Creating new tmux session running Claude"
+            debug "Claude args count: ${#claude_args[@]}, user args: $*"
+            info "Starting new Claude session..."
+            docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf new-session -s "$tmux_session" claude "${claude_args[@]}" "$@"
+            local tmux_exit=$?
+            reset_terminal_mouse
+            exit $tmux_exit
+        else
+            # Non-interactive or print mode - run claude directly without tmux
+            debug "Non-interactive or print mode, running Claude directly (no tmux)"
+            debug "Claude args count: ${#claude_args[@]}, user args: $*"
+            exec docker exec -u claude -w "$HOST_PATH" "$container_name" claude "${claude_args[@]}" "$@"
+        fi
+    else
+        # Ephemeral container - run directly
+        # Add TTY flags here as we are running interactively
+        if [[ -n "$tty_flags" ]]; then
+            DOCKER_ARGS+=($tty_flags)
+        fi
+        debug "Claude args count: ${#claude_args[@]}, user args: $*"
+        exec docker "${DOCKER_ARGS[@]}" "$IMAGE" "${claude_args[@]}" "$@"
+    fi
+}
+
+
+
+# Subcommand: exec into container
+cmd_exec() {
+    # Generate container name from path hash (same logic as main)
+    local container_name=$(get_container_name "$HOST_PATH")
+
+
+    debug "Looking for container: $container_name (path: $HOST_PATH)"
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'DCLAUDE_RM=false dclaude' first to create a persistent container"
+        exit 1
+    fi
+
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+    debug "Container status: $container_status"
+
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Restarting existing container: $container_name"
+            docker start "$container_name" >/dev/null
+            debug "Container restarted successfully"
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            info "Remove it with: docker rm $container_name"
+            exit 1
+        fi
+    fi
+
+    # Detect TTY availability
+    local tty_flags=$(detect_tty_flags)
+
+    # Exec into container as claude user
+    if [[ $# -eq 0 ]]; then
+        # No command specified, open bash shell
+        info "Opening shell in container: $container_name"
+        debug "Exec command: docker exec $tty_flags -u claude -w $HOST_PATH $container_name bash"
+        exec docker exec $tty_flags -u claude -w "$HOST_PATH" "$container_name" bash
+    else
+        # Execute specific command
+        info "Executing command in container: $container_name"
+        debug "Exec command: docker exec $tty_flags -u claude -w $HOST_PATH $container_name $*"
+        exec docker exec $tty_flags -u claude -w "$HOST_PATH" "$container_name" "$@"
+    fi
+}
+
+# Subcommand: authenticate GitHub CLI
+cmd_gh() {
+    # Generate container name based on current directory
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a container"
+        exit 1
+    fi
+
+    # Check if container is running
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Restarting container: $container_name"
+            docker start "$container_name" >/dev/null
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            exit 1
+        fi
+    fi
+
+    info "Starting GitHub CLI authentication..."
+    exec docker exec -it -u claude "$container_name" gh auth login
+}
+
+# Subcommand: attach to existing tmux session
+cmd_attach() {
+    local session_name="${1:-${DCLAUDE_TMUX_SESSION:-}}"
+
+    if [[ -z "$session_name" ]]; then
+        error "No session name provided"
+        info "Usage: dclaude attach <session-name>"
+        info "   or: DCLAUDE_TMUX_SESSION=<name> dclaude attach"
+        exit 1
+    fi
+
+    # Generate container name based on current directory
+    local container_name=$(get_container_name "$HOST_PATH")
+
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a container"
+        exit 1
+    fi
+
+    # Check if container is running
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Restarting container: $container_name"
+            docker start "$container_name" >/dev/null
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            exit 1
+        fi
+    fi
+
+    # Check if session exists
+    if ! docker exec -u claude "$container_name" tmux has-session -t "$session_name" 2>/dev/null; then
+        error "Session '$session_name' not found in container"
+        info "Available sessions:"
+        docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null || echo "  (no sessions running)"
+        exit 1
+    fi
+
+    # Build env args for docker exec
+    local exec_env_args=()
+    [[ -n "${TERM_PROGRAM:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM=${TERM_PROGRAM}")
+    [[ -n "${TERM_PROGRAM_VERSION:-}" ]] && exec_env_args+=(-e "TERM_PROGRAM_VERSION=${TERM_PROGRAM_VERSION}")
+    [[ -n "${TERM_SESSION_ID:-}" ]] && exec_env_args+=(-e "TERM_SESSION_ID=${TERM_SESSION_ID}")
+    [[ -n "${COLORTERM:-}" ]] && exec_env_args+=(-e "COLORTERM=${COLORTERM}")
+
+    # Attach to existing session
+    info "Attaching to session: $session_name"
+    docker exec -it -u claude "${exec_env_args[@]}" "$container_name" tmux -f /home/claude/.tmux.conf attach-session -t "$session_name"
+    local tmux_exit=$?
+    reset_terminal_mouse
+    exit $tmux_exit
+}
+
+# Subcommand: launch Chrome with DevTools and ensure MCP configured
+cmd_chrome() {
+    local setup_only=false
+
+    # Parse flags
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --setup-only)
+                setup_only=true
+                shift
+                ;;
+            --port=*)
+                CHROME_PORT="${1#*=}"
+                shift
+                ;;
+            *)
+                error "Unknown option: $1"
+                info "Usage: dclaude chrome [--setup-only] [--port=PORT]"
+                exit 1
+                ;;
+        esac
+    done
+
+    info "Setting up Chrome DevTools integration"
+
+    # 1. Detect Chrome binary
+    local chrome_bin="$CHROME_BIN"
+    if [[ -z "$chrome_bin" ]]; then
+        debug "Auto-detecting Chrome binary"
+        if [[ "$(uname)" == "Darwin" ]]; then
+            # macOS
+            if [[ -f "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" ]]; then
+                chrome_bin="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
+            elif [[ -f "/Applications/Chromium.app/Contents/MacOS/Chromium" ]]; then
+                chrome_bin="/Applications/Chromium.app/Contents/MacOS/Chromium"
+            fi
+        elif [[ "$(uname)" == "Linux" ]]; then
+            # Linux
+            chrome_bin=$(command -v google-chrome || command -v chromium-browser || command -v chromium || echo "")
+        fi
+
+        if [[ -z "$chrome_bin" ]]; then
+            error "Chrome not found. Set DCLAUDE_CHROME_BIN to specify location"
+            exit 1
+        fi
+        debug "Found Chrome: $chrome_bin"
+    fi
+
+    # 2. Setup profile directory
+    local profile_dir="$HOST_PATH/.dclaude/chrome/profiles/$CHROME_PROFILE"
+    mkdir -p "$profile_dir"
+    debug "Profile directory: $profile_dir"
+
+    # 3. Check/create .mcp.json
+    local mcp_json="$HOST_PATH/.mcp.json"
+    local mcp_port=""
+    local port_mismatch=false
+
+    if [[ -f "$mcp_json" ]]; then
+        debug "Found existing .mcp.json"
+        # Extract port from --browserUrl in .mcp.json
+        mcp_port=$(jq -r '.mcpServers.chrome.args[]? | select(startswith("--browserUrl=")) | split(":")[-1]' "$mcp_json" 2>/dev/null || echo "")
+
+        if [[ -n "$mcp_port" && "$mcp_port" != "$CHROME_PORT" ]]; then
+            port_mismatch=true
+        fi
+    else
+        debug "Creating .mcp.json"
+        cat > "$mcp_json" << EOF
+{
+  "mcpServers": {
+    "chrome": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "chrome-devtools-mcp@latest",
+        "--browserUrl=http://localhost:${CHROME_PORT}"
+      ]
+    }
+  }
+}
+EOF
+        success "Created .mcp.json with Chrome MCP server (port ${CHROME_PORT})"
+    fi
+
+    # 4. Warn if port mismatch
+    if [[ "$port_mismatch" == "true" ]]; then
+        warning "Port mismatch detected!"
+        echo ""
+        echo "  Chrome will launch on port:    ${CHROME_PORT}"
+        echo "  MCP expects (.mcp.json):       ${mcp_port}"
+        echo ""
+        warning "MCP will not be able to connect until .mcp.json is updated"
+        echo ""
+    fi
+
+    # 5. Exit if setup-only
+    if [[ "$setup_only" == "true" ]]; then
+        success "Setup complete (--setup-only mode)"
+        exit 0
+    fi
+
+    # 6. Check if Chrome already running on this port
+    if curl -s "http://localhost:${CHROME_PORT}/json/version" >/dev/null 2>&1; then
+        success "Chrome already running on port ${CHROME_PORT}"
+        curl -s "http://localhost:${CHROME_PORT}/json/version" | jq -r '"  Browser: " + .Browser'
+        exit 0
+    fi
+
+    # 7. Launch Chrome
+    info "Launching Chrome with remote debugging on port ${CHROME_PORT}"
+
+    local chrome_args=(
+        "--user-data-dir=$profile_dir"
+        "--remote-debugging-port=$CHROME_PORT"
+        "--no-first-run"
+        "--no-default-browser-check"
+        "--disable-default-apps"
+        "--disable-sync"
+        "--allow-insecure-localhost"
+    )
+
+    # Add user-specified flags
+    if [[ -n "$CHROME_FLAGS" ]]; then
+        debug "Adding custom flags: $CHROME_FLAGS"
+        read -ra custom_flags <<< "$CHROME_FLAGS"
+        chrome_args+=("${custom_flags[@]}")
+    fi
+
+    debug "Chrome command: $chrome_bin ${chrome_args[*]}"
+
+    # Launch Chrome in background
+    "$chrome_bin" "${chrome_args[@]}" >/dev/null 2>&1 &
+    local chrome_pid=$!
+
+    # 8. Wait for Chrome to be ready
+    info "Waiting for Chrome to start..."
+    local wait_count=0
+    while [[ $wait_count -lt 30 ]]; do
+        if curl -s "http://localhost:${CHROME_PORT}/json/version" >/dev/null 2>&1; then
+            success "Chrome is ready on port ${CHROME_PORT}"
+            curl -s "http://localhost:${CHROME_PORT}/json/version" | jq -r '"  Browser: " + .Browser + "\n  Protocol: " + ."Protocol-Version" + "\n  WebSocket: " + .webSocketDebuggerUrl'
+            echo ""
+            success "Chrome DevTools ready for MCP integration!"
+            info "Next step: Run 'dclaude' to start Claude with Chrome MCP"
+            exit 0
+        fi
+        sleep 0.5
+        ((wait_count++))
+    done
+
+    error "Chrome failed to start or remote debugging port not accessible"
+    exit 1
+}
+
+# Subcommand: pull latest image
+cmd_pull() {
+    info "Pulling latest image: $IMAGE"
+    if docker pull "$IMAGE"; then
+        success "Image pulled successfully"
+    else
+        error "Failed to pull image: $IMAGE"
+        exit 1
+    fi
+}
+
+# Subcommand: update Claude CLI inside container
+cmd_update() {
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a persistent container"
+        exit 1
+    fi
+
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+
+    if [[ "$container_status" != "running" ]]; then
+        error "Container is not running"
+        info "Start it with 'dclaude' first"
+        exit 1
+    fi
+
+    info "Updating Claude CLI..."
+    local npm_output
+    if npm_output=$(docker exec -u claude "$container_name" npm update -g @anthropic-ai/claude-code 2>&1); then
+        # Show command and output together, indented to align with "Debug: " prefix
+        debug "npm update -g @anthropic-ai/claude-code
+$(echo "$npm_output" | sed 's/^/       /')"
+        local new_version=$(docker exec -u claude "$container_name" claude --version 2>/dev/null | head -1)
+        success "Claude CLI updated: $new_version"
+    else
+        debug "npm update -g @anthropic-ai/claude-code
+$(echo "$npm_output" | sed 's/^/       /')"
+        error "Failed to update Claude CLI"
+        exit 1
+    fi
+    exit 0
+}
+
+# Subcommand: stop container for current directory
+cmd_stop() {
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        info "No container found for this directory"
+        debug "Container name would be: $container_name"
+        exit 0
+    fi
+
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+
+    if [[ "$container_status" == "running" ]]; then
+        # Count active tmux sessions
+        local session_count
+        session_count=$(docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
+
+        if [[ "$session_count" =~ ^[0-9]+$ ]] && [[ "$session_count" -gt 0 ]]; then
+            info "Stopping container $container_name ($session_count active session(s))..."
+        else
+            info "Stopping container $container_name..."
+        fi
+
+        if docker stop "$container_name" >/dev/null; then
+            success "Container stopped"
+        else
+            error "Failed to stop container"
+            exit 1
+        fi
+    else
+        info "Container $container_name is not running (status: $container_status)"
+    fi
+    exit 0
+}
+
+# Subcommand: SSH server for remote access (JetBrains Gateway, debugging, etc.)
+cmd_ssh() {
+    local action=""
+
+    # Parse flags
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --stop)
+                action="stop"
+                shift
+                ;;
+            --help|-h)
+                cat << 'SSH_HELP'
+dclaude ssh - SSH Server for Remote Access
+
+Usage:
+  dclaude ssh              Start SSH server and show connection info
+  dclaude ssh --stop       Stop SSH server
+
+Connection:
+  ssh claude@localhost -p <port>
+  Username: claude
+  Password: claude
+
+Use Cases:
+  - JetBrains Gateway (PhpStorm, IntelliJ, WebStorm, etc.)
+  - Remote debugging
+  - SFTP file transfer
+  - VS Code Remote SSH
+
+JetBrains Gateway Setup:
+  1. Start container: dclaude
+  2. Start SSH: dclaude ssh
+  3. Open JetBrains Gateway
+  4. New Connection → SSH → localhost:<port shown above>
+  5. Username: claude, Password: claude
+  6. Gateway will download and install IDE backend automatically
+  7. Select your project directory
+
+SSH_HELP
+                exit 0
+                ;;
+            *)
+                error "Unknown option: $1"
+                info "Usage: dclaude ssh [--stop]"
+                exit 1
+                ;;
+        esac
+    done
+
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a persistent container"
+        exit 1
+    fi
+
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Starting container: $container_name"
+            docker start "$container_name" >/dev/null
+            sleep 1
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            exit 1
+        fi
+    fi
+
+    # Get SSH port from container label
+    local ssh_port
+    ssh_port=$(docker inspect --format='{{index .Config.Labels "dclaude.ssh.port"}}' "$container_name" 2>/dev/null)
+
+    if [[ -z "$ssh_port" ]]; then
+        error "SSH port not configured for this container"
+        echo ""
+        info "This container was created with an older version of dclaude."
+        info "To enable SSH, recreate the container:"
+        echo ""
+        echo "  dclaude rm -f"
+        echo "  dclaude"
+        echo "  dclaude ssh"
+        echo ""
+        exit 1
+    fi
+
+    case "$action" in
+        stop)
+            if docker exec "$container_name" pgrep -x sshd >/dev/null 2>&1; then
+                info "Stopping SSH server..."
+                docker exec -u root "$container_name" pkill -x sshd 2>/dev/null || true
+                success "SSH server stopped"
+            else
+                info "SSH server is not running"
+            fi
+            ;;
+
+        "")
+            # Default: start SSH and show connection info
+            # Start SSH if not running
+            if docker exec "$container_name" pgrep -x sshd >/dev/null 2>&1; then
+                info "SSH server already running"
+            else
+                info "Starting SSH server on port $ssh_port..."
+                docker exec -u root "$container_name" sh -c "
+                    if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+                        ssh-keygen -A >/dev/null 2>&1
+                    fi
+                    /usr/sbin/sshd -p $ssh_port
+                "
+                success "SSH server started"
+            fi
+
+            echo ""
+            echo "SSH Connection"
+            echo "=============="
+            echo "  Host:     localhost"
+            echo "  Port:     $ssh_port"
+            echo "  Username: claude"
+            echo "  Password: claude"
+            echo ""
+            echo "  ssh claude@localhost -p $ssh_port"
+            echo ""
+            ;;
+    esac
+
+    exit 0
+}
+
+# Subcommand: remove container for current directory
+cmd_rm() {
+    local force=false
+
+    # Parse flags
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            -f|--force)
+                force=true
+                shift
+                ;;
+            *)
+                error "Unknown option: $1"
+                info "Usage: dclaude rm [-f|--force]"
+                exit 1
+                ;;
+        esac
+    done
+
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        info "No container found for this directory"
+        debug "Container name would be: $container_name"
+        exit 0
+    fi
+
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+
+    if [[ "$container_status" == "running" ]]; then
+        if [[ "$force" == "true" ]]; then
+            # Count active tmux sessions
+            local session_count
+            session_count=$(docker exec -u claude "$container_name" tmux list-sessions 2>/dev/null | wc -l | tr -d '[:space:]') || session_count=0
+
+            if [[ "$session_count" =~ ^[0-9]+$ ]] && [[ "$session_count" -gt 0 ]]; then
+                info "Removing running container $container_name ($session_count active session(s))..."
+            else
+                info "Removing running container $container_name..."
+            fi
+
+            if docker rm -f "$container_name" >/dev/null; then
+                success "Container removed"
+            else
+                error "Failed to remove container"
+                exit 1
+            fi
+        else
+            error "Container $container_name is running"
+            info "Stop it first with: dclaude stop"
+            info "Or force remove with: dclaude rm -f"
+            exit 1
+        fi
+    else
+        info "Removing container $container_name..."
+        if docker rm "$container_name" >/dev/null; then
+            success "Container removed"
+        else
+            error "Failed to remove container"
+            exit 1
+        fi
+    fi
+    exit 0
+}
+
+# Initialize HOST_PATH once for all commands
+HOST_PATH=$(get_host_path)
+
+# Handle subcommands
+if [[ $# -gt 0 ]]; then
+    case "$1" in
+        new)
+            # Explicit "new" command - shift and pass remaining args to main
+            shift
+            # Fall through to main function
+            ;;
+        attach)
+            shift
+            cmd_attach "$@"
+            ;;
+        exec|shell|bash)
+            shift
+            cmd_exec "$@"
+            ;;
+        chrome)
+            shift
+            cmd_chrome "$@"
+            ;;
+        gh)
+            shift
+            cmd_gh "$@"
+            ;;
+        pull)
+            shift
+            cmd_pull "$@"
+            ;;
+        update)
+            shift
+            cmd_update "$@"
+            ;;
+        stop)
+            shift
+            cmd_stop "$@"
+            ;;
+        rm)
+            shift
+            cmd_rm "$@"
+            ;;
+        ssh)
+            shift
+            cmd_ssh "$@"
+            ;;
+        --help|-h|help)
+            cat << 'EOF'
+dclaude - Dockerized Claude Code Launcher
+
+Usage:
+  dclaude [options]           Start new Claude session (default)
+  dclaude new [options]       Start new Claude session (explicit)
+  dclaude attach <session>    Attach to existing tmux session
+  dclaude pull                Pull latest Docker image
+  dclaude update              Update Claude CLI inside container
+  dclaude stop                Stop container for current directory
+  dclaude rm [-f]             Remove container for current directory
+  dclaude ssh                 Start SSH server for remote access
+  dclaude chrome [options]    Launch Chrome with DevTools and MCP integration
+  dclaude gh                  Authenticate GitHub CLI (runs gh auth login)
+  dclaude exec [command]      Execute command in container (default: bash)
+  dclaude shell               Open bash shell in container
+  dclaude --help              Show this help
+
+Environment Variables:
+  DCLAUDE_TAG                Docker image tag (default: latest)
+  DCLAUDE_RM                 Remove container on exit (default: false)
+  DCLAUDE_DEBUG              Enable debug output (default: false)
+  DCLAUDE_MOUNT_CONFIGS      Mount host configs (default: false)
+  DCLAUDE_GIT_AUTH           SSH auth for Git: auto, agent-forwarding, key-mount, none
+  DCLAUDE_NETWORK            Network mode: auto, host, bridge
+  DCLAUDE_DOCKER_SOCKET      Override Docker socket path
+  DCLAUDE_TMUX_SESSION       Custom tmux session name (default: claude-TIMESTAMP)
+  DCLAUDE_CHROME_BIN         Chrome executable path (auto-detected if not set)
+  DCLAUDE_CHROME_PROFILE     Chrome profile name (default: claude)
+  DCLAUDE_CHROME_PORT        Chrome debugging port (default: 9222)
+  DCLAUDE_CHROME_FLAGS       Additional Chrome flags (default: empty)
+
+Examples:
+  # Start new Claude session (auto-generated session name)
+  dclaude
+  dclaude new
+
+  # Start with custom session name (role-based workflows)
+  DCLAUDE_TMUX_SESSION=claude-architect dclaude
+  dclaude new --dangerously-skip-permissions
+
+  # Attach to existing named session
+  dclaude attach claude-architect
+  DCLAUDE_TMUX_SESSION=claude-architect dclaude attach
+
+  # Start with ephemeral container (removed on exit)
+  DCLAUDE_RM=true dclaude
+
+  # Update image and restart container
+  dclaude pull                                   # Pull latest image
+  dclaude update                                 # Update Claude CLI in container
+  dclaude stop                                   # Stop container (preserves it)
+  dclaude rm                                     # Remove stopped container
+  dclaude rm -f                                  # Force remove running container
+
+  # SSH server for remote access (JetBrains Gateway, VS Code Remote, etc.)
+  dclaude ssh                                  # Start SSH server, show connection info
+  dclaude ssh --stop                           # Stop SSH server
+
+  # Launch Chrome with DevTools for MCP integration
+  dclaude chrome
+  dclaude chrome --port=9223                    # Custom debugging port
+  dclaude chrome --setup-only                   # Just create .mcp.json, don't launch
+  DCLAUDE_CHROME_PROFILE=testing dclaude chrome # Use different profile
+
+  # Authenticate GitHub CLI (persists in dclaude-config volume)
+  dclaude gh
+
+  # Open bash shell in running container
+  dclaude exec
+
+  # Run command in container
+  dclaude exec npm install
+
+For more information: https://github.com/alanbem/dclaude
+EOF
+            exit 0
+            ;;
+    esac
+fi
+
+# Handle signals
+
+trap 'exit 130' INT
+trap 'exit 143' TERM
+
+# Run main function
+main "$@"