@alanbem/dclaude 0.0.13 → 0.0.15

package/README.md

@@ -1,29 +1,31 @@
-# dclaude
+# dclaude — Dockerized Claude Code
 
+[![CI/CD](https://github.com/alanbem/dclaude/actions/workflows/ci-cd.yml/badge.svg)](https://github.com/alanbem/dclaude/actions/workflows/ci-cd.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Docker Hub](https://img.shields.io/docker/v/alanbem/dclaude?label=Docker%20Hub)](https://hub.docker.com/r/alanbem/dclaude)
+[![Docker Pulls](https://img.shields.io/docker/pulls/alanbem/dclaude)](https://hub.docker.com/r/alanbem/dclaude)
 [![npm](https://img.shields.io/npm/v/@alanbem/dclaude)](https://www.npmjs.com/package/@alanbem/dclaude)
 
-Run Claude Code CLI in Docker - no local installation needed. Full MCP support, persistent sessions, and seamless host integration.
+Run Claude Code CLI in Docker — no local installation needed. Full MCP support, persistent sessions, and seamless host integration.
 
 ## Why dclaude?
 
 **Claude Code CLI is powerful, but installing it locally means:**
-- Node.js version conflicts
-- Global npm packages cluttering your system
 - MCP servers needing specific Python/Node setups
 - Different behavior across machines
+- Claude has access to your entire filesystem
 
 **dclaude solves this by running Claude in a container that feels native:**
+- **Safer `--dangerously-skip-permissions`** - container isolation means Claude can only access your project, not your whole system
 - Your files appear at the same paths (no `/app` or `/workspace` confusion)
 - Docker commands work (socket is mounted)
 - SSH keys and git config just work
 - Homebrew included - easy migration from local macOS setup
 - Works on Linux, macOS, and Windows
-- **Safer `--dangerously-skip-permissions`** - container isolation means Claude can only access your project, not your whole system
 
 ## Quick Start
 
+> **Prerequisite:** A Docker-compatible runtime such as [Docker Desktop](https://docs.docker.com/get-docker/), [OrbStack](https://orbstack.dev/), or [Colima](https://github.com/abiosoft/colima) must be installed and running.
+
 ### Install via NPM (Recommended)
 
 ```bash
@@ -42,6 +44,8 @@ sudo ln -s ~/tools/dclaude/dclaude /usr/local/bin/dclaude
 dclaude
 ```
 
+> **First run:** The Docker image (~1GB) is pulled automatically on first launch. You'll be prompted to authenticate with your Anthropic account.
+
 ## Basic Usage
 
 **dclaude passes all arguments directly to Claude CLI** - use it exactly as you would use `claude`:
@@ -69,9 +73,10 @@ dclaude exec brew install ripgrep
 dclaude creates a container that mirrors your host environment:
 
 1. **Path Mirroring**: Your current directory is mounted at the *same path*
-   - On host: `/Users/alice/projects/myapp`
-   - In container: `/Users/alice/projects/myapp`
-   - All your file paths just work
+   ```
+   Host:      /Users/alice/projects/myapp ──mount──> Container: /Users/alice/projects/myapp
+   ```
+   No `/app` or `/workspace` confusion — all your file paths just work
 
 2. **Docker Access**: The Docker socket is mounted, so Claude can build images, run containers, and manage compose stacks
 
@@ -112,7 +117,7 @@ DCLAUDE_GIT_AUTH=agent-forwarding dclaude
 DCLAUDE_GIT_AUTH=key-mount dclaude
 ```
 
-Make sure your SSH key is loaded: `ssh-add -l`
+dclaude warns you if no keys are loaded and suggests `dclaude ssh keys` to load them automatically (see also [SSH Key and Server Management](#ssh-key-and-server-management)).
 
 ### Homebrew Support
 
@@ -132,25 +137,68 @@ dclaude gh                        # Interactive GitHub login
 dclaude exec gh pr list           # Use gh commands
 ```
 
-### SSH Server for IDEs
+### Git Configuration
+
+SSH agent forwarding provides authentication for git, but git also needs your identity (name/email) for commits. Use `dclaude git` to configure this:
+
+```bash
+dclaude git                       # Configure git name/email in container
+```
+
+This reads your host's `~/.gitconfig` and offers to copy the identity into the container's persistent volume.
 
-Connect JetBrains Gateway, VS Code Remote, or any SSH client:
+### SSH Key and Server Management
+
+Load SSH keys and start SSH server for JetBrains Gateway, VS Code Remote, or any SSH client (see also [SSH Authentication](#ssh-authentication)):
 
 ```bash
-dclaude ssh                       # Start SSH server, shows port
+dclaude ssh                       # Load keys + start SSH server
+dclaude ssh keys                  # Load SSH keys into agent
+dclaude ssh server                # Start SSH server, shows port
+dclaude ssh server --stop         # Stop SSH server
 # Connect: ssh claude@localhost -p <port>
 # Password: claude
 ```
 
 ### Chrome DevTools Integration
 
-Control Chrome via MCP for browser automation:
+Control Chrome via MCP for browser automation. Chrome runs on the host with remote debugging; Claude connects from the container:
 
 ```bash
-dclaude chrome                    # Launch Chrome with DevTools
+dclaude chrome                    # Launch Chrome with DevTools + create .mcp.json
+dclaude chrome --port=9223        # Use custom debugging port
+dclaude chrome --setup-only       # Create .mcp.json without launching Chrome
 dclaude                           # Claude can now interact with the browser
 ```
 
+Chrome profiles are stored per-project in `.dclaude.d/chrome/profiles/`. Customize with `DCLAUDE_CHROME_PROFILE`, `DCLAUDE_CHROME_PORT`, `DCLAUDE_CHROME_BIN`, and `DCLAUDE_CHROME_FLAGS`.
+
+### AWS CLI Integration
+
+AWS CLI v2 is pre-installed in the container. Configure how AWS credentials are provided:
+
+```bash
+# Auto (default): mounts ~/.aws from host if it exists, otherwise no config
+dclaude
+
+# Mount host's ~/.aws directory (read-write, shared with host)
+DCLAUDE_AWS_CLI=mount dclaude
+
+# Use isolated Docker volume (persists across container recreations)
+DCLAUDE_AWS_CLI=volume dclaude
+
+# No AWS config mounting
+DCLAUDE_AWS_CLI=none dclaude
+```
+
+**Volume mode** provides isolated AWS config per namespace:
+
+```bash
+dclaude aws configure                  # Copy ~/.aws/config (profiles, regions) into container
+dclaude aws login                      # Run 'aws login' in container
+dclaude aws login --profile staging    # Login with specific profile
+```
+
 ### iTerm2 Shell Integration
 
 If you use iTerm2 on macOS, dclaude automatically enables [iTerm2 Shell Integration](https://iterm2.com/documentation-shell-integration.html):
@@ -173,6 +221,7 @@ dclaude automatically tells Claude about its container environment so it can giv
 - **Network mode** - Whether `localhost` works or needs `host.docker.internal`
 - **Docker access** - Whether Docker commands are available
 - **SSH auth method** - How git authentication is configured
+- **AWS CLI** - Whether and how AWS credentials are configured
 - **Path mirroring** - That file paths match the host
 
 This helps Claude understand its environment without you explaining it. Disable if needed:
@@ -181,6 +230,24 @@ This helps Claude understand its environment without you explaining it. Disable
 DCLAUDE_SYSTEM_CONTEXT=false dclaude
 ```
 
+## Container Management
+
+```bash
+# Session management
+dclaude new                       # Start a new Claude session
+dclaude attach <session>          # Reattach to a named tmux session
+DCLAUDE_TMUX_SESSION=reviewer dclaude  # Start a named session
+
+# Container lifecycle
+dclaude stop                      # Stop container for current directory
+dclaude rm                        # Remove container (add -f to force)
+
+# Maintenance
+dclaude pull                      # Pull latest Docker image
+dclaude update                    # Update Claude CLI inside container
+dclaude shell                     # Open a bash shell (alias for exec)
+```
+
 ## Environment Variables
 
 | Variable | Default | Description |
@@ -195,7 +262,10 @@ DCLAUDE_SYSTEM_CONTEXT=false dclaude
 | `DCLAUDE_QUIET` | `false` | Suppress info messages |
 | `DCLAUDE_NO_UPDATE` | `false` | Skip image update check |
 | `DCLAUDE_SYSTEM_CONTEXT` | `true` | Inform Claude about container environment |
+| `DCLAUDE_AWS_CLI` | `auto` | AWS config: `auto`, `mount`, `volume`, `none` |
+| `DCLAUDE_TMUX_SESSION` | `claude-TIMESTAMP` | Custom tmux session name for concurrent sessions |
 | `DCLAUDE_ITERM2` | `true` | Enable iTerm2 shell integration (only affects iTerm2) |
+| `DCLAUDE_CA_CERT` | (none) | Path to CA certificate for corporate SSL inspection |
 
 ## Configuration File
 
@@ -206,6 +276,7 @@ Create a `.dclaude` file at your project root to configure dclaude for that dire
 NAMESPACE=mycompany
 NETWORK=host
 DEBUG=true
+CA_CERT=certs/corporate-ca.pem
 ```
 
 dclaude walks up the directory tree to find `.dclaude` files. Any dclaude session started from that directory or any subdirectory will use these settings.
@@ -220,6 +291,10 @@ dclaude walks up the directory tree to find `.dclaude` files. Any dclaude sessio
 | `MOUNT_ROOT` | Mount directory (relative to config file, or absolute path) |
 | `DEBUG` | Enable debug output (`true`, `false`) |
 | `CHROME_PORT` | Chrome DevTools port |
+| `AWS_CLI` | AWS config mode (`mount`, `volume`, `none`) |
+| `CA_CERT` | Path to CA certificate for corporate SSL inspection (relative to config file, or absolute) |
+
+Config file variables are the unprefixed equivalents of `DCLAUDE_*` environment variables (e.g., `NAMESPACE` in `.dclaude` = `DCLAUDE_NAMESPACE` env var).
 
 **Precedence:** Environment variables override `.dclaude` file settings.
 
@@ -315,18 +390,19 @@ DCLAUDE_NETWORK=bridge dclaude
 |----------|--------|-------|
 | Linux | Full support | Host networking available |
 | macOS | Full support | Host networking with OrbStack or Docker Desktop beta |
-| Windows | Full support | WSL2/Docker Desktop, host networking with beta features |
+| Windows | Full support | Requires WSL2; host networking with Docker Desktop beta features |
 
 ## What's Included
 
 The container includes:
 - **Ubuntu 24.04 LTS** base
-- **Claude Code CLI** (latest)
+- **Claude Code CLI** (latest, AMD64 and ARM64/Apple Silicon)
 - **Node.js 20+**, **Python 3** with pip
 - **Homebrew/Linuxbrew** for package management
 - **Docker CLI** and **Docker Compose**
 - **Git**, **GitHub CLI** (`gh`), common dev tools
 - **tmux** for session management
+- **AWS CLI v2** for cloud operations
 - **SSH server** for IDE integration
 
 ## Troubleshooting
@@ -384,6 +460,21 @@ mv problematic-dir problematic-dir.tmp && mv problematic-dir.tmp problematic-dir
 
 Upgrading to the latest OrbStack version may also help.
 
+## Shell Completions
+
+Tab completion is available for bash and zsh:
+
+```bash
+# Bash — add to ~/.bashrc
+source "$(npm root -g)/@alanbem/dclaude/completions/dclaude.bash"
+
+# Zsh — add to ~/.zshrc
+source "$(npm root -g)/@alanbem/dclaude/completions/dclaude.zsh"
+
+# Source install — use the repo path directly
+source ~/tools/dclaude/completions/dclaude.bash
+```
+
 ## Project Structure
 
 ```text
@@ -393,7 +484,9 @@ Upgrading to the latest OrbStack version may also help.
 │   ├── Dockerfile          # Container image definition
 │   ├── README.md           # Docker Hub documentation
 │   ├── usr/local/bin/
-│   │   └── docker-entrypoint.sh
+│   │   ├── docker-entrypoint.sh
+│   │   ├── claude-launcher.sh
+│   │   └── tmux-wrapper.sh
 │   └── home/claude/
 │       └── .tmux.conf
 ├── .github/workflows/      # CI/CD (lint, scan, publish)

package/dclaude

@@ -135,6 +135,21 @@ load_config_file() {
                         fi
                     fi
                     ;;
+                AWS_CLI)
+                    [[ -z "${DCLAUDE_AWS_CLI:-}" ]] && DCLAUDE_AWS_CLI="$value"
+                    ;;
+                CA_CERT)
+                    if [[ -z "${DCLAUDE_CA_CERT:-}" ]]; then
+                        # Resolve relative paths relative to config file's directory
+                        if [[ "$value" != /* ]]; then
+                            local config_dir
+                            config_dir=$(dirname "$config_file")
+                            DCLAUDE_CA_CERT=$(cd "$config_dir" && realpath "$value" 2>/dev/null)
+                        else
+                            DCLAUDE_CA_CERT="$value"
+                        fi
+                    fi
+                    ;;
             esac
         fi
     done < "$config_file"
@@ -151,6 +166,12 @@ readonly DEBUG="${DCLAUDE_DEBUG:-false}"
 readonly GIT_AUTH_MODE="${DCLAUDE_GIT_AUTH:-auto}"  # auto, agent-forwarding, key-mount, none
 readonly NAMESPACE="${DCLAUDE_NAMESPACE:-}"
 CHROME_PORT="${DCLAUDE_CHROME_PORT:-9222}"
+readonly AWS_CLI_MODE="${DCLAUDE_AWS_CLI:-auto}"  # auto, mount, volume, none
+# Resolve CA_CERT relative paths (env var: relative to PWD, config file: already resolved)
+if [[ -n "${DCLAUDE_CA_CERT:-}" && "${DCLAUDE_CA_CERT}" != /* ]]; then
+    DCLAUDE_CA_CERT=$(realpath "$DCLAUDE_CA_CERT" 2>/dev/null) || DCLAUDE_CA_CERT="$PWD/$DCLAUDE_CA_CERT"
+fi
+readonly CA_CERT="${DCLAUDE_CA_CERT:-}"  # Path to CA certificate for corporate proxies
 
 # Show config file if loaded (always at info level, details at debug)
 if [[ -n "$DCLAUDE_CONFIG_FILE" ]]; then
@@ -161,6 +182,8 @@ if [[ -n "$DCLAUDE_CONFIG_FILE" ]]; then
         [[ -n "${DCLAUDE_GIT_AUTH:-}" ]] && debug "  GIT_AUTH=$DCLAUDE_GIT_AUTH"
         [[ -n "${DCLAUDE_CHROME_PORT:-}" ]] && debug "  CHROME_PORT=$DCLAUDE_CHROME_PORT"
         [[ -n "${DCLAUDE_MOUNT_ROOT:-}" ]] && debug "  MOUNT_ROOT=$DCLAUDE_MOUNT_ROOT"
+        [[ -n "${DCLAUDE_AWS_CLI:-}" ]] && debug "  AWS_CLI=$DCLAUDE_AWS_CLI"
+        [[ -n "$CA_CERT" ]] && debug "  CA_CERT=$CA_CERT"
     fi
 fi
 
@@ -510,6 +533,36 @@ get_volume_name() {
     fi
 }
 
+# Get AWS volume name (includes namespace if set)
+get_aws_volume_name() {
+    if [[ -n "$NAMESPACE" ]]; then
+        echo "${VOLUME_PREFIX}-${NAMESPACE}-aws"
+    else
+        echo "${VOLUME_PREFIX}-aws"
+    fi
+}
+
+# Resolve AWS CLI mode from configured value
+# auto → mount (if ~/.aws exists) or none
+resolve_aws_cli_mode() {
+    case "$AWS_CLI_MODE" in
+        mount|volume|none)
+            echo "$AWS_CLI_MODE"
+            ;;
+        auto)
+            if [[ -d "${HOME}/.aws" ]]; then
+                echo "mount"
+            else
+                echo "none"
+            fi
+            ;;
+        *)
+            warning "Unknown AWS_CLI mode: $AWS_CLI_MODE (using none)"
+            echo "none"
+            ;;
+    esac
+}
+
 # Create Docker volumes if they don't exist
 create_volumes() {
     # Create essential volume for Claude CLI persistence
@@ -526,6 +579,24 @@ create_volumes() {
     else
         debug "Volume exists: $volume"
     fi
+
+    # Create AWS volume if volume mode is active
+    local aws_mode
+    aws_mode=$(resolve_aws_cli_mode)
+    if [[ "$aws_mode" == "volume" ]]; then
+        local aws_volume
+        aws_volume=$(get_aws_volume_name)
+        if ! docker volume inspect "$aws_volume" &> /dev/null; then
+            info "Creating AWS volume: $aws_volume"
+            if ! docker volume create "$aws_volume" > /dev/null; then
+                error "Failed to create volume: $aws_volume"
+                exit 1
+            fi
+            debug "Volume created successfully: $aws_volume"
+        else
+            debug "Volume exists: $aws_volume"
+        fi
+    fi
 }
 
 # Pull or update the Docker image
@@ -660,6 +731,7 @@ generate_system_context() {
     local has_docker="${3:-false}"
     local platform="${4:-unknown}"
     local docker_socket="${5:-}"
+    local aws_cli_mode="${6:-none}"
 
     cat <<'EOF'
 
@@ -806,8 +878,36 @@ EOF
 ## Development Tools Available
 - **Languages**: Node.js 20+, Python 3
 - **Package Managers**: npm, pip, Homebrew/Linuxbrew
-- **Tools**: git, gh (GitHub CLI), docker, docker-compose, curl, tmux, nano
+- **Tools**: git, gh (GitHub CLI), docker, docker-compose, aws (AWS CLI v2), curl, tmux, nano
 - **Shell**: bash (your commands execute in bash shell)
+EOF
+
+    # AWS CLI context
+    case "$aws_cli_mode" in
+        mount)
+            cat <<'EOF'
+- **AWS CLI**: Configured — credentials mounted from host's `~/.aws` directory
+  - All host AWS profiles, SSO config, and credentials are available
+  - Changes to AWS config (e.g., `aws sso login`) are shared with host
+EOF
+            ;;
+        volume)
+            cat <<'EOF'
+- **AWS CLI**: Configured — credentials stored in persistent Docker volume
+  - AWS config is isolated from host and persists across container recreations
+  - Run `aws configure` or `aws configure sso` to set up credentials
+EOF
+            ;;
+        *)
+            cat <<'EOF'
+- **AWS CLI**: Installed but no credentials configured
+  - User can set `DCLAUDE_AWS_CLI=mount` when launching dclaude to use host's `~/.aws` config
+  - User can set `DCLAUDE_AWS_CLI=volume` when launching dclaude for isolated persistent config
+EOF
+            ;;
+    esac
+
+    cat <<'EOF'
 
 ## Git Configuration Requirements
 **IMPORTANT**: Before performing any git operations (commit, push, etc.), you MUST:
@@ -1573,14 +1673,27 @@ main() {
         debug "Git auth: $resolved_git_auth (user-specified)"
     fi
 
+    # Warn if agent-forwarding is active but no keys are loaded
+    if [[ "$resolved_git_auth" == "agent-forwarding" ]]; then
+        local ssh_add_rc=0
+        ssh-add -l >/dev/null 2>&1 || ssh_add_rc=$?
+        if [[ $ssh_add_rc -eq 1 ]]; then
+            warning "SSH agent has no keys loaded — SSH won't work inside container."
+            warning "Run 'dclaude ssh keys' to load your keys."
+        fi
+    fi
+
     # Generate system context for Claude (if enabled) - must be done early for all code paths
     local claude_args=()
     if [[ "$ENABLE_SYSTEM_CONTEXT" == "true" ]]; then
         local has_docker="false"
         [[ -n "$DOCKER_SOCKET" ]] && [[ -S "$DOCKER_SOCKET" ]] && has_docker="true"
 
+        local resolved_aws_cli_mode
+        resolved_aws_cli_mode=$(resolve_aws_cli_mode)
+
         local system_context
-        system_context=$(generate_system_context "$network_mode" "$resolved_git_auth" "$has_docker" "$platform" "$DOCKER_SOCKET")
+        system_context=$(generate_system_context "$network_mode" "$resolved_git_auth" "$has_docker" "$platform" "$DOCKER_SOCKET" "$resolved_aws_cli_mode")
 
         claude_args+=("--append-system-prompt" "$system_context")
         debug "System context enabled (${#system_context} chars, has_docker=$has_docker, git_auth=$resolved_git_auth, platform=$platform)"
@@ -1793,6 +1906,49 @@ main() {
         [[ -n "$ssh_arg" ]] && DOCKER_ARGS+=("$ssh_arg")
     done < <(handle_git_auth)
 
+    # Handle AWS CLI configuration mounting
+    local resolved_aws_mode
+    resolved_aws_mode=$(resolve_aws_cli_mode)
+    # Pass mode to entrypoint so it knows whether to chown .aws (volume only)
+    DOCKER_ARGS+=(-e "DCLAUDE_AWS_CLI_MODE=${resolved_aws_mode}")
+    case "$resolved_aws_mode" in
+        mount)
+            if [[ -d "${HOME}/.aws" ]]; then
+                DOCKER_ARGS+=(-v "${HOME}/.aws:/home/claude/.aws")
+                info "AWS CLI: mounting host ~/.aws"
+                debug "AWS config mounted from host: ${HOME}/.aws"
+            else
+                warning "AWS_CLI=mount but ~/.aws not found, skipping"
+            fi
+            ;;
+        volume)
+            local aws_volume
+            aws_volume=$(get_aws_volume_name)
+            DOCKER_ARGS+=(-v "${aws_volume}:/home/claude/.aws")
+            debug "AWS config using volume: $aws_volume"
+            ;;
+        none)
+            debug "AWS CLI config mounting disabled"
+            ;;
+    esac
+
+    # Handle CA certificate for corporate proxies / SSL inspection
+    # The cert file must be within the mounted directory tree to be accessible inside the container
+    if [[ -n "$CA_CERT" ]]; then
+        if [[ ! -f "$CA_CERT" ]]; then
+            warning "CA certificate not found: $CA_CERT"
+        elif [[ "$CA_CERT" != "$MOUNT_ROOT"* ]]; then
+            warning "CA certificate is outside the mounted directory: $CA_CERT"
+            warning "It must be within: $MOUNT_ROOT"
+        else
+            DOCKER_ARGS+=(
+                -e "NODE_EXTRA_CA_CERTS=${CA_CERT}"
+                -e "SSL_CERT_FILE=${CA_CERT}"
+            )
+            info "CA certificate: $CA_CERT"
+        fi
+    fi
+
     # Add any additional environment variables
     if [[ -n "${CLAUDE_MODEL:-}" ]]; then
         DOCKER_ARGS+=(-e "CLAUDE_MODEL=${CLAUDE_MODEL}")
@@ -2269,8 +2425,117 @@ cmd_stop() {
     exit 0
 }
 
-# Subcommand: SSH server for remote access (JetBrains Gateway, debugging, etc.)
+# Subcommand: SSH — dispatches to 'keys', 'server', or both
 cmd_ssh() {
+    local rc=0
+    case "${1:-}" in
+        keys)
+            shift
+            cmd_ssh_keys "$@" || rc=$?
+            ;;
+        server)
+            shift
+            cmd_ssh_server "$@" || rc=$?
+            ;;
+        --help|-h)
+            cat << 'SSH_HELP'
+dclaude ssh - SSH Key and Server Management
+
+Usage:
+  dclaude ssh              Load SSH keys into agent and start SSH server
+  dclaude ssh keys         Load SSH keys into agent
+  dclaude ssh server       Start SSH server and show connection info
+  dclaude ssh server --stop  Stop SSH server
+
+SSH_HELP
+            exit 0
+            ;;
+        "")
+            # Bare 'dclaude ssh': load keys (non-fatal), then start server
+            cmd_ssh_keys "$@" || true
+            echo ""
+            cmd_ssh_server "$@" || rc=$?
+            ;;
+        *)
+            error "Unknown subcommand: $1"
+            info "Usage: dclaude ssh [keys | server]"
+            exit 1
+            ;;
+    esac
+    exit "$rc"
+}
+
+# Subcommand: SSH key loading
+cmd_ssh_keys() {
+    # Parse flags
+    while [[ $# -gt 0 ]]; do
+        case "$1" in
+            --help|-h)
+                cat << 'SSH_KEYS_HELP'
+dclaude ssh keys - Load SSH Keys into Agent
+
+Usage:
+  dclaude ssh keys         Detect and load SSH keys from ~/.ssh/
+
+Detects private keys (id_rsa, id_ed25519, etc.) in ~/.ssh/ and loads
+them into the SSH agent via ssh-add. May prompt for passphrases.
+
+SSH_KEYS_HELP
+                return 0
+                ;;
+            *)
+                error "Unknown option: $1"
+                info "Usage: dclaude ssh keys"
+                return 1
+                ;;
+        esac
+    done
+
+    local ssh_dir="${HOME}/.ssh"
+    if [[ ! -d "$ssh_dir" ]]; then
+        error "No ~/.ssh directory found"
+        return 1
+    fi
+
+    # Detect private key files
+    local keys=()
+    for key_file in "$ssh_dir"/id_*; do
+        [[ -f "$key_file" ]] || continue
+        # Skip public keys and certificates
+        [[ "$key_file" == *.pub ]] && continue
+        [[ "$key_file" == *-cert.pub ]] && continue
+        keys+=("$key_file")
+    done
+
+    if [[ ${#keys[@]} -eq 0 ]]; then
+        warning "No SSH keys found in ~/.ssh/"
+        info "Generate a key with: ssh-keygen -t ed25519"
+        return 1
+    fi
+
+    info "Loading SSH keys..."
+    local loaded=0
+    for key_file in "${keys[@]}"; do
+        local display_path="~/.ssh/$(basename "$key_file")"
+        if ssh-add "$key_file" 2>/dev/null; then
+            success "  $display_path"
+            loaded=$((loaded + 1))
+        else
+            warning "  $display_path (failed — wrong passphrase or unsupported key)"
+        fi
+    done
+
+    echo ""
+    if [[ $loaded -gt 0 ]]; then
+        success "$loaded key(s) loaded into SSH agent."
+    else
+        error "No keys were loaded"
+        return 1
+    fi
+}
+
+# Subcommand: SSH server for remote access (JetBrains Gateway, debugging, etc.)
+cmd_ssh_server() {
     local action=""
 
     # Parse flags
@@ -2281,12 +2546,12 @@ cmd_ssh() {
                 shift
                 ;;
             --help|-h)
-                cat << 'SSH_HELP'
-dclaude ssh - SSH Server for Remote Access
+                cat << 'SSH_SERVER_HELP'
+dclaude ssh server - SSH Server for Remote Access
 
 Usage:
-  dclaude ssh              Start SSH server and show connection info
-  dclaude ssh --stop       Stop SSH server
+  dclaude ssh server         Start SSH server and show connection info
+  dclaude ssh server --stop  Stop SSH server
 
 Connection:
   ssh claude@localhost -p <port>
@@ -2301,20 +2566,20 @@ Use Cases:
 
 JetBrains Gateway Setup:
   1. Start container: dclaude
-  2. Start SSH: dclaude ssh
+  2. Start SSH: dclaude ssh server
   3. Open JetBrains Gateway
   4. New Connection → SSH → localhost:<port shown above>
   5. Username: claude, Password: claude
   6. Gateway will download and install IDE backend automatically
   7. Select your project directory
 
-SSH_HELP
-                exit 0
+SSH_SERVER_HELP
+                return 0
                 ;;
             *)
                 error "Unknown option: $1"
-                info "Usage: dclaude ssh [--stop]"
-                exit 1
+                info "Usage: dclaude ssh server [--stop]"
+                return 1
                 ;;
         esac
     done
@@ -2325,7 +2590,7 @@ SSH_HELP
     if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
         error "No container found for this directory"
         info "Run 'dclaude' first to create a persistent container"
-        exit 1
+        return 1
     fi
 
     local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
@@ -2337,7 +2602,7 @@ SSH_HELP
             sleep 1
         else
             error "Container $container_name is in unexpected state: $container_status"
-            exit 1
+            return 1
         fi
     fi
 
@@ -2353,9 +2618,9 @@ SSH_HELP
         echo ""
         echo "  dclaude rm -f"
         echo "  dclaude"
-        echo "  dclaude ssh"
+        echo "  dclaude ssh server"
         echo ""
-        exit 1
+        return 1
     fi
 
     case "$action" in
@@ -2397,8 +2662,6 @@ SSH_HELP
             echo ""
             ;;
     esac
-
-    exit 0
 }
 
 # Subcommand: remove container for current directory
@@ -2477,6 +2740,133 @@ cmd_rm() {
 }
 
 # Subcommand: configure git identity
+cmd_aws_configure() {
+    local container_name="$1"
+
+    # This subcommand only makes sense for volume mode
+    local resolved_mode
+    resolved_mode=$(resolve_aws_cli_mode)
+    if [[ "$resolved_mode" != "volume" ]]; then
+        error "dclaude aws configure is only for AWS_CLI=volume mode"
+        if [[ "$resolved_mode" == "mount" ]]; then
+            info "Current mode is 'mount' — host's ~/.aws is already available in the container"
+        else
+            info "Set DCLAUDE_AWS_CLI=volume to use persistent AWS volume"
+        fi
+        exit 1
+    fi
+
+    echo ""
+    echo "AWS CLI Configuration"
+    echo "─────────────────────"
+
+    # Check existing config in container
+    local existing_config
+    existing_config=$(docker exec -u claude "$container_name" cat /home/claude/.aws/config 2>/dev/null || echo "")
+
+    if [[ -n "$existing_config" ]]; then
+        echo "Current config in container:"
+        echo "$existing_config" | sed 's/^/  /'
+        echo ""
+        read -p "Overwrite with host config? [y/N]: " overwrite
+        if [[ "$overwrite" != "y" && "$overwrite" != "Y" ]]; then
+            exit 0
+        fi
+    fi
+
+    # Check host config
+    if [[ ! -f "${HOME}/.aws/config" ]]; then
+        error "No ~/.aws/config found on host"
+        info "Run 'aws configure sso' on your host first, then re-run this command"
+        exit 1
+    fi
+
+    echo "Found on host:"
+    sed 's/^/  /' "${HOME}/.aws/config"
+    echo ""
+    info "Only config (profiles, regions, SSO URLs) will be copied — no credentials or tokens"
+    echo ""
+    read -p "Copy to container? [Y/n]: " copy
+    if [[ "$copy" == "n" || "$copy" == "N" ]]; then
+        exit 0
+    fi
+
+    # Copy config file into container (docker cp copies as root, fix ownership after)
+    docker exec -u claude "$container_name" mkdir -p /home/claude/.aws
+    docker cp "${HOME}/.aws/config" "${container_name}:/home/claude/.aws/config"
+    docker exec "$container_name" chown claude:claude /home/claude/.aws /home/claude/.aws/config
+    docker exec "$container_name" chmod 600 /home/claude/.aws/config
+
+    echo ""
+    success "AWS config copied to container"
+    info "Run 'dclaude aws login' or 'aws login' inside dclaude to authenticate"
+    exit 0
+}
+
+cmd_aws_login() {
+    local container_name="$1"
+    shift
+
+    local tty_flags
+    tty_flags=$(detect_tty_flags)
+
+    info "Starting AWS login..."
+    # shellcheck disable=SC2086
+    exec docker exec $tty_flags -u claude "$container_name" aws login "$@"
+}
+
+cmd_aws() {
+    local container_name=$(get_container_name "$HOST_PATH")
+
+    # Check if container exists
+    if ! docker ps -a --format '{{.Names}}' | grep -q "^${container_name}$"; then
+        error "No container found for this directory"
+        info "Run 'dclaude' first to create a container"
+        exit 1
+    fi
+
+    # Check if container is running
+    local container_status=$(docker inspect --format='{{.State.Status}}' "$container_name" 2>/dev/null)
+    if [[ "$container_status" != "running" ]]; then
+        if [[ "$container_status" == "exited" ]]; then
+            info "Starting container: $container_name"
+            docker start "$container_name" >/dev/null
+            sleep 1
+        else
+            error "Container $container_name is in unexpected state: $container_status"
+            exit 1
+        fi
+    fi
+
+    # Dispatch subcommands
+    local subcmd="${1:-}"
+    case "$subcmd" in
+        configure)
+            shift
+            cmd_aws_configure "$container_name" "$@"
+            ;;
+        login)
+            shift
+            cmd_aws_login "$container_name" "$@"
+            ;;
+        --help|-h|"")
+            echo "Usage:"
+            echo "  dclaude aws configure    Copy AWS config from host (volume mode)"
+            echo "  dclaude aws login        Run AWS login in container"
+            echo "  dclaude aws login --profile <name>  Login with specific profile"
+            exit 0
+            ;;
+        *)
+            error "Unknown subcommand: $subcmd"
+            echo "Usage:"
+            echo "  dclaude aws configure    Copy AWS config from host (volume mode)"
+            echo "  dclaude aws login        Run AWS login in container"
+            echo "  dclaude aws login --profile <name>  Login with specific profile"
+            exit 1
+            ;;
+    esac
+}
+
 cmd_git() {
     local container_name=$(get_container_name "$HOST_PATH")
 
@@ -2616,6 +3006,10 @@ if [[ $# -gt 0 ]]; then
             shift
             cmd_git "$@"
             ;;
+        aws)
+            shift
+            cmd_aws "$@"
+            ;;
         --help|-h|help)
             cat << 'EOF'
 dclaude - Dockerized Claude Code Launcher
@@ -2628,8 +3022,12 @@ Usage:
   dclaude update              Update Claude CLI inside container
   dclaude stop                Stop container for current directory
   dclaude rm [-f]             Remove container for current directory
-  dclaude ssh                 Start SSH server for remote access
+  dclaude ssh                 Load SSH keys and start SSH server
+  dclaude ssh keys            Load SSH keys into agent
+  dclaude ssh server          Start SSH server for remote access
   dclaude git                 Configure git identity (name/email)
+  dclaude aws configure       Copy AWS config from host to container (volume mode)
+  dclaude aws login           Run AWS login in container
   dclaude chrome [options]    Launch Chrome with DevTools and MCP integration
   dclaude gh                  Authenticate GitHub CLI (runs gh auth login)
   dclaude exec [command]      Execute command in container (default: bash)
@@ -2644,6 +3042,7 @@ Environment Variables:
   DCLAUDE_GIT_AUTH           SSH auth for Git: auto, agent-forwarding, key-mount, none
   DCLAUDE_NETWORK            Network mode: auto, host, bridge
   DCLAUDE_MOUNT_ROOT         Mount parent directory (absolute or relative path)
+  DCLAUDE_AWS_CLI            AWS config mode: auto, mount, volume, none
   DCLAUDE_DOCKER_SOCKET      Override Docker socket path
   DCLAUDE_TMUX_SESSION       Custom tmux session name (default: claude-TIMESTAMP)
   DCLAUDE_CHROME_BIN         Chrome executable path (auto-detected if not set)
@@ -2655,6 +3054,7 @@ Configuration File (.dclaude):
   Create a .dclaude file at project root to configure dclaude for that tree:
     NAMESPACE=mycompany
     NETWORK=host
+    AWS_CLI=mount
     DEBUG=true
     MOUNT_ROOT=.           # Mount config file's directory
     MOUNT_ROOT=..          # Mount parent of config file's directory
@@ -2693,9 +3093,11 @@ Examples:
   dclaude rm                                     # Remove stopped container
   dclaude rm -f                                  # Force remove running container
 
-  # SSH server for remote access (JetBrains Gateway, VS Code Remote, etc.)
-  dclaude ssh                                  # Start SSH server, show connection info
-  dclaude ssh --stop                           # Stop SSH server
+  # SSH key and server management
+  dclaude ssh                                  # Load keys + start SSH server
+  dclaude ssh keys                             # Load SSH keys into agent
+  dclaude ssh server                           # Start SSH server, show connection info
+  dclaude ssh server --stop                    # Stop SSH server
 
   # Launch Chrome with DevTools for MCP integration
   dclaude chrome

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@alanbem/dclaude",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "Dockerized Claude Code CLI launcher with MCP support",
   "main": "dclaude",
   "bin": {