@paulduvall/claude-dev-toolkit 0.0.1-alpha.11 → 0.0.1-alpha.13

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Paul Duvall
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -20,7 +20,7 @@ claude
 - **Security Hooks**: Automated security validation and governance
 - **Configuration Templates**: Pre-configured settings for different workflows
 - **Interactive Setup Wizard**: Guided installation with customization options
-- **JavaScript Test Suite**: 100% test coverage with 10 comprehensive test suites
+- **JavaScript Test Suite**: 25 test suites validating package structure, commands, and integration
 
 ## 🎯 Quick Start
 
@@ -166,11 +166,11 @@ npm run lint             # Code linting
 ```
 
 ### Test Coverage
-- **10 Test Suites**: 100% passing
-- **Command Validation**: All 58 commands validated
-- **Security Tests**: Comprehensive security pattern validation
-- **Integration Tests**: End-to-end workflow testing
-- **Configuration Tests**: Template and setup validation
+- **25 Test Suites**: Package structure, CLI, and command validation
+- **Command Validation**: All commands validated for structure and naming
+- **Security Tests**: Credential exposure and placeholder detection
+- **Integration Tests**: Hook and subagent workflow testing
+- **Shell Tests**: 8 bash test suites for hooks and lib modules
 
 ### Architecture
 - **Self-Contained Package**: No dependencies on repository cloning
@@ -288,7 +288,7 @@ npm test
 - ✅ **Symlink Consolidation**: Eliminated duplicate directories
 - ✅ **JavaScript Migration**: Complete test suite migration from Python
 - ✅ **Enhanced Templates**: Fixed configuration template issues
-- ✅ **100% Test Coverage**: All 10 test suites passing
+- ✅ **Test Suites**: Package structure and command validation
 - ✅ **58 Total Commands**: 13 active + 45 experimental commands
 - ✅ **Security Enhancements**: Comprehensive security hook system
 

package/bin/claude-commands

@@ -19,36 +19,75 @@ program
 program
     .command('list')
     .description('List all available commands')
+    .addHelpText('after', `
+Examples:
+  $ claude-commands list              # List all installed commands
+  $ claude-commands list --active     # Show only production commands
+  $ claude-commands list --experiments # Show only experimental commands`)
     .option('-a, --active', 'Show only active commands')
     .option('-e, --experiments', 'Show only experimental commands')
     .action((options) => {
         const claudeDir = path.join(os.homedir(), '.claude', 'commands');
-        
+        const pkgDir = path.join(__dirname, '..', 'commands');
+
         console.log('📦 Claude Custom Commands\n');
-        
-        if (fs.existsSync(claudeDir)) {
-            const allCommands = fs.readdirSync(claudeDir)
+
+        // Determine source: installed commands or package commands
+        const sourceDir = fs.existsSync(claudeDir) ? claudeDir : null;
+
+        if (sourceDir) {
+            let allCommands = fs.readdirSync(sourceDir)
                 .filter(f => f.endsWith('.md'))
                 .map(f => f.replace('.md', ''))
                 .sort();
-            
+
+            // Apply --active/--experiments filters using package source dirs
+            if (options.active || options.experiments) {
+                const activeDir = path.join(pkgDir, 'active');
+                const expDir = path.join(pkgDir, 'experiments');
+                const activeSet = new Set();
+                const expSet = new Set();
+
+                if (fs.existsSync(activeDir)) {
+                    fs.readdirSync(activeDir)
+                        .filter(f => f.endsWith('.md'))
+                        .forEach(f => activeSet.add(f.replace('.md', '')));
+                }
+                if (fs.existsSync(expDir)) {
+                    fs.readdirSync(expDir)
+                        .filter(f => f.endsWith('.md'))
+                        .forEach(f => expSet.add(f.replace('.md', '')));
+                }
+
+                if (options.active) {
+                    allCommands = allCommands.filter(cmd => activeSet.has(cmd));
+                } else if (options.experiments) {
+                    allCommands = allCommands.filter(cmd => expSet.has(cmd));
+                }
+            }
+
             if (allCommands.length > 0) {
-                console.log('🚀 Available Commands:');
+                const label = options.active ? 'Active' : options.experiments ? 'Experimental' : 'Available';
+                console.log(`🚀 ${label} Commands:`);
                 allCommands.forEach(cmd => console.log(`  /${cmd}`));
                 console.log(`\n📊 Total: ${allCommands.length} commands`);
             } else {
-                console.log('  No commands found');
+                console.log('  No commands found matching filter');
             }
         } else {
             console.log('  Commands directory not found');
+            console.log('  Run: claude-commands install');
         }
-        
-        console.log('\n💡 Usage: Try /xhelp in Claude Code to see all commands');
     });
 
 program
     .command('install')
     .description('Install command sets to ~/.claude/commands/')
+    .addHelpText('after', `
+Examples:
+  $ claude-commands install            # Install active commands (default)
+  $ claude-commands install --all      # Install all commands
+  $ claude-commands install --dry-run  # Preview without changes`)
     .option('--active', 'Install production-ready commands (default)')
     .option('--experiments', 'Install experimental commands only')
     .option('--all', 'Install both active and experimental')
@@ -153,6 +192,11 @@ program
 program
     .command('setup')
     .description('Setup the Claude Dev Toolkit with custom commands and configuration')
+    .addHelpText('after', `
+Examples:
+  $ claude-commands setup                            # Interactive setup
+  $ claude-commands setup --type basic --commands all # Basic config, all commands
+  $ claude-commands setup --dry-run                   # Preview setup actions`)
     .option('--type <template>', 'Configuration template to apply (basic, comprehensive, security-focused)')
     .option('--commands <set>', 'Command set to install (active, experiments, all, none)')
     .option('--skip-configure', 'Skip configuration step')
@@ -328,4 +372,23 @@ program
         }
     });
 
+program
+    .command('uninstall')
+    .description('Remove all installed commands, hooks, and subagents')
+    .addHelpText('after', `
+Examples:
+  $ claude-commands uninstall           # Remove all installed files
+  $ claude-commands uninstall --dry-run # Preview what would be removed`)
+    .option('--dry-run', 'Preview what would be removed without deleting')
+    .option('--keep-settings', 'Keep settings.json intact')
+    .action((options) => {
+        const uninstaller = require('../lib/uninstall-command');
+        try {
+            uninstaller.execute(options);
+        } catch (error) {
+            console.error(`Uninstall failed: ${error.message}`);
+            process.exit(1);
+        }
+    });
+
 program.parse(process.argv);

package/commands/active/xcontinue.md

@@ -0,0 +1,92 @@
+---
+description: Continue an execution plan from where it left off across sessions
+tags: [workflow, execution-plan, session-continuity, automation]
+---
+
+# Execution Plan Continuation
+
+Resume a multi-step execution plan, picking up at the next incomplete task.
+
+## Usage Examples
+
+**Resume the current plan:**
+```
+/xcontinue
+```
+
+**Help and options:**
+```
+/xcontinue help
+/xcontinue --help
+```
+
+## Implementation
+
+If $ARGUMENTS contains "help" or "--help":
+Display this usage information and exit.
+
+### Step 1: Find the Execution Plan
+
+Search for execution plan files in the current directory:
+
+```bash
+find . -maxdepth 2 -iname "*plan*" -name "*.md" ! -path "*/node_modules/*" ! -path "*/.git/*" 2>/dev/null
+```
+
+- Common names: `EXECUTION_PLAN.md`, `PLAN.md`, `execution-plan.md`
+
+If no plan file is found:
+- Tell the user: "No execution plan found in this directory."
+- Suggest creating one with a basic template:
+
+```markdown
+# Execution Plan
+
+| # | Task | Status | Notes |
+|---|------|--------|-------|
+| 1 | [First task] | [ ] pending | |
+| 2 | [Second task] | [ ] pending | |
+```
+
+Stop and wait for user input.
+
+### Step 2: Parse Plan Progress
+
+Read the plan file and identify:
+- **Completed tasks**: Lines with `[x]`, `done`, or checkmarks
+- **Pending tasks**: Lines with `[ ]`, `pending`, or unchecked items
+- **In-progress tasks**: Lines with `in-progress` or `in progress`
+
+Display a progress summary:
+```
+Progress: X of Y tasks complete
+Next task: [description of next pending task]
+```
+
+If all tasks are complete:
+- Congratulate the user
+- Summarize what was accomplished
+- Suggest cleanup: "Consider deleting the plan file if work is done."
+- Stop execution.
+
+### Step 3: Execute Next Task
+
+Pick the first task with status `pending` or `[ ]`:
+1. Read the task description and any acceptance criteria
+2. Implement the task fully
+3. Run validation if applicable (tests, lint, build)
+4. Verify acceptance criteria pass
+
+### Step 4: Update Plan and Handoff
+
+After completing the task:
+1. Update the plan file — mark the task as `[x] done` with a timestamp
+2. Update any counters (Done/Remaining) in the plan header
+3. Tell the user:
+
+```
+Task #N complete: [brief summary]
+Run /clear then /xcontinue to proceed to the next task.
+```
+
+This handoff protocol ensures context stays fresh across sessions.

package/commands/active/xexplore.md

@@ -0,0 +1,94 @@
+---
+description: Explore a codebase topic before making changes (read-only)
+tags: [exploration, codebase, discovery, read-only]
+---
+
+# Codebase Exploration
+
+Comprehensively search the codebase for a topic before making any changes. Read-only — no files are modified.
+
+## Usage Examples
+
+**Explore a topic:**
+```
+/xexplore authentication
+```
+
+**Explore a specific area:**
+```
+/xexplore database migrations
+```
+
+**Help and options:**
+```
+/xexplore help
+/xexplore --help
+```
+
+## Implementation
+
+If $ARGUMENTS contains "help" or "--help":
+Display this usage information and exit.
+
+If $ARGUMENTS is empty:
+Tell the user: "Please provide a topic to explore. Example: /xexplore authentication"
+Stop and wait for input.
+
+### Step 1: Search by File Name
+
+Find files whose names match the topic:
+
+```bash
+find . -iname "*$ARGUMENTS*" ! -path "*/node_modules/*" ! -path "*/.git/*" ! -path "*/vendor/*" 2>/dev/null | head -30
+```
+
+### Step 2: Search by Content
+
+Grep the codebase for the topic keyword:
+- Search all source files for content matching $ARGUMENTS
+- Capture file paths and line numbers for key matches
+- Limit to first 20 matches per file to avoid flooding
+
+### Step 3: Search Configuration
+
+Check config files specifically:
+- `*.json`, `*.yaml`, `*.yml`, `*.toml`, `*.env*`, `*.ini`
+- Look for the topic in config values, keys, and comments
+
+### Step 4: Search Tests
+
+Find test files related to the topic:
+- Patterns: `*test*`, `*spec*`, `__tests__/`
+- Check both file names and file content
+
+### Step 5: Search Documentation
+
+Check docs for the topic:
+- `*.md` files, `docs/` directory, `README*`
+- Wiki or guide references
+
+### Step 6: Report
+
+Present findings in a structured inventory:
+
+```
+## Exploration Report: [topic]
+
+### Source Files (N found)
+- path/to/file.ts:42 — [matching line preview]
+
+### Tests (N found)
+- tests/path/to/test.ts:15 — [matching line preview]
+
+### Configuration (N found)
+- config/settings.json:8 — [matching line preview]
+
+### Documentation (N found)
+- docs/guide.md:23 — [matching line preview]
+```
+
+If nothing is found:
+- Tell the user: "No matches found for '[topic]'."
+- Suggest broadening the search or trying alternate terms.
+
+**Do NOT make any changes to any files. This command is read-only.**

package/commands/active/xverify.md

@@ -0,0 +1,80 @@
+---
+description: "Verify references before taking action — catch fabricated URLs, placeholder IDs, and unverified claims"
+tags: ["verification", "quality", "safety", "pre-action"]
+---
+
+# Pre-Action Verification
+
+Scan proposed changes, generated content, or referenced artifacts for fabricated URLs, placeholder IDs, nonexistent file paths, and unverified references. Run this before committing, publishing, or acting on generated content.
+
+## Usage Examples
+
+**Verify current staged changes:**
+```
+/xverify
+```
+
+**Verify a specific file:**
+```
+/xverify README.md
+```
+
+**Verify generated documentation:**
+```
+/xverify docs/
+```
+
+## What Gets Checked
+
+### URLs and Endpoints
+- HTTP/HTTPS URLs: attempt to confirm they are plausible (check format, known domains)
+- API endpoints: verify they match project routes or documented APIs
+- Flag common fabrication patterns: `example.com` placeholders, sequential IDs, lorem ipsum domains
+
+### File Paths and References
+- Verify referenced file paths exist on disk
+- Check import/require statements resolve to real modules
+- Flag references to deleted or renamed files
+
+### IDs and Tokens
+- Flag placeholder patterns: `xxx`, `TODO`, `FIXME`, `your-*-here`, `placeholder`
+- Check for hardcoded test IDs that may not be valid in production
+- Flag UUIDs or IDs that appear fabricated (all zeros, sequential)
+
+### Claims and Assertions
+- Cross-check version numbers against package.json or lock files
+- Verify command names match actual available commands
+- Check that referenced environment variables are documented
+
+## Output Format
+
+For each issue found, report:
+1. **File and line** where the reference appears
+2. **What was found** (the suspicious reference)
+3. **Why it's suspicious** (pattern match or verification failure)
+4. **Suggested fix** (if determinable)
+
+## Implementation
+
+When invoked:
+
+1. **Determine scope**: If a file or directory argument is provided, scan that. Otherwise scan staged git changes (`git diff --cached`), or if nothing is staged, scan recent modifications.
+
+2. **Extract references**: Parse the scoped content for:
+   - URLs (http/https links)
+   - File paths (relative and absolute)
+   - Import/require statements
+   - Version strings
+   - Environment variable references
+   - Command names with `/x` prefix
+
+3. **Verify each reference**:
+   - File paths: check `fs.existsSync` or equivalent
+   - URLs: validate format, flag known placeholder domains
+   - Versions: cross-check against package.json
+   - Commands: cross-check against slash-commands/active/ and experiments/
+   - Env vars: check against .env.example or documentation
+
+4. **Report findings**: Group by severity (error, warning, info) and output a summary table.
+
+5. **Exit cleanly**: This is a read-only verification. No files are modified.

package/commands/experiments/xdevcontainer.md

@@ -0,0 +1,238 @@
+---
+description: Set up Anthropic's official devcontainer for running Claude Code with --dangerously-skip-permissions safely
+tags: [devcontainer, security, isolation, docker, autonomous, permissions]
+---
+
+Set up a secure devcontainer environment based on Anthropic's official reference implementation.
+
+Reference: https://docs.anthropic.com/en/docs/claude-code/devcontainer
+
+First, check the current environment and any existing configuration:
+!ls -la .devcontainer/ 2>/dev/null || echo "No existing devcontainer configuration"
+!which docker 2>/dev/null && docker --version || echo "Docker not installed"
+!which devcontainer 2>/dev/null && devcontainer --version || echo "devcontainer CLI not installed"
+!echo "ANTHROPIC_API_KEY is $([ -n \"$ANTHROPIC_API_KEY\" ] && echo 'set' || echo 'NOT SET')"
+
+Based on $ARGUMENTS, perform the appropriate devcontainer operation:
+
+## 1. Create Devcontainer (default, --create, --setup)
+
+If creating a new devcontainer configuration or no arguments provided:
+
+### Recommended Security Configuration
+
+Create `.devcontainer/devcontainer.json`:
+```json
+{
+  "name": "Claude Code Sandbox",
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/node:1": {},
+    "ghcr.io/devcontainers/features/python:1": {},
+    "ghcr.io/devcontainers/features/git:1": {},
+    "ghcr.io/devcontainers/features/github-cli:1": {},
+    "ghcr.io/devcontainers/features/aws-cli:1": {},
+    "ghcr.io/devcontainers/features/docker-in-docker:1": {}
+  },
+  "postCreateCommand": "npm install -g @anthropic-ai/claude-code && pip install --user boto3 requests",
+  "remoteEnv": {
+    "ANTHROPIC_API_KEY": "${localEnv:ANTHROPIC_API_KEY}",
+    "GITHUB_TOKEN": "${localEnv:GITHUB_TOKEN}",
+    "AWS_ACCESS_KEY_ID": "${localEnv:AWS_ACCESS_KEY_ID}",
+    "AWS_SECRET_ACCESS_KEY": "${localEnv:AWS_SECRET_ACCESS_KEY}",
+    "AWS_DEFAULT_REGION": "${localEnv:AWS_DEFAULT_REGION}"
+  },
+  "runArgs": [
+    "--cap-drop=ALL",
+    "--security-opt=no-new-privileges"
+  ],
+  "mounts": [],
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "anthropic.claude-code"
+      ],
+      "settings": {
+        "terminal.integrated.defaultProfile.linux": "bash"
+      }
+    }
+  }
+}
+```
+
+Create `.devcontainer/Dockerfile`:
+```dockerfile
+# Anthropic's recommended devcontainer for Claude Code
+# Reference: https://docs.anthropic.com/en/docs/claude-code/devcontainer
+FROM mcr.microsoft.com/devcontainers/base:ubuntu
+
+# Security labels
+LABEL org.opencontainers.image.title="Claude Code Sandbox"
+LABEL org.opencontainers.image.description="Secure container for running Claude Code with --dangerously-skip-permissions"
+LABEL org.opencontainers.image.vendor="Generated by setup-devcontainer.sh"
+
+# Install essential security tools
+RUN apt-get update && apt-get install -y \
+    curl \
+    ca-certificates \
+    gnupg \
+    lsb-release \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Network firewall - only allow specific domains
+RUN apt-get update && apt-get install -y iptables dnsutils && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Create firewall setup script (runs at container start)
+# Rules are processed in order - first match wins
+RUN echo '#!/bin/bash' > /usr/local/bin/setup-firewall.sh && \
+    echo 'set -e' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -o lo -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p udp --dport 53 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp -d api.anthropic.com --dport 443 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp -d github.com --dport 443 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp -d registry.npmjs.org --dport 443 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp -d pypi.org --dport 443 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp -d files.pythonhosted.org --dport 443 -j ACCEPT' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp --dport 443 -j DROP' >> /usr/local/bin/setup-firewall.sh && \
+    echo 'iptables -A OUTPUT -p tcp --dport 80 -j DROP' >> /usr/local/bin/setup-firewall.sh && \
+    chmod +x /usr/local/bin/setup-firewall.sh
+
+# Create non-root user workspace
+RUN mkdir -p /workspace && chown vscode:vscode /workspace
+WORKDIR /workspace
+
+# Default to non-root user
+USER vscode
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
+    CMD curl -sf https://api.anthropic.com/health || exit 1
+```
+
+Key security features:
+- **`--cap-drop=ALL`**: Drops all Linux capabilities
+- **`--security-opt=no-new-privileges`**: Prevents privilege escalation
+- **Network firewall**: Only allows traffic to allowlisted domains
+- **No mounts**: Isolates from host filesystem
+
+## 2. Using the Setup Script (--script)
+
+If the user wants to use the automated setup script:
+!ls -la setup-devcontainer.sh 2>/dev/null || echo "Script not in current directory"
+
+Run the setup script:
+```bash
+# Full setup with recommended security
+./setup-devcontainer.sh
+
+# Minimal setup (Node.js and Git only)
+./setup-devcontainer.sh --minimal
+
+# Skip network firewall restrictions
+./setup-devcontainer.sh --no-network-firewall
+
+# Preview what would be created
+./setup-devcontainer.sh --dry-run
+
+# Strict mode for CI (fails if prerequisites missing)
+./setup-devcontainer.sh --strict
+
+# Add custom domains for enterprise private registries
+./setup-devcontainer.sh --allow-domain internal.registry.com
+
+# Or use environment variable for extra domains
+DEVCONTAINER_EXTRA_DOMAINS="internal.registry.com,npm.mycompany.com" ./setup-devcontainer.sh
+```
+
+## 3. Start Container (--start, --up)
+
+If starting the devcontainer:
+!docker ps -a | grep -i devcontainer | head -3 || echo "No devcontainer running"
+
+Start commands:
+```bash
+# Using VS Code
+# Cmd/Ctrl+Shift+P → "Dev Containers: Reopen in Container"
+
+# Using devcontainer CLI
+devcontainer up --workspace-folder .
+devcontainer exec --workspace-folder . claude --dangerously-skip-permissions
+```
+
+## 4. Security Validation (--validate, --check)
+
+If validating the devcontainer security:
+!cat .devcontainer/devcontainer.json 2>/dev/null | grep -E "(cap-drop|no-new-privileges|mounts)" || echo "Security settings not found"
+!cat .devcontainer/Dockerfile 2>/dev/null | grep -E "(iptables|DROP)" || echo "Firewall rules not found"
+
+Verify:
+- [ ] `--cap-drop=ALL` is present in runArgs
+- [ ] `--security-opt=no-new-privileges` is present
+- [ ] Network firewall rules block unauthorized outbound traffic
+- [ ] No host filesystem mounts configured
+
+## 5. Cleanup (--cleanup, --remove)
+
+If cleaning up devcontainer:
+```bash
+# Stop and remove container
+devcontainer down --workspace-folder .
+
+# Remove configuration (optional)
+rm -rf .devcontainer/
+```
+
+## Comparison: /sandbox vs Devcontainer
+
+| Aspect | Claude's `/sandbox` | Devcontainer |
+|--------|---------------------|--------------|
+| **Purpose** | Run code snippets safely | Run Claude itself isolated |
+| **Scope** | Ephemeral execution | Persistent dev environment |
+| **What's isolated** | Your code | The entire Claude session |
+| **Use case** | "Test this script" | "Let Claude work autonomously" |
+| **Flag enabled** | N/A | `--dangerously-skip-permissions` |
+
+## Security Considerations
+
+**Safe for:**
+- Your own trusted projects
+- Development and testing workflows
+- CI/CD automation with Claude
+
+**Avoid for:**
+- Untrusted repositories (prompt injection risk)
+- Projects with sensitive credentials you haven't reviewed
+- Production systems
+
+**Remember:** Even with isolation, credentials inside the container are accessible to Claude. Only pass credentials you're comfortable with Claude having access to.
+
+## Quick Start
+
+```bash
+# 1. Set API key
+export ANTHROPIC_API_KEY="sk-ant-..."
+
+# 2. Run setup script (or create files manually)
+./setup-devcontainer.sh
+
+# 3. Open in VS Code and reopen in container
+code . && # Cmd+Shift+P → "Dev Containers: Reopen in Container"
+
+# 4. Run Claude with full autonomy
+claude --dangerously-skip-permissions
+```
+
+Think step by step about the user's devcontainer needs and provide:
+
+1. **Environment Assessment**: Current setup, Docker availability, existing configuration
+2. **Security Recommendation**: Appropriate isolation level based on use case
+3. **Implementation**: Create or modify devcontainer configuration
+4. **Validation**: Verify security settings are correctly applied
+5. **Usage Instructions**: How to start and use the devcontainer
+
+If no specific operation is provided, assess the current environment and help create a secure devcontainer configuration using Anthropic's recommended approach.