Skip to content

Commit ad0cc69

Browse files
stranmaclaude
andcommitted
fix: address CodeRabbit review feedback
- Replace grep -v '^$' with sed '/^$/d' to avoid errexit on empty input (critical: script dies when no WebFetch domains configured) - Add missing telemetry domains to built-in allowlist docs - Clarify restart vs rebuild for settings changes Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent c480fdc commit ad0cc69

3 files changed

Lines changed: 5 additions & 5 deletions

File tree

.devcontainer/init-firewall.sh

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -131,7 +131,7 @@ for settings_file in "$SETTINGS_DIR/settings.json" "$SETTINGS_DIR/settings.local
131131
fi
132132
done
133133

134-
UNIQUE_DOMAINS=$(echo "$WEBFETCH_DOMAINS" | tr ' ' '\n' | sort -u | grep -v '^$')
134+
UNIQUE_DOMAINS=$(printf '%s\n' "$WEBFETCH_DOMAINS" | tr ' ' '\n' | sed '/^$/d' | sort -u)
135135
if [ -n "$UNIQUE_DOMAINS" ]; then
136136
while read -r domain; do
137137
if [[ "$domain" == \** ]]; then

docs/DECISIONS.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -200,5 +200,5 @@ When a decision is superseded or obsolete, delete it (git history preserves the
200200
- Only `allow` and `ask` lists are scanned (not `deny`) -- denied domains should never be whitelisted
201201
- Bare `WebFetch` (no domain qualifier) is ignored -- it grants tool permission but has no domain to resolve
202202
- Wildcard domains (e.g., `*.example.com`) are skipped with a warning -- DNS cannot resolve wildcard patterns to IPs
203-
- Empty domain values filtered by `grep -v '^$'` -- defensive against `WebFetch(domain:)` edge case
204-
- Changes require container rebuild to take effect -- firewall runs once at startup, not dynamically
203+
- Empty domain values filtered by `sed '/^$/d'` instead of `grep -v '^$'` -- grep exits non-zero on empty input under `set -euo pipefail`
204+
- WebFetch settings changes take effect on container restart (`init-firewall.sh` runs from `postStartCommand`); permission tier changes require rebuild (`onCreateCommand` copies tier to `settings.local.json`)

docs/DEVCONTAINER_PERMISSIONS.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ Regardless of tier, these layers provide defense-in-depth:
5151

5252
The devcontainer firewall (`init-firewall.sh`) restricts all outbound traffic to a built-in allowlist plus domains from Claude Code permission settings.
5353

54-
**Built-in domains** (always allowed): PyPI, GitHub (via API CIDR ranges), Anthropic/Claude, VS Code Marketplace, uv/Astral.
54+
**Built-in domains** (always allowed): PyPI, GitHub (via API CIDR ranges), Anthropic/Claude, VS Code Marketplace, uv/Astral, plus telemetry endpoints (`sentry.io`, `statsig.anthropic.com`, `statsig.com`).
5555

5656
**WebFetch domain auto-whitelisting**: The firewall scans `.claude/settings.json` and `.claude/settings.local.json` for `WebFetch(domain:...)` patterns in `allow` and `ask` lists. Matched domains are resolved via DNS and added to the ipset allowlist.
5757

@@ -62,7 +62,7 @@ The devcontainer firewall (`init-firewall.sh`) restricts all outbound traffic to
6262
| `WebFetch` (bare) | Ignored (no domain to resolve) |
6363
| `WebFetch(domain:)` (empty) | Filtered out |
6464

65-
Changes to WebFetch settings take effect on container rebuild (`devcontainer rebuild`).
65+
Changes to WebFetch settings in `.claude/settings.json` or `.claude/settings.local.json` take effect on container restart. Changes to `.devcontainer/permissions/*.json` require a full rebuild (`devcontainer rebuild`).
6666

6767
## Tier Comparison
6868

0 commit comments

Comments
 (0)