37 lines
1.5 KiB
YAML
37 lines
1.5 KiB
YAML
# DeerFlow — CLI auth overlay (OPT-IN, NOT loaded by default)
|
|
#
|
|
# Bind-mounts the host Claude Code / Codex CLI config dirs into the gateway so:
|
|
# - ClaudeChatModel / Codex model providers can reuse the CLI subscription
|
|
# login (~/.claude/.credentials.json, ~/.codex/auth.json), and
|
|
# - ACP agents (acp_agents in config.yaml) that run the claude/codex CLI
|
|
# inside the container can read their config.
|
|
#
|
|
# SECURITY: these mounts expose the ENTIRE ~/.claude and ~/.codex dirs
|
|
# (conversation history, projects, global config, long-lived credentials) into
|
|
# the gateway container, read-only. A gateway compromise leaks all of it. That
|
|
# is why they are NOT mounted by default.
|
|
#
|
|
# Prefer passing only a token via env instead (no directory exposure):
|
|
# CLAUDE_CODE_OAUTH_TOKEN / ANTHROPIC_AUTH_TOKEN for Claude, CODEX_AUTH_PATH
|
|
# for a single Codex auth file — see .env.example and SECURITY.md.
|
|
# Use this overlay only when you need the full CLI config (e.g. ACP adapters
|
|
# that run the CLI in-container and read more than just the credential file).
|
|
#
|
|
# Manual use (works with both prod and dev compose):
|
|
# docker compose -f docker-compose.yaml -f docker-compose.cli-auth.yaml up -d
|
|
services:
|
|
gateway:
|
|
volumes:
|
|
- type: bind
|
|
source: ${HOME:?HOME must be set}/.claude
|
|
target: /root/.claude
|
|
read_only: true
|
|
bind:
|
|
create_host_path: true
|
|
- type: bind
|
|
source: ${HOME:?HOME must be set}/.codex
|
|
target: /root/.codex
|
|
read_only: true
|
|
bind:
|
|
create_host_path: true
|