refactor(workspaces): make claude-cli (and future providers) inherit from base — share entrypoint, hooks, security hardening

[NeuralEmpowerment]

Context

providers/workspaces/base/ and providers/workspaces/claude-cli/ are currently independent images, not parent/child. base/ is FROM debian:bookworm-slim; claude-cli/ is FROM node:22-slim. They each install their own (overlapping but non-identical) system packages, security hardening, user setup, etc.

This came up in #159 when adding the operator Co-authored-by: git hook to the workspace. The hook was placed in providers/workspaces/claude-cli/scripts/git-hooks/prepare-commit-msg because that's where it was actually needed — but architecturally it (and many other workspace concerns) should live once and be inherited by every workspace provider.

Proposed direction

Make claude-cli/Dockerfile actually inherit from a shared base image:

FROM agentic-base:latest AS claude-cli
# only claude-cli-specific layers (Node.js, Claude CLI, plugins) go here

…and consolidate into base/:

• system packages: git, curl, ca-certificates, jq, procps, gnupg
• uv install + Python managed by uv (from chore(workspace): cleanup, uv-base Dockerfile, Claude CLI 2.1.126 #157)
• non-root agent user setup, /workspace skeleton (ADR-036)
• security hardening: setuid stripping, capability drops
• entrypoint scaffolding + workspace-shipped git hooks (operator attribution from feat(workspace): operator Co-authored-by trailer on every workspace commit #158)
• the env-var contract (GIT_AUTHOR_*, GITHUB_TOKEN, SYN_OPERATOR_*, etc.)

claude-cli/ would then add only what's actually claude-specific: Node.js + npm install of @anthropic-ai/claude-code, the plugin baking, LSP servers, and any claude-specific entrypoint extensions.

What this enables

• Future workspace providers (e.g. cursor-cli, codex-cli, generic-llm) inherit operator attribution, observability, security hardening, env-var contract for free.
• Single source of truth for "what every workspace must have."
• Consistent base for security audits and supply-chain attestation (cosign signing, SBOMs).

Why not now

#159 is scoped to issue #158 (operator attribution) and is already merge-ready. This refactor is meaningfully larger:

• Reconciling Debian-slim vs Node-slim base (or moving Node into the base image)
• Splitting the entrypoint into base + provider-specific extension points
• Updating scripts/build-provider.py to know about layered builds
• Possibly reconciling manifest.yaml schema between providers

Best done as a focused PR once there's a second active workspace provider to validate the abstraction against (otherwise we'd be designing for hypothetical second consumers).

Acceptance criteria

• claude-cli/Dockerfile starts with FROM agentic-base:...
• All system packages, security hardening, entrypoint scaffolding, and workspace-shipped git hooks live in base/ only
• Existing just test-workspace integration tests still pass
• At least one new provider (real or stub) demonstrates that adding a workspace requires only provider-specific layers, not duplicating base concerns

Related

• feat(workspace): operator Co-authored-by trailer on every workspace commit #158 (operator attribution — the trigger for this discussion)
• feat(workspace): operator Co-authored-by trailer #159 (the PR that hit the wall)
• ADR-027 (Provider-Based Workspace Images) — would need an addendum or successor ADR to capture the inheritance model