Replace npm Claude Code with native binary installation (#11)

* Replace npm Claude Code with native binary installation

The Anthropic devcontainer feature installed Claude Code via npm as root,
making the package directory unwritable by the vscode user. This caused
the in-session auto-updater to fail with EACCES on every update attempt.

Replaces ghcr.io/anthropics/devcontainer-features/claude-code (npm) with
a new ./features/claude-code-native feature that uses Anthropic's official
native installer (https://claude.ai/install.sh). The native binary installs
to ~/.local/bin/claude owned by the container user, so claude update works
without permission issues.

* Fix CodeRabbit review issues and update stale documentation

- CHANGELOG: split entries into Changed (user outcomes) and Fixed (script fixes)
- install.sh: require curl explicitly, add semver validation, quote TARGET in su command, remove dead if/else
- setup-update-claude.sh: use PIPESTATUS[0] to capture timeout exit code instead of tee
- setup.sh: pin update log to /workspaces/.tmp/claude-update.log with override support
- notify-hook, mcp-qdrant: update installsAfter from old npm feature to ./features/claude-code-native
- check-setup.sh: remove stale /usr/local/bin/claude fallback

* fix(native-installer): POSIX compat, bash installer, onboarding hook

- Replace &>/dev/null with >/dev/null 2>&1 (POSIX)
- Require curl only (not wget) — matches official installer dependency
- Use bash instead of sh for piping installer (it requires bash)
- Quote ${TARGET} in su -c to prevent word splitting
- Pre-create ~/.local/state and ~/.claude directories
- Add 99-claude-onboarding.sh post-start hook to ensure
  hasCompletedOnboarding is set when token auth is configured

---------

Co-authored-by: AnExiledDev <AnExiledDev@users.noreply.github.com>

Author: AnExiledDev

.devcontainer/CHANGELOG.md

@@ -10,8 +10,15 @@
 #### Skills
 - **worktree** — New skill for git worktree creation, management, and cleanup. Covers `EnterWorktree` tool, `--worktree` CLI flag, `.worktreeinclude` setup, worktree naming conventions, cleanup lifecycle, and CodeForge integration (Project Manager auto-detection, agent isolation). Includes two reference files: manual worktree commands and parallel workflow patterns.
 
+#### Claude Code Installation
+- **Post-start onboarding hook** (`99-claude-onboarding.sh`) — ensures `hasCompletedOnboarding: true` in `.claude.json` when token auth is configured; catches overwrites from Claude Code CLI/extension that race with `postStartCommand`
+
 ### Changed
 
+#### Claude Code Installation
+- **Claude Code now installs as a native binary** — uses Anthropic's official installer (`https://claude.ai/install.sh`) via new `./features/claude-code-native` feature, replacing the npm-based `ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5`
+- **In-session auto-updater now works without root** — native binary at `~/.local/bin/claude` is owned by the container user, so `claude update` succeeds without permission issues
+
 #### System Prompt
 - **`<git_worktrees>` section** — Updated to document Claude Code native worktree convention (`<repo>/.claude/worktrees/`) as the recommended approach alongside the legacy `.worktrees/` convention. Added `EnterWorktree` tool guidance, `.worktreeinclude` file documentation, and path convention comparison table.
 
@@ -48,6 +55,15 @@
 
 ### Fixed
 
+#### Claude Code Installation
+- **Update script no longer silently discards errors** — background update output now captured to log file instead of being discarded via `&>/dev/null`
+- **Update script simplified to native-binary-only** — removed npm fallback and `claude install` bootstrap code; added 60s timeout and transitional npm cleanup
+- **Alias resolution simplified** — `_CLAUDE_BIN` now resolves directly to native binary path (removed npm and `/usr/local/bin` fallbacks)
+- **POSIX redirect** — replaced `&>/dev/null` with `>/dev/null 2>&1` in dependency check for portability
+- **Installer shell** — changed `sh -s` to `bash -s` when piping the official installer (it requires bash)
+- **Unquoted `${TARGET}`** — quoted variable in `su -c` command to prevent word splitting
+- **Directory prep** — added `~/.local/state` and `~/.claude` pre-creation; consolidated `chown` to cover entire `~/.local` tree
+
 #### Plugin Marketplace
 - **`marketplace.json` schema fix** — changed all 11 plugin `source` fields from bare names (e.g., `"codeforge-lsp"`) to relative paths (`"./plugins/codeforge-lsp"`) so `claude plugin marketplace add` passes schema validation and all plugins register correctly
 

.devcontainer/CLAUDE.md

@@ -173,4 +173,4 @@ Labels are `custom-text` widgets with `merge: "no-padding"` so they fuse visuall
 
 ## Features
 
-Custom features in `./features/` follow the [devcontainer feature spec](https://containers.dev/implementors/features/). Every local feature supports `"version": "none"` to skip installation. Claude Code is installed via `ghcr.io/anthropics/devcontainer-features/claude-code:1`.
+Custom features in `./features/` follow the [devcontainer feature spec](https://containers.dev/implementors/features/). Every local feature supports `"version": "none"` to skip installation. Claude Code is installed as a native binary via `./features/claude-code-native` (uses Anthropic's official installer at `https://claude.ai/install.sh`).

.devcontainer/devcontainer.json

@@ -45,7 +45,7 @@
 	},
 
 	// Feature install order: external runtimes first (Node, uv, Rust, Bun),
-	// then Claude Code (needs Node), then custom features.
+	// then Claude Code native binary (no Node dependency), then custom features.
 	// npm-dependent features (agent-browser, ccusage, ccburn, claude-session-dashboard,
 	// biome, lsp-servers) must come after Node. uv-dependent features (ruff, claude-monitor) must
 	// come after uv. cargo-dependent features (ccms) must come after Rust.
@@ -57,7 +57,7 @@
 		"ghcr.io/devcontainers-extra/features/uv",
 		"ghcr.io/rails/devcontainer/features/bun",
 		"ghcr.io/devcontainers/features/rust",
-		"ghcr.io/anthropics/devcontainer-features/claude-code",
+		"./features/claude-code-native",
 		"./features/tmux",
 		"./features/agent-browser",
 		"./features/claude-monitor",
@@ -96,7 +96,7 @@
 		},
 		// Uncomment to add Go runtime (not installed by default):
 		// "ghcr.io/devcontainers/features/go:1": {},
-		"ghcr.io/anthropics/devcontainer-features/claude-code:1.0.5": {},
+		"./features/claude-code-native": {},
 		"./features/tmux": {},
 		"./features/ccusage": {
 			"version": "latest",

.devcontainer/features/claude-code-native/README.md

@@ -0,0 +1,47 @@
+# Claude Code CLI (Native Binary)
+
+Installs [Claude Code](https://docs.anthropic.com/en/docs/claude-code) as a native binary using Anthropic's official installer.
+
+Unlike the npm-based installation (`ghcr.io/anthropics/devcontainer-features/claude-code`), this feature installs the native binary directly to `~/.local/bin/claude`. The binary is owned by the container user, so the in-session auto-updater works without permission issues.
+
+## Options
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `version` | `latest` | `latest`, `stable`, or a specific semver (e.g., `2.1.52`). Set to `none` to skip. |
+| `username` | `automatic` | Container user to install for. `automatic` detects from `$_REMOTE_USER`. |
+
+## How it works
+
+1. Downloads the official installer from `https://claude.ai/install.sh`
+2. Runs it as the target user (not root)
+3. The installer handles platform detection, checksum verification, and binary placement
+4. Binary is installed to `~/.local/bin/claude` with versions stored in `~/.local/share/claude/versions/`
+
+## Usage
+
+```json
+{
+    "features": {
+        "./features/claude-code-native": {}
+    }
+}
+```
+
+With version pinning:
+
+```json
+{
+    "features": {
+        "./features/claude-code-native": {
+            "version": "2.1.52"
+        }
+    }
+}
+```
+
+## Why native over npm?
+
+The npm installation (`npm install -g @anthropic-ai/claude-code`) runs as root during the Docker build, creating a package owned by `root`. When the container user tries to auto-update Claude Code in-session, it fails with `EACCES` because it can't write to the root-owned package directory.
+
+The native binary installs to `~/.local/` under the container user's ownership, so `claude update` works without elevated permissions.

.devcontainer/features/claude-code-native/devcontainer-feature.json

@@ -0,0 +1,29 @@
+{
+	"id": "claude-code-native",
+	"version": "1.0.0",
+	"name": "Claude Code CLI (Native Binary)",
+	"description": "Installs Claude Code CLI as a native binary via the official Anthropic installer",
+	"documentationURL": "https://docs.anthropic.com/en/docs/claude-code",
+	"options": {
+		"version": {
+			"type": "string",
+			"description": "Version to install: 'latest', 'stable', or a specific semver. Use 'none' to skip.",
+			"default": "latest"
+		},
+		"username": {
+			"type": "string",
+			"description": "Container user to install for",
+			"default": "automatic"
+		}
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"anthropic.claude-code"
+			]
+		}
+	},
+	"installsAfter": [
+		"ghcr.io/devcontainers/features/common-utils:2"
+	]
+}

.devcontainer/features/claude-code-native/install.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+set -euo pipefail
+
+VERSION="${VERSION:-latest}"
+USERNAME="${USERNAME:-automatic}"
+
+# Skip installation if version is "none"
+if [ "${VERSION}" = "none" ]; then
+	echo "[claude-code-native] Skipping installation (version=none)"
+	exit 0
+fi
+
+echo "[claude-code-native] Starting installation..."
+echo "[claude-code-native] Version: ${VERSION}"
+
+# === VALIDATE DEPENDENCIES ===
+# The official installer (claude.ai/install.sh) requires curl internally
+if ! command -v curl >/dev/null 2>&1; then
+	echo "[claude-code-native] ERROR: curl is required"
+	echo "  Ensure common-utils feature is installed first"
+	exit 1
+fi
+
+# === DETECT USER ===
+if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then
+	if [ -n "${_REMOTE_USER:-}" ]; then
+		USERNAME="${_REMOTE_USER}"
+	elif getent passwd vscode >/dev/null 2>&1; then
+		USERNAME="vscode"
+	elif getent passwd node >/dev/null 2>&1; then
+		USERNAME="node"
+	elif getent passwd codespace >/dev/null 2>&1; then
+		USERNAME="codespace"
+	else
+		USERNAME="root"
+	fi
+fi
+
+USER_HOME=$(getent passwd "${USERNAME}" | cut -d: -f6)
+if [ -z "${USER_HOME}" ]; then
+	echo "[claude-code-native] ERROR: Could not determine home directory for ${USERNAME}"
+	exit 1
+fi
+
+echo "[claude-code-native] Installing for user: ${USERNAME} (home: ${USER_HOME})"
+
+# === PREPARE DIRECTORIES ===
+mkdir -p "${USER_HOME}/.local/bin"
+mkdir -p "${USER_HOME}/.local/share/claude"
+mkdir -p "${USER_HOME}/.local/state"
+mkdir -p "${USER_HOME}/.claude"
+chown -R "${USERNAME}:" "${USER_HOME}/.local" "${USER_HOME}/.claude"
+
+# === DETERMINE TARGET ===
+# The official installer accepts: stable, latest, or a specific semver
+TARGET="${VERSION}"
+if [ "${TARGET}" != "latest" ] && [ "${TARGET}" != "stable" ]; then
+	if ! echo "${TARGET}" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+		echo "[claude-code-native] ERROR: Invalid version '${TARGET}'"
+		echo "  Use 'latest', 'stable', or a semver (e.g., 2.1.52)"
+		exit 1
+	fi
+fi
+
+# === INSTALL ===
+# The official Anthropic installer handles:
+# - Platform detection (linux/darwin, x64/arm64, glibc/musl)
+# - Manifest download and checksum verification
+# - Binary download to ~/.local/bin/claude (symlink to ~/.local/share/claude/versions/*)
+echo "[claude-code-native] Downloading official installer..."
+
+if [ "${USERNAME}" = "root" ]; then
+	curl -fsSL https://claude.ai/install.sh | bash -s -- "${TARGET}"
+else
+	su - "${USERNAME}" -c "curl -fsSL https://claude.ai/install.sh | bash -s -- \"${TARGET}\""
+fi
+
+# === VERIFICATION ===
+CLAUDE_BIN="${USER_HOME}/.local/bin/claude"
+
+if [ -x "${CLAUDE_BIN}" ]; then
+	INSTALLED_VERSION=$(su - "${USERNAME}" -c "${CLAUDE_BIN} --version 2>/dev/null" || echo "unknown")
+	echo "[claude-code-native] ✓ Claude Code installed: ${INSTALLED_VERSION}"
+	echo "[claude-code-native]   Binary: ${CLAUDE_BIN}"
+else
+	echo "[claude-code-native] ERROR: Installation failed — ${CLAUDE_BIN} not found or not executable"
+	echo "[claude-code-native] Expected binary at: ${CLAUDE_BIN}"
+	ls -la "${USER_HOME}/.local/bin/" 2>/dev/null || true
+	exit 1
+fi
+
+# === POST-START HOOK ===
+# Ensures hasCompletedOnboarding is set when token auth is configured.
+# Runs as the LAST post-start hook (99- prefix) to catch overwrites from
+# Claude Code CLI/extension that may race with postStartCommand.
+HOOK_DIR="/usr/local/devcontainer-poststart.d"
+mkdir -p "$HOOK_DIR"
+cat > "$HOOK_DIR/99-claude-onboarding.sh" << 'HOOK_EOF'
+#!/bin/bash
+# Ensure hasCompletedOnboarding: true in .claude.json when token auth exists.
+# Runs after all setup scripts to catch any overwrites by Claude Code CLI/extension.
+_USERNAME="${SUDO_USER:-${USER:-vscode}}"
+_USER_HOME=$(getent passwd "$_USERNAME" 2>/dev/null | cut -d: -f6)
+_USER_HOME="${_USER_HOME:-/home/$_USERNAME}"
+CLAUDE_DIR="${CLAUDE_CONFIG_DIR:-${_USER_HOME}/.claude}"
+CLAUDE_JSON="$CLAUDE_DIR/.claude.json"
+CRED_FILE="$CLAUDE_DIR/.credentials.json"
+
+# Only act when token auth is configured
+[ -f "$CRED_FILE" ] || exit 0
+
+if [ -f "$CLAUDE_JSON" ]; then
+    if ! grep -q '"hasCompletedOnboarding"' "$CLAUDE_JSON" 2>/dev/null; then
+        if command -v jq >/dev/null 2>&1; then
+            jq '. + {"hasCompletedOnboarding": true}' "$CLAUDE_JSON" > "${CLAUDE_JSON}.tmp" && \
+                mv "${CLAUDE_JSON}.tmp" "$CLAUDE_JSON"
+        else
+            sed -i '$ s/}$/,\n  "hasCompletedOnboarding": true\n}/' "$CLAUDE_JSON"
+        fi
+        echo "[claude-onboarding] Injected hasCompletedOnboarding into .claude.json"
+    fi
+else
+    printf '{\n  "hasCompletedOnboarding": true\n}\n' > "$CLAUDE_JSON"
+    echo "[claude-onboarding] Created .claude.json with hasCompletedOnboarding"
+fi
+HOOK_EOF
+chmod +x "$HOOK_DIR/99-claude-onboarding.sh"
+
+echo "[claude-code-native] Installation complete"

.devcontainer/features/mcp-qdrant/devcontainer-feature.json

@@ -50,6 +50,6 @@
   "installsAfter": [
     "ghcr.io/devcontainers/features/python:1",
     "ghcr.io/devcontainers/features/common-utils:2",
-    "ghcr.io/anthropics/devcontainer-features/claude-code:1"
+    "./features/claude-code-native"
   ]
 }

.devcontainer/features/notify-hook/devcontainer-feature.json

@@ -23,6 +23,6 @@
   },
   "installsAfter": [
     "ghcr.io/devcontainers/features/common-utils:2",
-    "ghcr.io/anthropics/devcontainer-features/claude-code:1"
+    "./features/claude-code-native"
   ]
 }

.devcontainer/scripts/check-setup.sh

@@ -34,7 +34,7 @@ warn_check() {
 echo ""
 echo "Core:"
 check "Claude Code installed" "command -v claude"
-warn_check "Claude native binary" "[ -x ~/.local/bin/claude ] || [ -x /usr/local/bin/claude ]"
+warn_check "Claude native binary" "[ -x ~/.local/bin/claude ]"
 check "cc alias configured" "grep -q 'alias cc=' ~/.bashrc 2>/dev/null || grep -q 'alias cc=' ~/.zshrc 2>/dev/null"
 check "Config directory exists" "[ -d '${CLAUDE_CONFIG_DIR:-$HOME/.claude}' ]"
 check "Settings file exists" "[ -f '${CLAUDE_CONFIG_DIR:-$HOME/.claude}/settings.json' ]"

.devcontainer/scripts/setup-aliases.sh

@@ -80,14 +80,8 @@ if [ "\$TERM" = "xterm" ] || [ -z "\$TERM" ]; then
 fi
 export COLORTERM="\${COLORTERM:-truecolor}"
 
-# Prefer native binary over npm-installed version
-if [ -x "\$HOME/.local/bin/claude" ]; then
-    _CLAUDE_BIN="\$HOME/.local/bin/claude"
-elif [ -x /usr/local/bin/claude ]; then
-    _CLAUDE_BIN=/usr/local/bin/claude
-else
-    _CLAUDE_BIN=claude
-fi
+# Native binary (installed by claude-code-native feature)
+_CLAUDE_BIN="\$HOME/.local/bin/claude"
 
 # ChromaTerm wrapper (if ct is installed, wrap claude through it)
 if command -v ct >/dev/null 2>&1; then