Drop PATH symlinks in favour of profile hooks; run claude-code as user

chapterjason · claude · chapterjason · commit 4bf74f201414 · 2026-04-23T16:45:15.000Z
scripts/nvm/install.sh:
- Remove the /usr/local/bin/{node,npm,npx,corepack} symlinks.
- /etc/profile.d/nvm.sh now calls `nvm use default` after sourcing nvm,
  so node/npm land on PATH via the default alias on shell source.

scripts/web-shell/install.sh:
- Drop the /usr/local/bin/web-shell symlink.
- Systemd unit's ExecStart and the non-systemd login-shell fallback use
  the absolute $WS_BIN ($NPM_PREFIX/bin/web-shell) resolved at install.

scripts/claude-code/install.sh:
- Runs as the remote user instead of root+HOME+chown (see Dockerfile).
- Appends a PATH hook to ~/.profile that runtime-checks whether
  $HOME/.local/bin is already in $PATH and only prepends if not.
- /etc/home-persist.d/claude-code.json written via sudo tee.

src/base/Dockerfile:
- Split the install loop: nvm / rtk / context-mode / web-shell /
  home-persist as root, claude-code as the remote user (upstream
  installer writes land in $HOME with correct ownership).

main.tf:
- coder_script.lifecycle_init sources ~/.profile at the top so PATH
  hooks apply before context-mode / rtk post-create hooks run
  (they look up `claude` on PATH).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/main.tf b/main.tf
@@ -308,6 +308,10 @@ resource "coder_script" "lifecycle_init" {
   script             = <<-EOT
     set -e
 
+    # Source ~/.profile so PATH hooks (e.g. $HOME/.local/bin from claude-code)
+    # take effect for the post-create scripts invoked below.
+    [ -f "$HOME/.profile" ] && . "$HOME/.profile"
+
     user_paths="${data.coder_parameter.home_persist_paths.value}"
     if [ -n "$user_paths" ]; then
       paths_json='[]'
diff --git a/scripts/claude-code/install.sh b/scripts/claude-code/install.sh
@@ -1,38 +1,28 @@
 #!/usr/bin/env bash
-# claude-code installer.
+# claude-code installer. Runs as the workspace user (see src/base/Dockerfile).
 set -e
 
-USER_NAME="${_REMOTE_USER:-${USERNAME:-root}}"
-if [ "$USER_NAME" = "root" ]; then
-  USER_GROUP="root"
-else
-  USER_GROUP="$(id -gn "$USER_NAME")"
-fi
-
-USER_HOME="$(getent passwd "$USER_NAME" | cut -d: -f6)"
-
-HOME="$USER_HOME" curl -fsSL https://claude.ai/install.sh | HOME="$USER_HOME" bash
+curl -fsSL https://claude.ai/install.sh | bash
 
-if [ ! -x "$USER_HOME/.local/bin/claude" ]; then
-  echo "claude-code: expected $USER_HOME/.local/bin/claude after install, but it was not found." >&2
+if [ ! -x "$HOME/.local/bin/claude" ]; then
+  echo "claude-code: expected $HOME/.local/bin/claude after install, but it was not found." >&2
   exit 1
 fi
 
-# The upstream installer runs as root with HOME=$USER_HOME and writes into
-# $HOME/.claude, $HOME/.local AND $HOME/.cache (its own state dir plus
-# node-gyp from any native-module compile). Chown all three so nothing is
-# left root-owned on the remote user's home. .cache is guarded because it
-# may not exist on minimal installs.
-chown -R "$USER_NAME:$USER_GROUP" "$USER_HOME/.claude" "$USER_HOME/.local"
-if [ -d "$USER_HOME/.cache" ]; then
-  chown -R "$USER_NAME:$USER_GROUP" "$USER_HOME/.cache"
+# PATH hook in ~/.profile — if-check at source time only prepends
+# $HOME/.local/bin when it's not already in $PATH.
+cat >> "$HOME/.profile" <<EOF
+
+if ! echo ":\$PATH:" | grep -q ":\$HOME/.local/bin:"; then
+  export PATH="\$HOME/.local/bin:\$PATH"
 fi
+EOF
 
 # Declare the HOME paths Claude Code needs persisted. The home-persist
 # resolver reads every /etc/home-persist.d/*.json at workspace start and
-# symlinks these into /mnt/home-persist.
-mkdir -p /etc/home-persist.d
-cat > /etc/home-persist.d/claude-code.json <<'EOF'
+# symlinks these into /mnt/home-persist. /etc/home-persist.d is root-owned.
+sudo mkdir -p /etc/home-persist.d
+sudo tee /etc/home-persist.d/claude-code.json >/dev/null <<'EOF'
 {
   "source": "claude-code",
   "paths": [".claude/", ".claude.json"]
diff --git a/scripts/nvm/install.sh b/scripts/nvm/install.sh
@@ -30,8 +30,12 @@ curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install
 
 cat >/etc/profile.d/nvm.sh <<EOF
 export NVM_DIR="$NVM_DIR"
-[ -s "\$NVM_DIR/nvm.sh" ] && \\. "\$NVM_DIR/nvm.sh"
-[ -s "\$NVM_DIR/bash_completion" ] && \\. "\$NVM_DIR/bash_completion"
+if [ -s "\$NVM_DIR/nvm.sh" ]; then
+  \\. "\$NVM_DIR/nvm.sh"
+  [ -s "\$NVM_DIR/bash_completion" ] && \\. "\$NVM_DIR/bash_completion"
+  # Activate the default alias if present — puts node/npm/npx on PATH.
+  [ -s "\$NVM_DIR/alias/default" ] && nvm use default >/dev/null 2>&1
+fi
 EOF
 chmod 644 /etc/profile.d/nvm.sh
 
@@ -75,12 +79,6 @@ if [ "$NODE_VERSION" != "none" ]; then
   # shellcheck disable=SC2086
   nvm install $NVM_INSTALL_ARG
   nvm alias default "$NVM_ALIAS_TARGET"
-
-  NODE_BIN_DIR="$(dirname "$(nvm which default)")"
-  for bin in node npm npx corepack; do
-    [ -x "$NODE_BIN_DIR/$bin" ] || continue
-    ln -sf "$NODE_BIN_DIR/$bin" "/usr/local/bin/$bin"
-  done
 fi
 
 chown -R "$USER_NAME:$USER_GROUP" "$NVM_DIR"
diff --git a/scripts/web-shell/install.sh b/scripts/web-shell/install.sh
@@ -82,17 +82,14 @@ curl -fsSL -o "$TMPDIR/web-shell.tgz" "$TARBALL_URL"
 
 npm install -g "$TMPDIR/web-shell.tgz"
 
-# 5. Stable symlink at /usr/local/bin/web-shell — the nvm prefix isn't on the
-# systemd service PATH.
+# 5. Resolve the absolute path to the binary so the systemd unit doesn't
+# depend on $PATH / symlinks at service start time.
 NPM_PREFIX="$(npm config get prefix)"
 WS_BIN="$NPM_PREFIX/bin/web-shell"
 if [ ! -x "$WS_BIN" ]; then
   echo "web-shell: $WS_BIN missing after npm install." >&2
   exit 1
 fi
-if [ "$WS_BIN" != "/usr/local/bin/web-shell" ]; then
-  ln -sf "$WS_BIN" /usr/local/bin/web-shell
-fi
 
 # 6. Systemd unit. We always write it — even when systemd isn't PID 1 right
 # now, a later rebase onto a systemd base won't need to reinstall.
@@ -110,7 +107,7 @@ WorkingDirectory=${USER_HOME}
 Environment=HOME=${USER_HOME}
 Environment=HOST=127.0.0.1
 Environment=PORT=${WS_PORT}
-ExecStart=/usr/local/bin/web-shell
+ExecStart=${WS_BIN}
 Restart=on-failure
 RestartSec=1
 
@@ -142,7 +139,7 @@ else
 # supervisor is used instead.
 if ! pgrep -u "\$(id -u)" -f '/usr/local/bin/web-shell' >/dev/null 2>&1; then
   HOST='127.0.0.1' PORT='${WS_PORT}' \\
-    nohup sh -c 'while true; do /usr/local/bin/web-shell; sleep 1; done' \\
+    nohup sh -c 'while true; do ${WS_BIN}; sleep 1; done' \\
     > /tmp/web-shell.log 2>&1 &
   disown >/dev/null 2>&1 || true
 fi
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
@@ -77,11 +77,19 @@ USER root
 # env var the devcontainer CLI used at feature-install time.
 ENV _REMOTE_USER=${USERNAME}
 
+# System-wide installers run as root.
 RUN --mount=type=bind,source=scripts,target=/scripts \
-    for s in nvm claude-code rtk context-mode web-shell home-persist; do \
+    for s in nvm rtk context-mode web-shell home-persist; do \
       bash "/scripts/$s/install.sh"; \
     done
 
+# Per-user installers run as the remote user directly — upstream installer
+# writes land in $HOME with correct ownership; no root+chown dance.
+USER ${USERNAME}
+RUN --mount=type=bind,source=scripts,target=/scripts \
+    bash "/scripts/claude-code/install.sh"
+USER root
+
 # Coder agent: systemd unit runs /etc/coder/agent-init.sh as the workspace
 # user after dockerd is up. The script itself is uploaded at container-create
 # time by the Terraform template (kreuzwerker/docker `upload` block).
