fix: validate completions output before writing; document two-mount requirement (#8)

PKramek · web-flow · commit 23abf35e93e0 · 2026-04-07T22:51:52.000+02:00
Closes #7 ## Bug 1 — Fish (and bash/zsh) completions corrupted at build time `claude completions <shell>` runs at image build time when Claude Code is unauthenticated. The CLI exits 0 but writes an error message to stdout (e.g. `Not logged in · Please run /login`). The previous direct redirect saved that error verbatim into the completions file, causing fish to print parse errors on every shell start. **Fix:** capture output into a variable and validate the prefix before writing: | Shell | Valid prefix | |-------|-------------| | fish | `complete` | | bash | `_` or `#` | | zsh | `#compdef` | Invalid or empty output is skipped with a warning; no file is written. ## Bug 2 — Onboarding re-triggers when only `~/.claude` is mounted Claude Code stores preferences and onboarding state in `~/.claude.json` — a sibling of `~/.claude/`, not inside it. The previous README guidance mounted only the directory, so `~/.claude.json` was never persisted and the onboarding wizard re-ran on every container start. **Fix:** update `README.md`, `src/claude-code/README.md`, and the `mountHostConfig` logged snippet to document that two mounts are required and warn that `~/.claude.json` must exist on the host before the container starts (Docker creates it as a directory if absent). ## Test plan - [ ] CI passes (ShellCheck, shfmt, all scenario tests) - [ ] Build a container with fish installed — confirm no parse errors on shell start - [ ] Build with `mountHostConfig: true` — confirm logged snippet shows both mounts
diff --git a/README.md b/README.md
@@ -104,24 +104,37 @@ browser window. Works in VS Code's integrated terminal with no extra configurati
 }
 ```
 
-**3. Mount host `~/.claude`.** Share your full host config — API keys, session tokens, preferences
-— directly into the container:
+**3. Mount host `~/.claude` and `~/.claude.json`.** Share your full host config — API keys,
+session tokens, preferences — directly into the container.
+
+Claude Code splits its persistent state across two locations:
+
+- `~/.claude/` — session transcripts, project memory, MCP server configuration
+- `~/.claude.json` — global settings, onboarding state, theme, account metadata
+
+Both must be mounted. Mounting only the directory leaves `~/.claude.json` absent, causing the
+onboarding wizard to re-run and all preferences to reset on every container start.
 
 ```json
 {
   "mounts": [
-    "source=${localEnv:HOME}/.claude,target=/home/vscode/.claude,type=bind,consistency=cached,readonly"
+    "source=${localEnv:HOME}/.claude,target=/home/vscode/.claude,type=bind,consistency=cached,readonly",
+    "source=${localEnv:HOME}/.claude.json,target=/home/vscode/.claude.json,type=bind,consistency=cached,readonly"
   ]
 }
 ```
 
 > ⚠️ **Security:** This exposes your API keys inside the container. Only do this in trusted
-> environments. Adjust the `target` path to match your container user's home directory (`/root`,
+> environments. Adjust both `target` paths to match your container user's home directory (`/root`,
 > `/home/node`, etc.). The `readonly` flag prevents Claude Code from writing settings or session
 > data back to the host — if you need bidirectional sync, remove it and accept the risk.
 >
-> Set `mountHostConfig: true` in the feature options to get this snippet printed at build time with
-> your actual home directory path pre-filled.
+> **Note:** `~/.claude.json` must exist on the host before the container starts — Docker creates it
+> as a directory if absent. Run `claude` on the host at least once, or bootstrap it with:
+> `echo '{}' > ~/.claude.json`
+>
+> Set `mountHostConfig: true` in the feature options to get this two-mount snippet printed at build
+> time with your actual home directory path pre-filled.
 
 ## Tested Base Images
 
diff --git a/src/claude-code/README.md b/src/claude-code/README.md
@@ -68,15 +68,23 @@ Claude Code requires authentication. Three options:
    }
    ```
 
-3. **Mount host config:** Use the `mountHostConfig` option to get the mount
-   snippet, then add it to `mounts` in your `devcontainer.json`. Adjust the
-   `target` path to match your container user's home directory.
+3. **Mount host config:** Use the `mountHostConfig` option to get the two-mount
+   snippet, then add both entries to `mounts` in your `devcontainer.json`. Two
+   mounts are required: `~/.claude/` holds session data and MCP config;
+   `~/.claude.json` holds global settings and onboarding state. Mounting only
+   the directory causes the onboarding wizard to re-run on every container
+   start. Adjust both `target` paths to match your container user's home
+   directory.
 
 ## Notes
 
 - Node.js >= 18 is required. If not present, this feature installs the current
   LTS release automatically.
-- Shell completions are installed for bash, zsh, and fish if those directories
-  exist in the container.
+- Shell completions for bash, zsh, and fish are attempted at build time.
+  Because `claude completions` requires authentication, completions are only
+  installed if credentials are available during the build (e.g., via
+  `ANTHROPIC_API_KEY`). To install completions after logging in, run
+  `claude completions bash > /usr/share/bash-completion/completions/claude`
+  (adjust path and shell name as needed).
 - The `enableMcpServers` option creates a starter config with secure permissions
   (`chmod 600`) owned by the container user.
diff --git a/src/claude-code/install.sh b/src/claude-code/install.sh
@@ -525,6 +525,10 @@ setup_completions() {
 
     log_info "Installing shell completions..."
 
+    # Escape character for portable ANSI stripping (works with GNU sed and busybox sed).
+    local esc
+    esc=$(printf '\033')
+
     # Bash completions
     local bash_comp_dir=""
     if [[ -d /usr/share/bash-completion/completions ]]; then
@@ -533,17 +537,56 @@ setup_completions() {
         bash_comp_dir="/etc/bash_completion.d"
     fi
     if [[ -n "${bash_comp_dir}" ]]; then
-        timeout 30 claude completions bash </dev/null >"${bash_comp_dir}/claude" 2>/dev/null || {
-            log_warn "Failed to install bash completions."
-        }
+        local bash_comp_raw=""
+        local bash_comp_output=""
+        bash_comp_raw=$(timeout 30 claude completions bash </dev/null 2>/dev/null) || true
+        # Strip \r (CRLF), ANSI codes, and known Node.js warning lines, then keep
+        # everything from the first non-blank line onwards.  This is more robust than
+        # anchoring on a specific first character, since the completion format varies
+        # across Claude Code versions and some wrap the script in an `if` block.
+        bash_comp_output=$(printf '%s' "${bash_comp_raw}" |
+            tr -d '\r' |
+            sed "s/${esc}\[[0-9;]*[a-zA-Z]//g" |
+            sed '/^(node:[0-9]/d; /^Use .* --trace-warnings/d' |
+            sed -n '/[^ ]/,$p')
+        local bash_comp_first=""
+        bash_comp_first=$(printf '%s' "${bash_comp_output}" | head -n1)
+        if [[ "${bash_comp_first}" == _* ]] || [[ "${bash_comp_first}" == "#"* ]] ||
+            [[ "${bash_comp_first}" == "if "* ]] || [[ "${bash_comp_first}" == "function "* ]]; then
+            printf '%s\n' "${bash_comp_output}" >"${bash_comp_dir}/claude"
+        elif printf '%s' "${bash_comp_output}" | grep -qi -e 'not logged in' -e '/login'; then
+            log_debug "Skipping bash completions: authentication required (expected during build)."
+        elif [[ -n "${bash_comp_raw}" ]]; then
+            log_warn "Skipping bash completions: output does not look like a valid completion script."
+        else
+            log_debug "Skipping bash completions: no output from claude completions bash."
+        fi
     fi
 
     # Zsh completions — only if zsh is installed
     if command -v zsh >/dev/null 2>&1; then
         mkdir -p /usr/share/zsh/site-functions 2>/dev/null || true
-        timeout 30 claude completions zsh </dev/null >/usr/share/zsh/site-functions/_claude 2>/dev/null || {
-            log_warn "Failed to install zsh completions."
-        }
+        local zsh_comp_raw=""
+        local zsh_comp_output=""
+        zsh_comp_raw=$(timeout 30 claude completions zsh </dev/null 2>/dev/null) || true
+        # Strip \r, ANSI codes, and Node.js warning preamble; keep from first non-blank line.
+        zsh_comp_output=$(printf '%s' "${zsh_comp_raw}" |
+            tr -d '\r' |
+            sed "s/${esc}\[[0-9;]*[a-zA-Z]//g" |
+            sed '/^(node:[0-9]/d; /^Use .* --trace-warnings/d' |
+            sed -n '/[^ ]/,$p')
+        local zsh_comp_first=""
+        zsh_comp_first=$(printf '%s' "${zsh_comp_output}" | head -n1)
+        if [[ "${zsh_comp_first}" == _* ]] || [[ "${zsh_comp_first}" == "#"* ]] ||
+            [[ "${zsh_comp_first}" == "if "* ]] || [[ "${zsh_comp_first}" == "function "* ]]; then
+            printf '%s\n' "${zsh_comp_output}" >/usr/share/zsh/site-functions/_claude
+        elif printf '%s' "${zsh_comp_output}" | grep -qi -e 'not logged in' -e '/login'; then
+            log_debug "Skipping zsh completions: authentication required (expected during build)."
+        elif [[ -n "${zsh_comp_raw}" ]]; then
+            log_warn "Skipping zsh completions: output does not look like a valid completion script."
+        else
+            log_debug "Skipping zsh completions: no output from claude completions zsh."
+        fi
     fi
 
     # Fish completions
@@ -555,12 +598,29 @@ setup_completions() {
         fi
     done
     if [[ -n "${fish_comp_dir}" ]]; then
-        timeout 30 claude completions fish </dev/null >"${fish_comp_dir}/claude.fish" 2>/dev/null || {
-            log_warn "Failed to install fish completions."
-        }
+        local fish_comp_raw=""
+        local fish_comp_output=""
+        fish_comp_raw=$(timeout 30 claude completions fish </dev/null 2>/dev/null) || true
+        # Strip \r, ANSI codes, and Node.js warning preamble; keep from first non-blank line.
+        fish_comp_output=$(printf '%s' "${fish_comp_raw}" |
+            tr -d '\r' |
+            sed "s/${esc}\[[0-9;]*[a-zA-Z]//g" |
+            sed '/^(node:[0-9]/d; /^Use .* --trace-warnings/d' |
+            sed -n '/[^ ]/,$p')
+        local fish_comp_first=""
+        fish_comp_first=$(printf '%s' "${fish_comp_output}" | head -n1)
+        if [[ "${fish_comp_first}" == "complete"* ]] || [[ "${fish_comp_first}" == "#"* ]]; then
+            printf '%s\n' "${fish_comp_output}" >"${fish_comp_dir}/claude.fish"
+        elif printf '%s' "${fish_comp_output}" | grep -qi -e 'not logged in' -e '/login'; then
+            log_debug "Skipping fish completions: authentication required (expected during build)."
+        elif [[ -n "${fish_comp_raw}" ]]; then
+            log_warn "Skipping fish completions: output does not look like a valid completion script."
+        else
+            log_debug "Skipping fish completions: no output from claude completions fish."
+        fi
     fi
 
-    log_info "Shell completions installed."
+    log_info "Shell completions setup complete."
 }
 
 setup_completions
@@ -608,13 +668,22 @@ setup_mount_docs() {
     log_info "============================================================"
     log_info "HOST CONFIG MOUNTING"
     log_info "============================================================"
-    log_info "To mount your host Claude config, add this to your"
-    log_info "devcontainer.json:"
+    log_info "Claude Code stores state in two separate locations:"
+    log_info "  ~/.claude/      session data, MCP config, project memory"
+    log_info "  ~/.claude.json  global settings, onboarding state, theme"
+    log_info ""
+    log_info "Both must be mounted to persist preferences across rebuilds."
+    log_info "Add both entries to your devcontainer.json:"
     log_info ""
     log_info '  "mounts": ['
-    log_info "    \"source=\${localEnv:HOME}/.claude,target=${REMOTE_USER_HOME}/.claude,type=bind,consistency=cached,readonly\""
+    log_info "    \"source=\${localEnv:HOME}/.claude,target=${REMOTE_USER_HOME}/.claude,type=bind,consistency=cached,readonly\","
+    log_info "    \"source=\${localEnv:HOME}/.claude.json,target=${REMOTE_USER_HOME}/.claude.json,type=bind,consistency=cached,readonly\""
     log_info '  ]'
     log_info ""
+    log_info "NOTE: ~/.claude.json must exist on the host before the container"
+    log_info "starts — Docker creates it as a directory if absent. Run 'claude'"
+    log_info "on the host at least once, or: echo '{}' > ~/.claude.json"
+    log_info ""
     log_info "NOTE: This exposes your API keys inside the container."
     log_info "See README for security considerations."
     log_info "============================================================"
diff --git a/test/claude-code/default_options.sh b/test/claude-code/default_options.sh
@@ -7,22 +7,56 @@ source "${SCRIPT_DIR}/test.sh"
 echo "=== Scenario: default_options ==="
 core_assertions
 
-echo "--- Completions ---"
-# At least one completion directory should have the claude file
-FOUND_COMPLETIONS=false
-for path in \
-    /usr/share/bash-completion/completions/claude \
-    /etc/bash_completion.d/claude \
-    /usr/share/zsh/site-functions/_claude \
-    /usr/share/fish/vendor_completions.d/claude.fish \
-    /usr/share/fish/completions/claude.fish; do
-    if [[ -f "${path}" ]]; then
-        FOUND_COMPLETIONS=true
-        pass "Completion file found: ${path}"
+echo "--- Completions: bash ---"
+if [[ -d /usr/share/bash-completion/completions ]]; then
+    if [[ -f /usr/share/bash-completion/completions/claude ]]; then
+        check_completion_file_contents /usr/share/bash-completion/completions/claude "_" "#" "if"
+    else
+        pass "Bash completion not written — install skipped (no valid output from completions command)"
     fi
-done
-if [[ "${FOUND_COMPLETIONS}" == "false" ]]; then
-    fail "No shell completion files found"
+elif [[ -d /etc/bash_completion.d ]]; then
+    if [[ -f /etc/bash_completion.d/claude ]]; then
+        check_completion_file_contents /etc/bash_completion.d/claude "_" "#" "if"
+    else
+        pass "Bash completion not written — install skipped (no valid output from completions command)"
+    fi
+else
+    pass "Bash completion directory absent — skipping bash completion check"
+fi
+
+echo "--- Completions: zsh ---"
+if command -v zsh >/dev/null 2>&1; then
+    if [[ -f /usr/share/zsh/site-functions/_claude ]]; then
+        check_completion_file_contents /usr/share/zsh/site-functions/_claude "#compdef" "#"
+    else
+        pass "Zsh completion not written — install skipped (no valid output from completions command)"
+    fi
+else
+    pass "zsh not installed — skipping zsh completion check"
+fi
+
+echo "--- Completions: fish ---"
+# Attempt to install fish so the fish completion path is exercised.
+# This is a best-effort step: non-apt images (Alpine, Arch, etc.) will silently skip.
+apt-get install -y --no-install-recommends fish >/dev/null 2>&1 || true
+if command -v fish >/dev/null 2>&1; then
+    mkdir -p /usr/share/fish/vendor_completions.d
+    # Re-run setup_completions in a subshell so that only the function is sourced,
+    # not the full install script (which would re-install claude).
+    # The install script is persisted to a stable path at the end of installation.
+    (
+        export SHELL_COMPLETIONS="true"
+        # shellcheck source=/dev/null
+        source /usr/local/share/devcontainer-features/claude-code/install.sh 2>/dev/null || true
+        setup_completions
+    ) || true
+    if [[ -f /usr/share/fish/vendor_completions.d/claude.fish ]]; then
+        check_completion_file_contents /usr/share/fish/vendor_completions.d/claude.fish "complete"
+    else
+        pass "Fish completion not written — install skipped (no valid output from completions command)"
+    fi
+else
+    pass "fish not available — skipping fish completion check"
 fi
 
 echo "--- MCP config should be absent ---"
diff --git a/test/claude-code/test.sh b/test/claude-code/test.sh
@@ -142,6 +142,26 @@ check_file_valid_json() {
     fi
 }
 
+check_completion_file_contents() {
+    local file="$1"
+    shift
+    local prefixes=("$@")
+    if [[ ! -f "${file}" ]]; then
+        fail "Completion file missing: ${file}"
+        return
+    fi
+    local first_line
+    first_line=$(head -n1 "${file}")
+    local prefix
+    for prefix in "${prefixes[@]}"; do
+        if [[ "${first_line}" == "${prefix}"* ]]; then
+            pass "Completion file content valid (prefix '${prefix}'): ${file}"
+            return
+        fi
+    done
+    fail "Completion file has unexpected first line ('${first_line}'): ${file}"
+}
+
 check_path_clean() {
     local cache_dir="$1"
     if [[ ! -d "${cache_dir}" ]]; then
