Instead of storing OAuth tokens inside the VM template, credentials now
stay on the host. A lightweight Python proxy (claude-vm-proxy.py) reads
the host's ~/.claude/.credentials.json, injects the real auth headers
(Bearer + oauth beta for OAuth, x-api-key for API keys), and forwards
requests to api.anthropic.com. The VM gets only ANTHROPIC_BASE_URL
pointing at the proxy and dummy credentials so Claude Code detects
the correct subscription tier.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Snapshot security-sensitive files before each VM session and check for
unauthorized modifications afterward. Mount .git/hooks and .git/config
as read-only at the Lima level to prevent the VM from tampering with
host-side git hooks or config.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>