chore: rename claudetainer to codetainer (#75)

All references updated across all case variants:
- claudetainer → codetainer (lowercase)
- Claudetainer → Codetainer (title case)
- CLAUDETAINER → CODETAINER (env vars, iptables prefix)

Author: perezd

CLAUDE.md

@@ -1,4 +1,4 @@
-# Claudetainer
+# Codetainer
 
 ## Security Framework
 

README.md

@@ -1,4 +1,4 @@
-# Claudetainer
+# Codetainer
 
 A hardened Docker container that runs [Claude Code](https://claude.ai/code) on [Fly.io](https://fly.io), accessible via SSH. Designed for long-running, autonomous coding sessions with container hardening and strict network isolation.
 
@@ -93,7 +93,7 @@ Pick the [Fly.io region](https://fly.io/docs/reference/regions/) closest to you
 **Option A: Prebuilt image (fastest)**
 
 ```bash
-fly machine run ghcr.io/perezd/claudetainer:latest \
+fly machine run ghcr.io/perezd/codetainer:latest \
   --app <your-app-name> \
   --region <your-region> \
   --restart no \
@@ -108,7 +108,7 @@ fly machine run ghcr.io/perezd/claudetainer:latest \
 To give Claude an immediate task, add an initialization prompt:
 
 ```bash
-fly machine run ghcr.io/perezd/claudetainer:latest \
+fly machine run ghcr.io/perezd/codetainer:latest \
   --app <your-app-name> \
   --region <your-region> \
   --restart no \
@@ -128,8 +128,8 @@ Claude will begin working on the prompt as soon as the container is ready, befor
 If you want to customize the image (e.g. change installed tools or network allowlists), clone the repo and build directly:
 
 ```bash
-git clone https://github.com/perezd/claudetainer.git
-cd claudetainer
+git clone https://github.com/perezd/codetainer.git
+cd codetainer
 
 fly machine run . --dockerfile Dockerfile \
   --app <your-app-name> \
@@ -168,7 +168,7 @@ Fine-grained tokens are recommended when the target repo belongs to a GitHub **o
 **How to create a fine-grained token (recommended):**
 
 1. Log into the robot GitHub account and go to [github.com/settings/tokens](https://github.com/settings/tokens?type=beta). Click **Generate new token** (fine-grained)
-2. Give it a descriptive name (e.g. `claudetainer - my-repo`)
+2. Give it a descriptive name (e.g. `codetainer - my-repo`)
 3. Under **Resource owner**, select the org or user that owns the repo
 4. Under **Repository access**, select **Only select repositories** and pick the single repo you want Claude to work in
 5. Under **Repository permissions**, grant exactly these:
@@ -230,15 +230,15 @@ See [Telemetry](#telemetry-optional) below for what gets exported and privacy co
 
 These are set via `--env` flags on `fly machine run`. They are not sensitive and don't need to be secrets.
 
-| Variable                   | Required | Default                           | Description                                                                                                                                                                                                                                         |
-| -------------------------- | -------- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `GIT_USER_NAME`            | No       | `claudetainer`                    | Git commit author name                                                                                                                                                                                                                              |
-| `GIT_USER_EMAIL`           | No       | `claudetainer@noreply.github.com` | Git commit author email                                                                                                                                                                                                                             |
-| `REPO_URL`                 | No       | _(none)_                          | HTTPS URL of a GitHub repo to clone on startup. Cloned to `/workspace/repo`. Must be accessible with the `GH_PAT`.                                                                                                                                  |
-| `CLAUDE_PROMPT`            | No       | _(none)_                          | Initialization prompt for Claude Code. When set, Claude immediately begins working on this prompt at boot. Typically a GitHub issue URL (e.g., `https://github.com/org/repo/issues/42`). Visible via `fly machine status` — do not include secrets. |
-| `OTEL_LOG_USER_PROMPTS`    | No       | `1`                               | Set to `0` to exclude user prompt content from telemetry events (only prompt length is recorded). Requires Grafana Cloud telemetry to be enabled.                                                                                                   |
-| `OTEL_LOG_TOOL_DETAILS`    | No       | `1`                               | Set to `0` to exclude tool parameters from telemetry events (only tool name is recorded). Requires Grafana Cloud telemetry to be enabled.                                                                                                           |
-| `OTEL_RESOURCE_ATTRIBUTES` | No       | _(auto: Fly identity)_            | Comma-separated `key=value` pairs added to all metrics and events. `fly.app_name` and `fly.machine_id` are auto-injected; operator values are appended. Requires Grafana Cloud telemetry to be enabled.                                             |
+| Variable                   | Required | Default                         | Description                                                                                                                                                                                                                                         |
+| -------------------------- | -------- | ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `GIT_USER_NAME`            | No       | `codetainer`                    | Git commit author name                                                                                                                                                                                                                              |
+| `GIT_USER_EMAIL`           | No       | `codetainer@noreply.github.com` | Git commit author email                                                                                                                                                                                                                             |
+| `REPO_URL`                 | No       | _(none)_                        | HTTPS URL of a GitHub repo to clone on startup. Cloned to `/workspace/repo`. Must be accessible with the `GH_PAT`.                                                                                                                                  |
+| `CLAUDE_PROMPT`            | No       | _(none)_                        | Initialization prompt for Claude Code. When set, Claude immediately begins working on this prompt at boot. Typically a GitHub issue URL (e.g., `https://github.com/org/repo/issues/42`). Visible via `fly machine status` — do not include secrets. |
+| `OTEL_LOG_USER_PROMPTS`    | No       | `1`                             | Set to `0` to exclude user prompt content from telemetry events (only prompt length is recorded). Requires Grafana Cloud telemetry to be enabled.                                                                                                   |
+| `OTEL_LOG_TOOL_DETAILS`    | No       | `1`                             | Set to `0` to exclude tool parameters from telemetry events (only tool name is recorded). Requires Grafana Cloud telemetry to be enabled.                                                                                                           |
+| `OTEL_RESOURCE_ATTRIBUTES` | No       | _(auto: Fly identity)_          | Comma-separated `key=value` pairs added to all metrics and events. `fly.app_name` and `fly.machine_id` are auto-injected; operator values are appended. Requires Grafana Cloud telemetry to be enabled.                                             |
 
 ## Usage
 
@@ -281,7 +281,7 @@ The machine is configured with `--restart no` and `--autostart=false`, so it sta
 
 ## Telemetry (Optional)
 
-Claudetainer can export Claude Code's native OpenTelemetry metrics and events to [Grafana Cloud](https://grafana.com/products/cloud/) via direct OTLP push. This gives you dashboards for token usage, costs, session activity, and full prompt-level event traces — all in Grafana.
+Codetainer can export Claude Code's native OpenTelemetry metrics and events to [Grafana Cloud](https://grafana.com/products/cloud/) via direct OTLP push. This gives you dashboards for token usage, costs, session activity, and full prompt-level event traces — all in Grafana.
 
 The feature is **opt-in** and **disabled by default**. It activates only when all three Grafana Cloud secrets are set (`GRAFANA_INSTANCE_ID`, `GRAFANA_API_TOKEN`, `GRAFANA_OTLP_ENDPOINT`). When off, there is zero telemetry, zero outbound traffic, and no behavior change.
 
@@ -397,7 +397,7 @@ Edit `claude-settings.json` to add entries under `mcpServers`. The default confi
 | `shared-cpu-2x` / 4GB | Heavy       | Large repos, parallel builds |
 
 ```bash
-fly machine run ghcr.io/perezd/claudetainer:latest \
+fly machine run ghcr.io/perezd/codetainer:latest \
   --vm-memory 2048 \
   --vm-size shared-cpu-2x \
   ...
@@ -432,7 +432,7 @@ fly machine run ghcr.io/perezd/claudetainer:latest \
 ### Source Repository Layout
 
 ```
-claudetainer/
+codetainer/
 ├── network/                     # Network isolation layer
 │   ├── domains.conf             # Domain allowlist (one per line)
 │   └── Corefile.template        # CoreDNS base config (catch-all NXDOMAIN)
@@ -516,10 +516,10 @@ All scripts live in `scripts/` and are copied to `/usr/local/bin/` during the Do
 The GitHub Actions workflow (`.github/workflows/build.yml`) builds and pushes the container image to GHCR on every push to `main`:
 
 ```
-ghcr.io/perezd/claudetainer:latest
+ghcr.io/perezd/codetainer:latest
 ```
 
-The GHCR package must be set to **public** visibility so Fly.io can pull it without registry credentials. To set this, go to the GitHub repo → Packages → `claudetainer` → Package settings → Change visibility → Public.
+The GHCR package must be set to **public** visibility so Fly.io can pull it without registry credentials. To set this, go to the GitHub repo → Packages → `codetainer` → Package settings → Change visibility → Public.
 
 ## Troubleshooting
 

docs/accepted-risks.md

@@ -51,9 +51,9 @@ Each entry includes: risk title, affected layer(s), why it can't be resolved, co
 ### Single PAT for GitHub API and npm registry auth
 
 - **Affected layer:** Container Hardening
-- **Description:** Both `GH_TOKEN` (GitHub API / git credential helper) and `CLAUDETAINER_NPM_TOKEN` (GitHub Packages npm registry) are derived from the same `GH_PAT` at runtime. Compromise of either access path exposes the full PAT, which may have scopes beyond what each consumer needs individually.
+- **Description:** Both `GH_TOKEN` (GitHub API / git credential helper) and `CODETAINER_NPM_TOKEN` (GitHub Packages npm registry) are derived from the same `GH_PAT` at runtime. Compromise of either access path exposes the full PAT, which may have scopes beyond what each consumer needs individually.
 - **Why it can't be resolved:** GitHub fine-grained PATs do not yet support the scope separation needed to create two tokens with disjoint permissions for `gh` CLI operations vs. npm registry access. The operational complexity of managing two classic PATs with minimal-overlap scopes exceeds the security benefit in a single-purpose container.
-- **Compensating controls:** The `CLAUDETAINER_NPM_TOKEN` abstraction allows a future split to separate tokens without changing consumer code. Network isolation limits where either token can be used. Operators should follow least-privilege guidance: prefer fine-grained PATs with minimal scopes.
+- **Compensating controls:** The `CODETAINER_NPM_TOKEN` abstraction allows a future split to separate tokens without changing consumer code. Network isolation limits where either token can be used. Operators should follow least-privilege guidance: prefer fine-grained PATs with minimal scopes.
 - **Severity:** Low
 - **Date identified:** 2026-04-02 (identified during panel review of #32)
 - **Last updated:** 2026-04-06 (removed command approval references — layer pending replacement)

fly/config.sh

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 # Shared configuration for fly machine run commands.
 
-APP="claudetainer"
-IMAGE="ghcr.io/perezd/claudetainer:latest"
+APP="codetainer"
+IMAGE="ghcr.io/perezd/codetainer:latest"
 
 COMMON_FLAGS=(
   --app "$APP"

scripts/attach-claude.sh

@@ -37,7 +37,7 @@ for i in $(seq 1 60); do
 done
 
 # Wait for entrypoint readiness (boot may still be cloning repo, setting up network, etc.)
-READY_FILE="/tmp/claudetainer-ready"
+READY_FILE="/tmp/codetainer-ready"
 if [[ ! -f "$READY_FILE" ]]; then
   for i in $(seq 1 300); do
     [[ -f "$READY_FILE" ]] && break

scripts/entrypoint.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-echo "[ENTRYPOINT] Starting claudetainer..."
+echo "[ENTRYPOINT] Starting codetainer..."
 
 # === 0. Validate required secrets ===
 missing=()
@@ -131,8 +131,8 @@ echo "nameserver 127.0.0.53" > /etc/resolv.conf
 
 # === 3. Git + GitHub configuration ===
 
-git config --system user.name "${GIT_USER_NAME:-claudetainer}"
-git config --system user.email "${GIT_USER_EMAIL:-claudetainer@noreply.github.com}"
+git config --system user.name "${GIT_USER_NAME:-codetainer}"
+git config --system user.email "${GIT_USER_EMAIL:-codetainer@noreply.github.com}"
 
 # Force HTTPS for all GitHub URLs (container has no SSH client)
 git config --system url."https://github.com/".insteadOf "git@github.com:"
@@ -167,7 +167,7 @@ fi
 # Uses env var substitution — npm/bun expand ${VAR} at runtime from the process environment.
 # The file contains only the variable reference, not the plaintext token.
 cat > /home/claude/.npmrc <<'NPMRC'
-//npm.pkg.github.com/:_authToken=${CLAUDETAINER_NPM_TOKEN}
+//npm.pkg.github.com/:_authToken=${CODETAINER_NPM_TOKEN}
 NPMRC
 chown root:root /home/claude/.npmrc
 chmod 644 /home/claude/.npmrc
@@ -332,11 +332,11 @@ if [[ -n "${REPO_URL:-}" ]] && [[ ! -d /workspace/repo/.git ]]; then
 fi
 
 if [[ "$READY" == "true" ]]; then
-  touch /tmp/claudetainer-ready
+  touch /tmp/codetainer-ready
   echo "[ENTRYPOINT] Ready. All checks passed."
 else
   echo "[ENTRYPOINT] WARN: Some checks failed, starting anyway."
-  touch /tmp/claudetainer-ready
+  touch /tmp/codetainer-ready
 fi
 
 # Start Claude Code initialization in background (synchronized via flock)

scripts/refresh-iptables.sh

@@ -49,7 +49,7 @@ if [[ -f "$EXTRA_DOMAINS_FILE" ]] && [[ ! -L "$EXTRA_DOMAINS_FILE" ]]; then
 fi
 
 echo "-A OUTPUT -p udp -j DROP" >> "$RULES_FILE"
-echo '-A OUTPUT -j NFLOG --nflog-prefix "CLAUDETAINER_DROP" --nflog-group 100' >> "$RULES_FILE"
+echo '-A OUTPUT -j NFLOG --nflog-prefix "CODETAINER_DROP" --nflog-group 100' >> "$RULES_FILE"
 echo "COMMIT" >> "$RULES_FILE"
 
 iptables-restore < "$RULES_FILE"

scripts/start-claude.sh

@@ -21,7 +21,7 @@ run_as_claude() {
     HOME="$CLAUDE_HOME" \
     PATH="$CLAUDE_HOME/.local/bin:$CLAUDE_HOME/.bun/bin:$PATH" \
     GH_TOKEN="$GH_PAT" \
-    CLAUDETAINER_NPM_TOKEN="$GH_PAT" \
+    CODETAINER_NPM_TOKEN="$GH_PAT" \
     CLAUDE_CODE_OAUTH_TOKEN="$CLAUDE_CODE_OAUTH_TOKEN" \
     LANG="$LANG" \
     LC_ALL="$LC_ALL" \
@@ -46,13 +46,13 @@ fi
 exec > >(tee -a "$START_LOG") 2>&1
 
 # --- Wait for readiness ---
-echo "Waiting for claudetainer to be ready..."
+echo "Waiting for codetainer to be ready..."
 for i in $(seq 1 60); do
-  [[ -f /tmp/claudetainer-ready ]] && break
+  [[ -f /tmp/codetainer-ready ]] && break
   sleep 1
 done
 
-if [[ ! -f /tmp/claudetainer-ready ]]; then
+if [[ ! -f /tmp/codetainer-ready ]]; then
   echo "WARNING: Timed out waiting for readiness (60s). Starting anyway."
 fi
 
@@ -143,7 +143,7 @@ sudo -u claude \
   HOME="$CLAUDE_HOME" \
   PATH="$CLAUDE_HOME/.local/bin:$CLAUDE_HOME/.bun/bin:$PATH" \
   GH_TOKEN="$GH_PAT" \
-  CLAUDETAINER_NPM_TOKEN="$GH_PAT" \
+  CODETAINER_NPM_TOKEN="$GH_PAT" \
   CLAUDE_CODE_OAUTH_TOKEN="$CLAUDE_CODE_OAUTH_TOKEN" \
   COLORTERM="truecolor" \
   LANG="$LANG" \
@@ -158,7 +158,7 @@ sudo -u claude \
   HOME="$CLAUDE_HOME" \
   PATH="$CLAUDE_HOME/.local/bin:$CLAUDE_HOME/.bun/bin:$PATH" \
   GH_TOKEN="$GH_PAT" \
-  CLAUDETAINER_NPM_TOKEN="$GH_PAT" \
+  CODETAINER_NPM_TOKEN="$GH_PAT" \
   COLORTERM="truecolor" \
   LANG="$LANG" \
   LC_ALL="$LC_ALL" \

scripts/status.sh

@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-echo "=== Claudetainer Status ==="
+echo "=== Codetainer Status ==="
 echo ""
 
 echo "--- Recent iptables Drops ---"
-dmesg 2>/dev/null | grep "CLAUDETAINER_DROP" | tail -5 || echo "  (none)"
+dmesg 2>/dev/null | grep "CODETAINER_DROP" | tail -5 || echo "  (none)"
 echo ""
 
 echo "--- CoreDNS ---"