feat(config): improve config validation and clarify volume mounts

- Centralize config error handling
- Stricter validation and error reporting
- Clarify /home/claude/ mounts and security in README
- Suppress Node.js proxy warnings

Author: lroolle

README.md

@@ -39,6 +39,8 @@ Claude Code YOLO solves the permission friction of Claude CLI by running it insi
 4. **Non-root Execution**: Runs as a non-root user inside container with UID/GID mapping
 5. **Safety Checks**: Warns before running in dangerous directories like `$HOME`
 
+**Container Info**: Claude runs as `claude` user in `/home/claude/` (not root). Mount configs to `/home/claude/` paths.
+
 This gives you full Claude Code power without compromising your system security.
 
 ## Usage
@@ -143,12 +145,12 @@ Claude YOLO supports configuration files to persist your volume mounts, environm
 
 Example `.claude-yolo` file:
 ```bash
-# Git integration
+# Git integration - mount to claude user's home
 VOLUME=~/.ssh:/home/claude/.ssh:ro
 VOLUME=~/.gitconfig:/home/claude/.gitconfig:ro
 
-# Environment settings
-ENV=NODE_ENV=development
+# Environment settings with expansion support
+ENV=NODE_ENV=${NODE_ENV:-development}
 ENV=DEBUG=myapp:*
 
 # Pass through host env (either form works)
@@ -162,36 +164,46 @@ USE_TRACE=true
 
 See `.claude-yolo.example` and `.claude-yolo.full` for more examples.
 
+### Security Features
+
+Configuration files include security protections:
+- **Path Traversal Prevention**: Blocks dangerous paths like `../../`
+- **Command Injection Protection**: Only allows safe variable expansion
+- **Sensitive Value Masking**: API keys, tokens, and secrets are masked in output (e.g., `API_KEY=sk-a***key`)
+- **Input Validation**: Environment variable names and values are validated
+
 ## Custom Volume Mounting
 
 You can mount additional configuration files or directories using the `-v` flag:
 
 ```bash
-# Mount Git configuration
-claude-yolo -v ~/.gitconfig:/root/.gitconfig
+# Mount Git configuration to claude user's home
+claude-yolo -v ~/.gitconfig:/home/claude/.gitconfig:ro
 
 # Mount SSH keys (read-only)
-claude-yolo -v ~/.ssh:/root/.ssh:ro
+claude-yolo -v ~/.ssh:/home/claude/.ssh:ro
 
 # Resume with SSH keys and tracing enabled
-claude-yolo -v ~/.ssh:/root/.ssh:ro --trace  --continue
+claude-yolo -v ~/.ssh:/home/claude/.ssh:ro --trace --continue
 
 # Multiple mounts
 claude-yolo -v ~/tools:/tools -v ~/data:/data
 
-# Mount custom tool configs
-claude-yolo -v ~/.config/gh:/root/.config/gh
-claude-yolo -v ~/.terraform.d:/root/.terraform.d
+# Mount custom tool configs to claude user paths
+claude-yolo -v ~/.config/gh:/home/claude/.config/gh:ro
+claude-yolo -v ~/.terraform.d:/home/claude/.terraform.d:ro
 ```
 
-**Note**: Volumes mounted to `/root/*` are automatically symlinked to `/home/claude/*` for non-root user access.
+**Note**: Mount personal configs to `/home/claude/` paths since Claude Code runs as the `claude` user, not root.
 
 ## Key Features
 
 - **Full Dev Environment**: Python, Node.js, Go, Rust, and common tools pre-installed
 - **Proxy Support**: Automatic `localhost` → `host.docker.internal` translation
 - **Model Selection**: Use any Claude model via `ANTHROPIC_MODEL` env var
 - **Request Tracing**: Debug with `--trace` flag using claude-trace
+- **Security-First**: Sensitive environment variable masking and path validation
+- **Environment Expansion**: Support for `${VAR:-default}` syntax in config files
 - **Docker Socket**: Optional mounting with `CCYOLO_DOCKER_SOCKET=true`
 
 
@@ -231,7 +243,7 @@ make build
 ### Custom Claude Version
 
 ```bash
-make CLAUDE_CODE_VERSION=1.0.45 build  # Specific version
+make CLAUDE_CODE_VERSION=1.0.93 build  # Specific version
 make CLAUDE_CODE_VERSION=latest build  # Latest version
 ```
 

claude.sh

@@ -217,6 +217,7 @@ CONFIG_DIR=""
 SKIP_CONFIG=false
 QUIET=false
 DOCKER_ONLY_WARNINGS=()
+CONFIG_ERRORS=()
 
 green() { echo -e "\033[32m$1\033[0m"; }
 yellow() { echo -e "\033[33m$1\033[0m"; }
@@ -355,13 +356,11 @@ validate_config_value() {
 
 process_volume_config() {
     local value="$1"
-    local errors_var="$2"
-    declare -n errors_ref="$errors_var"
-
+    
     value="${value//\"/}"
 
     if ! validate_config_value "VOLUME" "$value"; then
-        errors_ref+=("Invalid volume: $value")
+        CONFIG_ERRORS+=("Invalid volume: $value")
         return 1
     fi
 
@@ -373,19 +372,17 @@ process_volume_config() {
         EXTRA_VOLUMES+=("-v" "$value")
         DOCKER_ONLY_WARNINGS+=("Config volume mount: $value (ignored in local mode)")
     else
-        errors_ref+=("Volume validation failed: $value")
+        CONFIG_ERRORS+=("Volume validation failed: $value")
     fi
 }
 
 process_env_config() {
     local value="$1"
-    local errors_var="$2"
-    declare -n errors_ref="$errors_var"
-
+    
     value="${value//\"/}"
 
     if ! validate_config_value "ENV" "$value"; then
-        errors_ref+=("Invalid env: $value")
+        CONFIG_ERRORS+=("Invalid env: $value")
         return 1
     fi
 
@@ -396,7 +393,8 @@ process_env_config() {
             EXTRA_ENV_VARS+=("-e" "$name=$val")
             DOCKER_ONLY_WARNINGS+=("Config environment variable: $name=$val (ignored in local mode)")
         else
-            errors_ref+=("Invalid env name: $name")
+            CONFIG_ERRORS+=("Invalid env name: $name")
+        fi
     else
         # Shorthand pass-through: ENV=${VAR} or ENV=$VAR
         if [[ "$value" =~ ^\$\{([A-Za-z_][A-Za-z0-9_]*)\}$ ]] || [[ "$value" =~ ^\$([A-Za-z_][A-Za-z0-9_]*)$ ]]; then
@@ -417,18 +415,15 @@ process_env_config() {
 process_var_config() {
     local name="$1"
     local value="$2"
-    local errors_var="$3"
-    declare -n errors_ref="$errors_var"
-
     if ! [[ "$name" =~ ^[A-Z][A-Z0-9_]*$ ]]; then
-        errors_ref+=("Invalid variable name: $name")
+        CONFIG_ERRORS+=("Invalid variable name: $name")
         return 1
     fi
 
     value="${value//\"/}"
 
     if ! validate_config_value "$name" "$value"; then
-        errors_ref+=("Validation failed for $name=$value")
+        CONFIG_ERRORS+=("Validation failed for $name=$value")
         return 1
     fi
 
@@ -441,14 +436,14 @@ process_var_config() {
         CONFIG_DIR="$value"
         if [ ! -d "$CONFIG_DIR" ]; then
             mkdir -p "$CONFIG_DIR" 2>/dev/null || {
-                errors_ref+=("Cannot create CONFIG_DIR: $CONFIG_DIR")
+                CONFIG_ERRORS+=("Cannot create CONFIG_DIR: $CONFIG_DIR")
                 CONFIG_DIR=""
                 return 1
             }
         fi
         if [ -n "$CONFIG_DIR" ] && [ ! -f "$CONFIG_DIR/.claude.json" ]; then
             echo '{}' >"$CONFIG_DIR/.claude.json" 2>/dev/null || {
-                errors_ref+=("Cannot create $CONFIG_DIR/.claude.json")
+                CONFIG_ERRORS+=("Cannot create $CONFIG_DIR/.claude.json")
             }
         fi
         ;;
@@ -481,7 +476,7 @@ process_var_config() {
         if [[ "$name" =~ ^(DISABLE_|MAX_|ANTHROPIC_|CLAUDE_|AWS_|GOOGLE_) ]]; then
             export "$name"="$value"
         else
-            errors_ref+=("Unknown config variable: $name")
+            CONFIG_ERRORS+=("Unknown config variable: $name")
         fi
         ;;
     esac
@@ -496,25 +491,28 @@ load_config_file() {
     # we would need to read the file once into memory and process from there.
     # However, given the nature of config files (user-controlled, local),
     # the security impact is minimal and the current approach is pragmatic.
-    local errors=()
+    local initial_error_count=${#CONFIG_ERRORS[@]}
 
     while IFS= read -r line || [ -n "$line" ]; do
         [[ "$line" =~ ^[[:space:]]*#|^[[:space:]]*$ ]] && continue
 
         if [[ "$line" =~ ^[[:space:]]*VOLUME[[:space:]]*=[[:space:]]*(.+)$ ]]; then
-            process_volume_config "${BASH_REMATCH[1]}" errors
+            process_volume_config "${BASH_REMATCH[1]}"
         elif [[ "$line" =~ ^[[:space:]]*ENV[[:space:]]*=[[:space:]]*(.+)$ ]]; then
-            process_env_config "${BASH_REMATCH[1]}" errors
+            process_env_config "${BASH_REMATCH[1]}"
         elif [[ "$line" =~ ^[[:space:]]*([A-Z_]+)[[:space:]]*=[[:space:]]*(.+)$ ]]; then
-            process_var_config "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}" errors
+            process_var_config "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
         else
-            errors+=("Invalid line format: $line")
+            CONFIG_ERRORS+=("Invalid line format: $line")
         fi
     done <"$config_file"
 
-    if [ ${#errors[@]} -gt 0 ]; then
-        echo "ERROR: Config file $config_file has ${#errors[@]} error(s):" >&2
-        printf '%s\n' "${errors[@]}" >&2
+    # Check if new errors were added during this file's processing
+    if [ ${#CONFIG_ERRORS[@]} -gt "$initial_error_count" ]; then
+        echo "ERROR: Config file $config_file has $((${#CONFIG_ERRORS[@]} - initial_error_count)) error(s):" >&2
+        for ((i=initial_error_count; i<${#CONFIG_ERRORS[@]}; i++)); do
+            echo "  ${CONFIG_ERRORS[$i]}" >&2
+        done
         exit 1
     fi
 }
@@ -839,6 +837,9 @@ run_claude_local() {
     blue '────────────────────────────────────'
     echo ""
 
+    # Suppress Node.js experimental proxy warnings from Claude Code CLI
+    export NODE_NO_WARNINGS=1
+
     if [ "$USE_TRACE" = true ]; then
         if command -v "$CLAUDE_TRACE_PATH" >/dev/null 2>&1; then
             CLAUDE_CMD="$CLAUDE_TRACE_PATH"
@@ -968,6 +969,9 @@ if [ ${#EXTRA_VOLUMES[@]} -gt 0 ]; then
     DOCKER_ARGS+=("-e" "CCYOLO_EXTRA_VOLUMES=$CCYOLO_EXTRA_VOLUMES")
 fi
 
+# Suppress Node.js experimental proxy warnings from Claude Code CLI
+DOCKER_ARGS+=("-e" "NODE_NO_WARNINGS=1")
+
 # Pass extra environment variables specified with -e
 if [ ${#EXTRA_ENV_VARS[@]} -gt 0 ]; then
     for env_var in "${EXTRA_ENV_VARS[@]}"; do