From 793772a34d8dc44b5929348d4e3cb76ad6bdfb7e Mon Sep 17 00:00:00 2001
From: Danijel Martinek <danijel@fraqtal.xyz>
Date: Wed, 13 May 2026 09:27:22 +0200
Subject: [PATCH] feat(sandcastle): Dockerfile installs Claude Code CLI for
 subscription auth

---
 .sandcastle/Dockerfile | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/.sandcastle/Dockerfile b/.sandcastle/Dockerfile
index 2de73d6..3b28ee4 100644
--- a/.sandcastle/Dockerfile
+++ b/.sandcastle/Dockerfile
@@ -1,14 +1,26 @@
-# Minimal sandbox for sandcastle dispatch.
-# Will be extended once the CI image is identified (see ADR-future).
+# Sandcastle sandbox image — runs the implementer + reviewer agents.
+#
+# Includes Claude Code CLI so the sandbox can authenticate via the host's
+# mounted ~/.claude/ session (sandcastle issue #191 workaround — subscription
+# auth, not API-key auth, is our primary flow). Falls back to ANTHROPIC_API_KEY
+# when no host credentials are available.
+
 FROM node:22-bookworm-slim
 
 # pnpm via corepack (matches the repo's pnpm version)
 RUN corepack enable && corepack prepare pnpm@9 --activate
 
+# Claude Code CLI — used by sandcastle's claudeCode() agent provider.
+# The CLI reads credentials from ~/.claude/ inside the container; the host
+# mounts its ~/.claude/ over that path at sandbox start.
+RUN npm install -g @anthropic-ai/claude-code
+
+# Minimal system deps for git operations + healthchecks.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    git \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /workspace
 
-# Repo files are mounted by sandcastle at /workspace at runtime.
-# The agent runs `pnpm install --frozen-lockfile` as its first step
-# per the implementer prompt template.
-
 CMD ["bash"]