Reintroduce GitHub PAT setup and devcontainer auth

.claude/commands/trailofbits/config.md

@@ -1,6 +1,6 @@
 You are installing or updating Trail of Bits' Claude Code configuration into the user's `~/.claude/` directory.
 
-@arguments $PERSONA: Persona (developer, l1-auditor, web3-auditor, pentesting)
+@arguments $PERSONA: Persona (developer, web3-auditor, pentesting)
 
 ## Source files
 
@@ -19,9 +19,8 @@ Files to fetch when needed:
 
 ## Steps
 
-1. **Validate persona.** If `$PERSONA` is not provided or not one of `developer`, `l1-auditor`, `web3-auditor`, or `pentesting`, use AskUserQuestion to ask the user to pick one:
+1. **Validate persona.** If `$PERSONA` is not provided or not one of `developer`, `web3-auditor`, or `pentesting`, use AskUserQuestion to ask the user to pick one:
    - **developer** — General software development, code review, feature work (complete)
-   - **l1-auditor** — L1 blockchain security auditing: Cosmos SDK, Geth, consensus-execution coupling (complete)
    - **web3-auditor** — Smart contract auditing, blockchain security (placeholder)
    - **pentesting** — Penetration testing, offensive security (placeholder)
 

.devcontainer/devcontainer.json

@@ -3,7 +3,7 @@
   "name": "Claude Code Sandbox",
   "build": {
     "context": "..",
-    "dockerfile": ".devcontainer/Dockerfile",
+    "dockerfile": "Dockerfile",
     "args": {
       "TZ": "${localEnv:TZ:UTC}",
       "GIT_DELTA_VERSION": "0.18.2",
@@ -65,6 +65,7 @@
     "PIP_DISABLE_PIP_VERSION_CHECK": "1",
     "GOPATH": "/home/vscode/go",
     "GOBIN": "/home/vscode/go/bin",
+    "GH_TOKEN": "${localEnv:GH_TOKEN}",
     "PERSONA": "developer"
   },
   "initializeCommand": "test -f \"$HOME/.gitconfig\" || touch \"$HOME/.gitconfig\"",

.devcontainer/post_install.py

@@ -386,6 +386,99 @@ def setup_global_gitignore():
     )
 
 
+def _warn_broad_token(token: str, source: str):
+    """Warn if token is not a fine-grained PAT (github_pat_*)."""
+    if token.startswith("github_pat_"):
+        return
+    if token.startswith("ghp_"):
+        kind = "classic PAT (ghp_*)"
+    elif token.startswith("gho_"):
+        kind = "OAuth token (gh auth login)"
+    else:
+        kind = "non-fine-grained token"
+    print(
+        f"[post_install] Warning: {source} is a {kind}. "
+        f"Fine-grained PATs (github_pat_*) are recommended — "
+        f"they scope access to specific repos with limited "
+        f"permissions. Run 'bash scripts/setup-gh-token.sh' "
+        f"on the host to set one up.",
+        file=sys.stderr,
+    )
+
+
+def setup_gh_auth():
+    """Configure GitHub auth for gh CLI and git HTTPS credential helper.
+
+    Uses GH_TOKEN env var if set, otherwise checks gh auth status
+    from the persistent volume. Runs gh auth setup-git to configure
+    the git credential helper so both gh API calls and git push/pull
+    work with one token. Never blocks container creation.
+    """
+    gh_token = os.environ.get("GH_TOKEN", "")
+
+    if gh_token:
+        result = subprocess.run(
+            ["gh", "api", "user", "--jq", ".login"],
+            capture_output=True,
+            text=True,
+            env={**os.environ, "GH_TOKEN": gh_token},
+        )
+        if result.returncode == 0 and result.stdout.strip():
+            login = result.stdout.strip()
+            print(
+                f"[post_install] GitHub auth via GH_TOKEN: {login}",
+                file=sys.stderr,
+            )
+            _warn_broad_token(gh_token, "GH_TOKEN")
+        else:
+            print(
+                "[post_install] Warning: GH_TOKEN is set but "
+                "invalid or expired",
+                file=sys.stderr,
+            )
+            return
+    else:
+        result = subprocess.run(
+            ["gh", "auth", "status"],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode != 0:
+            print(
+                "[post_install] Warning: No GitHub auth found. "
+                "Set GH_TOKEN on the host before building, or "
+                "run 'gh auth login' inside the container.",
+                file=sys.stderr,
+            )
+            if result.stderr.strip():
+                print(
+                    f"[post_install]   gh auth status: "
+                    f"{result.stderr.strip()}",
+                    file=sys.stderr,
+                )
+            return
+        # Check token type from gh auth
+        token_result = subprocess.run(
+            ["gh", "auth", "token"],
+            capture_output=True,
+            text=True,
+        )
+        if token_result.returncode == 0 and token_result.stdout.strip():
+            _warn_broad_token(
+                token_result.stdout.strip(), "gh auth token"
+            )
+
+    subprocess.run(
+        ["gh", "auth", "setup-git"],
+        capture_output=True,
+    )
+    print(
+        "[post_install] Git credential helper configured "
+        "(gh auth setup-git)",
+        file=sys.stderr,
+    )
+
+
 def main():
     """Run all post-install configuration."""
     print(
@@ -398,6 +491,7 @@ def main():
     apply_local_overlay()
     setup_tmux_config()
     setup_global_gitignore()
+    setup_gh_auth()
 
     print("[post_install] Configuration complete!", file=sys.stderr)
 

.serena/.gitignore

@@ -0,0 +1,2 @@
+/cache
+/project.local.yml

.serena/project.yml

@@ -0,0 +1,119 @@
+# the name by which the project can be referenced within Serena
+project_name: "claude-code-config"
+
+
+# list of languages for which language servers are started; choose from:
+#   al                  ansible             bash                clojure             cpp
+#   cpp_ccls            crystal             csharp              csharp_omnisharp    dart
+#   elixir              elm                 erlang              fortran             fsharp
+#   go                  groovy              haskell             haxe                hlsl
+#   java                json                julia               kotlin              lean4
+#   lua                 luau                markdown            matlab              msl
+#   nix                 ocaml               pascal              perl                php
+#   php_phpactor        powershell          python              python_jedi         python_ty
+#   r                   rego                ruby                ruby_solargraph     rust
+#   scala               solidity            swift               systemverilog       terraform
+#   toml                typescript          typescript_vts      vue                 yaml
+#   zig
+#   (This list may be outdated. For the current list, see values of Language enum here:
+#   https://github.com/oraios/serena/blob/main/src/solidlsp/ls_config.py
+#   For some languages, there are alternative language servers, e.g. csharp_omnisharp, ruby_solargraph.)
+# Note:
+#   - For C, use cpp
+#   - For JavaScript, use typescript
+#   - For Free Pascal/Lazarus, use pascal
+# Special requirements:
+#   Some languages require additional setup/installations.
+#   See here for details: https://oraios.github.io/serena/01-about/020_programming-languages.html#language-servers
+# When using multiple languages, the first language server that supports a given file will be used for that file.
+# The first language is the default language and the respective language server will be used as a fallback.
+# Note that when using the JetBrains backend, language servers are not used and this list is correspondingly ignored.
+languages:
+- bash
+
+# the encoding used by text files in the project
+# For a list of possible encodings, see https://docs.python.org/3.11/library/codecs.html#standard-encodings
+encoding: "utf-8"
+
+# line ending convention to use when writing source files.
+# Possible values: unset (use global setting), "lf", "crlf", or "native" (platform default)
+# This does not affect Serena's own files (e.g. memories and configuration files), which always use native line endings.
+line_ending:
+
+# The language backend to use for this project.
+# If not set, the global setting from serena_config.yml is used.
+# Valid values: LSP, JetBrains
+# Note: the backend is fixed at startup. If a project with a different backend
+# is activated post-init, an error will be returned.
+language_backend:
+
+# whether to use project's .gitignore files to ignore files
+ignore_all_files_in_gitignore: true
+
+# advanced configuration option allowing to configure language server-specific options.
+# Maps the language key to the options.
+# Have a look at the docstring of the constructors of the LS implementations within solidlsp (e.g., for C# or PHP) to see which options are available.
+# No documentation on options means no options are available.
+ls_specific_settings: {}
+
+# list of additional paths to ignore in this project.
+# Same syntax as gitignore, so you can use * and **.
+# Note: global ignored_paths from serena_config.yml are also applied additively.
+ignored_paths: []
+
+# whether the project is in read-only mode
+# If set to true, all editing tools will be disabled and attempts to use them will result in an error
+# Added on 2025-04-18
+read_only: false
+
+# list of tool names to exclude.
+# This extends the existing exclusions (e.g. from the global configuration)
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+excluded_tools: []
+
+# list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default).
+# This extends the existing inclusions (e.g. from the global configuration).
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+included_optional_tools: []
+
+# fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
+# This cannot be combined with non-empty excluded_tools or included_optional_tools.
+# Find the list of tools here: https://oraios.github.io/serena/01-about/035_tools.html
+fixed_tools: []
+
+# list of mode names that are to be activated by default, overriding the setting in the global configuration.
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# If the setting is undefined/empty, the default_modes from the global configuration (serena_config.yml) apply.
+# Otherwise, this overrides the setting from the global configuration (serena_config.yml).
+# Therefore, you can set this to [] if you do not want the default modes defined in the global config to apply
+# for this project.
+# This setting can, in turn, be overridden by CLI parameters (--mode).
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+default_modes:
+
+# list of mode names to be activated additionally for this project, e.g. ["query-projects"]
+# The full set of modes to be activated is base_modes (from global config) + default_modes + added_modes.
+# See https://oraios.github.io/serena/02-usage/050_configuration.html#modes
+added_modes:
+
+# initial prompt for the project. It will always be given to the LLM upon activating the project
+# (contrary to the memories, which are loaded on demand).
+initial_prompt: ""
+
+# time budget (seconds) per tool call for the retrieval of additional symbol information
+# such as docstrings or parameter information.
+# This overrides the corresponding setting in the global configuration; see the documentation there.
+# If null or missing, use the setting from the global configuration.
+symbol_info_budget:
+
+# list of regex patterns which, when matched, mark a memory entry as read‑only.
+# Extends the list from the global configuration, merging the two lists.
+read_only_memory_patterns: []
+
+# list of regex patterns for memories to completely ignore.
+# Matching memories will not appear in list_memories or activate_project output
+# and cannot be accessed via read_memory or write_memory.
+# To access ignored memory files, use the read_file tool on the raw file path.
+# Extends the list from the global configuration, merging the two lists.
+# Example: ["_archive/.*", "_episodes/.*"]
+ignored_memory_patterns: []