Merge pull request 'fix: Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC in factory sessions and disinto init (#725)' (#753) from fix/issue-725 into main

.env.example

@@ -55,3 +55,9 @@ BASE_RPC_URL=                              # [SECRET] on-chain RPC endpoint
 # ── Tuning ────────────────────────────────────────────────────────────────
 CLAUDE_TIMEOUT=7200                        # [CONFIG] max seconds per Claude invocation
 
+# ── Factory safety ────────────────────────────────────────────────────────
+# Disables Claude Code auto-updater, telemetry, error reporting, and bug
+# command. Factory sessions are production processes — they must never phone
+# home or auto-update mid-session. Added after #725 (crash during red-team run).
+CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 # [CONFIG] suppress all non-essential traffic
+

bin/disinto

@@ -1416,6 +1416,12 @@ p.write_text(text)
     echo "Config:  WOODPECKER_AGENT_SECRET generated and saved to .env"
   fi
 
+  # Ensure Claude Code never auto-updates, phones home, or sends telemetry (#725)
+  if ! grep -q '^CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=' "$env_file" 2>/dev/null; then
+    printf 'CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1\n' >> "$env_file"
+    echo "Config:  CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 saved to .env"
+  fi
+
   # Create labels on remote
   create_labels "$forge_repo" "$forge_url"
 

lib/env.sh

@@ -81,6 +81,10 @@ export WOODPECKER_REPO_ID="${WOODPECKER_REPO_ID:-}"
 export WOODPECKER_SERVER="${WOODPECKER_SERVER:-http://localhost:8000}"
 export CLAUDE_TIMEOUT="${CLAUDE_TIMEOUT:-7200}"
 
+# Disable Claude Code auto-updater, telemetry, error reporting in factory sessions.
+# Factory processes must never phone home or auto-update mid-session (#725).
+export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
+
 # Matrix homeserver: inside compose Dendrite is at http://dendrite:8008,
 # on bare metal it defaults to http://localhost:8008.
 if [ -z "${MATRIX_HOMESERVER:-}" ]; then