feat: implement rock-solid Claude Max subscription authentication

This comprehensive update adds support for Claude Max subscription authentication
and improves the overall authentication system with multiple methods:

🔐 Claude Authentication Enhancements:
- Add setup container method for Claude Max/20x subscription usage ($20-200/month)
- Create interactive authentication script (setup-claude-interactive.sh)
- Add authentication testing utility (test-claude-auth.sh)
- Support three authentication methods: Setup Container, API Key, AWS Bedrock
- Comprehensive authentication documentation

📁 Directory Configuration:
- Add CLAUDE_HUB_DIR environment variable (default: ~/.claude-hub)
- Update .gitignore to use .claude-hub/ instead of hardcoded paths
- Consistent environment variable usage across all scripts

🐙 GitHub Token Support:
- Add fine-grained GitHub token support (github_pat_) alongside classic tokens (ghp_)
- Update token validation in claudeService and githubService
- Enhanced token detection and authentication flow

📖 Documentation & Guides:
- Add complete Claude Authentication Guide with all three methods
- Add Setup Container Deep Dive documentation
- Update CLAUDE.md with quick start authentication section
- Comprehensive cost comparison and use case recommendations

🐳 Container & Docker Improvements:
- Update Dockerfile.claudecode with proper entrypoint script copying
- Add Dockerfile.claude-setup for interactive authentication
- Update docker-compose.yml with new port (3003) and environment variables
- Enhanced container volume mounting for authentication

🔧 Infrastructure Updates:
- Add TRUST_PROXY configuration for reverse proxy environments
- Update port configuration from 3002 to 3003
- Enhanced environment variable documentation in .env.example
- Debug utilities for troubleshooting authentication issues

This update enables Claude Max subscribers to use their existing subscriptions
for automation, potentially saving thousands in API costs while maintaining
full production capabilities.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

scripts/runtime/claudecode-entrypoint.sh

@@ -13,6 +13,44 @@ set -e
 mkdir -p /workspace
 chown -R node:node /workspace
 
+# Set up Claude authentication by syncing from captured auth directory
+if [ -d "/claude-auth-source" ]; then
+  echo "Setting up Claude authentication from captured auth directory..." >&2
+  
+  # Create a writable copy of Claude configuration in workspace
+  CLAUDE_WORK_DIR="/workspace/.claude"
+  mkdir -p "$CLAUDE_WORK_DIR"
+  
+  echo "DEBUG: Source auth directory contents:" >&2
+  ls -la /claude-auth-source/ >&2 || echo "DEBUG: Source auth directory not accessible" >&2
+  
+  # Sync entire auth directory to writable location (including database files, project state, etc.)
+  if command -v rsync >/dev/null 2>&1; then
+    rsync -av /claude-auth-source/ "$CLAUDE_WORK_DIR/" 2>/dev/null || echo "rsync failed, trying cp" >&2
+  else
+    # Fallback to cp with comprehensive copying
+    cp -r /claude-auth-source/* "$CLAUDE_WORK_DIR/" 2>/dev/null || true
+    cp -r /claude-auth-source/.* "$CLAUDE_WORK_DIR/" 2>/dev/null || true
+  fi
+  
+  echo "DEBUG: Working directory contents after sync:" >&2
+  ls -la "$CLAUDE_WORK_DIR/" >&2 || echo "DEBUG: Working directory not accessible" >&2
+  
+  # Set proper ownership and permissions for the node user
+  chown -R node:node "$CLAUDE_WORK_DIR"
+  chmod 600 "$CLAUDE_WORK_DIR"/.credentials.json 2>/dev/null || true
+  chmod 755 "$CLAUDE_WORK_DIR" 2>/dev/null || true
+  
+  echo "DEBUG: Final permissions check:" >&2
+  ls -la "$CLAUDE_WORK_DIR/.credentials.json" >&2 || echo "DEBUG: .credentials.json not found" >&2
+  
+  echo "Claude authentication directory synced to $CLAUDE_WORK_DIR" >&2
+elif [ -d "/home/node/.claude" ]; then
+  echo "WARNING: Found /home/node/.claude but no /claude-auth-source. This might use your personal auth." >&2
+else
+  echo "WARNING: No Claude authentication source found." >&2
+fi
+
 # Configure GitHub authentication
 if [ -n "${GITHUB_TOKEN}" ]; then
   export GH_TOKEN="${GITHUB_TOKEN}"
@@ -45,8 +83,26 @@ fi
 sudo -u node git config --global user.email "${BOT_EMAIL:-claude@example.com}"
 sudo -u node git config --global user.name "${BOT_USERNAME:-ClaudeBot}"
 
-# Configure Anthropic API key
-export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}"
+# Configure Claude authentication
+# Support both API key and interactive auth methods
+echo "DEBUG: Checking authentication options..." >&2
+echo "DEBUG: ANTHROPIC_API_KEY set: $([ -n "${ANTHROPIC_API_KEY}" ] && echo 'YES' || echo 'NO')" >&2
+echo "DEBUG: /workspace/.claude/.credentials.json exists: $([ -f "/workspace/.claude/.credentials.json" ] && echo 'YES' || echo 'NO')" >&2
+echo "DEBUG: /workspace/.claude contents:" >&2
+ls -la /workspace/.claude/ >&2 || echo "DEBUG: /workspace/.claude directory not found" >&2
+
+if [ -n "${ANTHROPIC_API_KEY}" ]; then
+  echo "Using Anthropic API key for authentication..." >&2
+  export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}"
+elif [ -f "/workspace/.claude/.credentials.json" ]; then
+  echo "Using Claude interactive authentication from working directory..." >&2
+  # No need to set ANTHROPIC_API_KEY - Claude CLI will use the credentials file
+  # Set HOME to point to our working directory for Claude CLI
+  export CLAUDE_HOME="/workspace/.claude"
+  echo "DEBUG: Set CLAUDE_HOME to $CLAUDE_HOME" >&2
+else
+  echo "WARNING: No Claude authentication found. Please set ANTHROPIC_API_KEY or ensure ~/.claude is mounted." >&2
+fi
 
 # Create response file with proper permissions
 RESPONSE_FILE="/workspace/response.txt"
@@ -65,9 +121,18 @@ fi
 # Log the command length for debugging
 echo "Command length: ${#COMMAND}" >&2
 
-# Run Claude Code
+# Run Claude Code with proper HOME environment
+# If we synced Claude auth to workspace, use workspace as HOME
+if [ -f "/workspace/.claude/.credentials.json" ]; then
+  CLAUDE_USER_HOME="/workspace"
+  echo "DEBUG: Using /workspace as HOME for Claude CLI (synced auth)" >&2
+else
+  CLAUDE_USER_HOME="${CLAUDE_HOME:-/home/node}"
+  echo "DEBUG: Using $CLAUDE_USER_HOME as HOME for Claude CLI (fallback)" >&2
+fi
+
 sudo -u node -E env \
-    HOME="/home/node" \
+    HOME="$CLAUDE_USER_HOME" \
     PATH="/usr/local/bin:/usr/local/share/npm-global/bin:$PATH" \
     ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}" \
     GH_TOKEN="${GITHUB_TOKEN}" \

scripts/runtime/claudecode-tagging-entrypoint.sh

@@ -12,6 +12,44 @@ set -e
 mkdir -p /workspace
 chown -R node:node /workspace
 
+# Set up Claude authentication by syncing from captured auth directory
+if [ -d "/claude-auth-source" ]; then
+  echo "Setting up Claude authentication from captured auth directory..." >&2
+  
+  # Create a writable copy of Claude configuration in workspace
+  CLAUDE_WORK_DIR="/workspace/.claude"
+  mkdir -p "$CLAUDE_WORK_DIR"
+  
+  echo "DEBUG: Source auth directory contents:" >&2
+  ls -la /claude-auth-source/ >&2 || echo "DEBUG: Source auth directory not accessible" >&2
+  
+  # Sync entire auth directory to writable location (including database files, project state, etc.)
+  if command -v rsync >/dev/null 2>&1; then
+    rsync -av /claude-auth-source/ "$CLAUDE_WORK_DIR/" 2>/dev/null || echo "rsync failed, trying cp" >&2
+  else
+    # Fallback to cp with comprehensive copying
+    cp -r /claude-auth-source/* "$CLAUDE_WORK_DIR/" 2>/dev/null || true
+    cp -r /claude-auth-source/.* "$CLAUDE_WORK_DIR/" 2>/dev/null || true
+  fi
+  
+  echo "DEBUG: Working directory contents after sync:" >&2
+  ls -la "$CLAUDE_WORK_DIR/" >&2 || echo "DEBUG: Working directory not accessible" >&2
+  
+  # Set proper ownership and permissions for the node user
+  chown -R node:node "$CLAUDE_WORK_DIR"
+  chmod 600 "$CLAUDE_WORK_DIR"/.credentials.json 2>/dev/null || true
+  chmod 755 "$CLAUDE_WORK_DIR" 2>/dev/null || true
+  
+  echo "DEBUG: Final permissions check:" >&2
+  ls -la "$CLAUDE_WORK_DIR/.credentials.json" >&2 || echo "DEBUG: .credentials.json not found" >&2
+  
+  echo "Claude authentication directory synced to $CLAUDE_WORK_DIR" >&2
+elif [ -d "/home/node/.claude" ]; then
+  echo "WARNING: Found /home/node/.claude but no /claude-auth-source. This might use your personal auth." >&2
+else
+  echo "WARNING: No Claude authentication source found." >&2
+fi
+
 # Configure GitHub authentication
 if [ -n "${GITHUB_TOKEN}" ]; then
   export GH_TOKEN="${GITHUB_TOKEN}"
@@ -39,8 +77,19 @@ sudo -u node git checkout main >&2 || sudo -u node git checkout master >&2
 sudo -u node git config --global user.email "${BOT_EMAIL:-claude@example.com}"
 sudo -u node git config --global user.name "${BOT_USERNAME:-ClaudeBot}"
 
-# Configure Anthropic API key
-export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}"
+# Configure Claude authentication
+# Support both API key and interactive auth methods
+if [ -n "${ANTHROPIC_API_KEY}" ]; then
+  echo "Using Anthropic API key for authentication..." >&2
+  export ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}"
+elif [ -f "/workspace/.claude/.credentials.json" ]; then
+  echo "Using Claude interactive authentication from working directory..." >&2
+  # No need to set ANTHROPIC_API_KEY - Claude CLI will use the credentials file
+  # Set HOME to point to our working directory for Claude CLI
+  export CLAUDE_HOME="/workspace/.claude"
+else
+  echo "WARNING: No Claude authentication found. Please set ANTHROPIC_API_KEY or ensure ~/.claude is mounted." >&2
+fi
 
 # Create response file with proper permissions
 RESPONSE_FILE="/workspace/response.txt"
@@ -60,8 +109,17 @@ fi
 echo "Command length: ${#COMMAND}" >&2
 
 # Run Claude Code with minimal tool set: Read (for repository context) and GitHub (for label operations)
+# If we synced Claude auth to workspace, use workspace as HOME
+if [ -f "/workspace/.claude/.credentials.json" ]; then
+  CLAUDE_USER_HOME="/workspace"
+  echo "DEBUG: Using /workspace as HOME for Claude CLI (synced auth)" >&2
+else
+  CLAUDE_USER_HOME="${CLAUDE_HOME:-/home/node}"
+  echo "DEBUG: Using $CLAUDE_USER_HOME as HOME for Claude CLI (fallback)" >&2
+fi
+
 sudo -u node -E env \
-    HOME="/home/node" \
+    HOME="$CLAUDE_USER_HOME" \
     PATH="/usr/local/bin:/usr/local/share/npm-global/bin:$PATH" \
     ANTHROPIC_API_KEY="${ANTHROPIC_API_KEY}" \
     GH_TOKEN="${GITHUB_TOKEN}" \

scripts/setup/setup-claude-interactive.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+set -e
+
+# Claude Interactive Authentication Setup Script
+# This script creates a container for interactive Claude authentication
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+AUTH_OUTPUT_DIR="${CLAUDE_HUB_DIR:-$HOME/.claude-hub}"
+
+echo "🔧 Claude Interactive Authentication Setup"
+echo "========================================="
+echo ""
+
+# Create output directory for authentication state
+mkdir -p "$AUTH_OUTPUT_DIR"
+
+echo "📦 Building Claude setup container..."
+docker build -f "$PROJECT_ROOT/Dockerfile.claude-setup" -t claude-setup:latest "$PROJECT_ROOT"
+
+echo ""
+echo "🚀 Starting interactive Claude authentication container..."
+echo ""
+echo "IMPORTANT: This will open an interactive shell where you can:"
+echo "  1. Run 'claude login' to authenticate"
+echo "  2. Follow the browser-based authentication flow"
+echo "  3. Test with 'claude status' to verify authentication"
+echo "  4. Type 'exit' when done to preserve authentication state"
+echo ""
+echo "The authenticated ~/.claude directory will be saved to:"
+echo "  $AUTH_OUTPUT_DIR"
+echo ""
+read -p "Press Enter to continue or Ctrl+C to cancel..."
+
+# Run the interactive container
+docker run -it --rm \
+  -v "$AUTH_OUTPUT_DIR:/auth-output" \
+  -v "$HOME/.gitconfig:/home/node/.gitconfig:ro" \
+  --name claude-auth-setup \
+  claude-setup:latest
+
+echo ""
+echo "📋 Checking authentication output..."
+
+if [ -f "$AUTH_OUTPUT_DIR/.credentials.json" ] || [ -f "$AUTH_OUTPUT_DIR/settings.local.json" ]; then
+  echo "✅ Authentication files found in $AUTH_OUTPUT_DIR"
+  echo ""
+  echo "📁 Captured authentication files:"
+  find "$AUTH_OUTPUT_DIR" -type f -name "*.json" -o -name "*.db" | head -10
+  echo ""
+  echo "🔄 To use this authentication in your webhook service:"
+  echo "  1. Copy files to your ~/.claude directory:"
+  echo "     cp -r $AUTH_OUTPUT_DIR/* ~/.claude/"
+  echo "  2. Or update docker-compose.yml to mount the auth directory:"
+  echo "     - $AUTH_OUTPUT_DIR:/home/node/.claude:ro"
+  echo ""
+else
+  echo "⚠️  No authentication files found. You may need to:"
+  echo "  1. Run the container again and complete the authentication flow"
+  echo "  2. Ensure you ran 'claude login' and completed the browser authentication"
+  echo "  3. Check that you have an active Claude Max or Pro subscription"
+fi
+
+echo ""
+echo "🧪 Testing authentication..."
+echo "You can test the captured authentication with:"
+echo "  docker run --rm -v \"$AUTH_OUTPUT_DIR:/home/node/.claude:ro\" claude-setup:latest claude status"

scripts/setup/test-claude-auth.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+set -e
+
+# Test captured Claude authentication
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+AUTH_OUTPUT_DIR="${CLAUDE_HUB_DIR:-$HOME/.claude-hub}"
+
+echo "🧪 Testing Claude Authentication"
+echo "================================"
+echo ""
+
+if [ ! -d "$AUTH_OUTPUT_DIR" ]; then
+  echo "❌ Authentication directory not found: $AUTH_OUTPUT_DIR"
+  echo "   Run ./scripts/setup/setup-claude-interactive.sh first"
+  exit 1
+fi
+
+echo "📁 Authentication files found:"
+find "$AUTH_OUTPUT_DIR" -type f | head -20
+echo ""
+
+echo "🔍 Testing authentication with Claude CLI..."
+echo ""
+
+# Test Claude version
+echo "1. Testing Claude CLI version..."
+docker run --rm \
+  -v "$AUTH_OUTPUT_DIR:/home/node/.claude:ro" \
+  claude-setup:latest \
+  sudo -u node -E env HOME=/home/node PATH=/usr/local/share/npm-global/bin:$PATH \
+  /usr/local/share/npm-global/bin/claude --version
+
+echo ""
+
+# Test Claude status (might fail due to TTY requirements)
+echo "2. Testing Claude status..."
+docker run --rm \
+  -v "$AUTH_OUTPUT_DIR:/home/node/.claude:ro" \
+  claude-setup:latest \
+  timeout 5 sudo -u node -E env HOME=/home/node PATH=/usr/local/share/npm-global/bin:$PATH \
+  /usr/local/share/npm-global/bin/claude status 2>&1 || echo "Status command failed (expected due to TTY requirements)"
+
+echo ""
+
+# Test Claude with a simple print command
+echo "3. Testing Claude with simple command..."
+docker run --rm \
+  -v "$AUTH_OUTPUT_DIR:/home/node/.claude:ro" \
+  claude-setup:latest \
+  timeout 10 sudo -u node -E env HOME=/home/node PATH=/usr/local/share/npm-global/bin:$PATH \
+  /usr/local/share/npm-global/bin/claude --print "Hello, testing authentication" 2>&1 || echo "Print command failed"
+
+echo ""
+echo "🔍 Authentication file analysis:"
+echo "================================"
+
+# Check for key authentication files
+if [ -f "$AUTH_OUTPUT_DIR/.credentials.json" ]; then
+  echo "✅ .credentials.json found ($(wc -c < "$AUTH_OUTPUT_DIR/.credentials.json") bytes)"
+else
+  echo "❌ .credentials.json not found"
+fi
+
+if [ -f "$AUTH_OUTPUT_DIR/settings.local.json" ]; then
+  echo "✅ settings.local.json found"
+  echo "   Contents: $(head -1 "$AUTH_OUTPUT_DIR/settings.local.json")"
+else
+  echo "❌ settings.local.json not found"
+fi
+
+if [ -d "$AUTH_OUTPUT_DIR/statsig" ]; then
+  echo "✅ statsig directory found ($(ls -1 "$AUTH_OUTPUT_DIR/statsig" | wc -l) files)"
+else
+  echo "❌ statsig directory not found"
+fi
+
+# Look for SQLite databases
+DB_FILES=$(find "$AUTH_OUTPUT_DIR" -name "*.db" 2>/dev/null | wc -l)
+if [ "$DB_FILES" -gt 0 ]; then
+  echo "✅ Found $DB_FILES SQLite database files"
+  find "$AUTH_OUTPUT_DIR" -name "*.db" | head -5
+else
+  echo "❌ No SQLite database files found"
+fi
+
+echo ""
+echo "💡 Next steps:"
+echo "  If authentication tests pass, copy to your main Claude directory:"
+echo "    cp -r $AUTH_OUTPUT_DIR/* ~/.claude/"
+echo "  Or update your webhook service to use this authentication directory"