Merge branch 'master' of https://github.com/The-OpenROAD-Project-private/OpenROAD-flow-scripts into secure-yosys_fix

Author: eder-matheus

claude.sh

@@ -0,0 +1,158 @@
+#!/usr/bin/env bash
+# Wrapper to run Claude Code inside a Docker container with
+# --dangerously-skip-permissions.  The repo is volume-mounted so all
+# edits are reflected on the host.
+#
+# Usage:
+#   ./claude.sh --build          # build the Docker image (one-time)
+#   ./claude.sh                  # start Claude Code interactively
+#   ./claude.sh --shell          # get a bash shell instead
+#   ./claude.sh -- -p "prompt"   # pass extra args to claude
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# --- Defaults (overridable via environment) ---
+CLAUDE_IMAGE="${CLAUDE_IMAGE:-openroad/flow-claude:latest}"
+CONTAINER_NAME="${CONTAINER_NAME:-claude-orfs}"
+
+# --- Argument parsing ---
+SHELL_MODE=0
+BUILD_IMAGE=0
+CLAUDE_ARGS=()
+
+usage() {
+    cat <<EOF
+Usage: $0 [OPTIONS] [-- CLAUDE_ARGS...]
+
+Options:
+    --build             Build the Docker image
+    --shell             Start a bash shell instead of Claude Code
+    --image NAME        Override Docker image (default: ${CLAUDE_IMAGE})
+    --name NAME         Override container name (default: ${CONTAINER_NAME})
+    -h, --help          Show this help
+
+Environment:
+    CLAUDE_IMAGE        Docker image override (same as --image).
+    CONTAINER_NAME      Container name override (same as --name).
+    ANTHROPIC_API_KEY   Optional. Passed through if set.
+
+Examples:
+    $0 --build                      # build the image
+    $0                              # interactive Claude Code
+    $0 -- -p "fix the floorplan"    # Claude with a prompt
+    $0 --shell                      # bash inside the container
+EOF
+    exit 0
+}
+
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --build)     BUILD_IMAGE=1; shift ;;
+        --shell)     SHELL_MODE=1; shift ;;
+        --image)     CLAUDE_IMAGE="$2"; shift 2 ;;
+        --name)      CONTAINER_NAME="$2"; shift 2 ;;
+        -h|--help)   usage ;;
+        --)          shift; CLAUDE_ARGS=("$@"); break ;;
+        *)           CLAUDE_ARGS+=("$1"); shift ;;
+    esac
+done
+
+# --- Build image (explicitly or automatically if missing) ---
+_build_image() {
+    echo "Building Claude Code Docker image: ${CLAUDE_IMAGE}"
+    docker build \
+        -f "${SCRIPT_DIR}/docker/Dockerfile.claude" \
+        -t "${CLAUDE_IMAGE}" \
+        "${SCRIPT_DIR}/docker"
+    echo "Done.  Image: ${CLAUDE_IMAGE}"
+}
+
+if [[ "${BUILD_IMAGE}" -eq 1 ]]; then
+    _build_image
+    # If only --build was given, exit.
+    if [[ "${SHELL_MODE}" -eq 0 ]] && [[ ${#CLAUDE_ARGS[@]} -eq 0 ]]; then
+        exit 0
+    fi
+elif ! docker image inspect "${CLAUDE_IMAGE}" > /dev/null 2>&1; then
+    echo "Image ${CLAUDE_IMAGE} not found. Building automatically..."
+    _build_image
+fi
+
+# --- Determine the user's home inside the container ---
+# The entrypoint creates /home/claude-user for the mapped user.
+CONTAINER_HOME="/home/claude-user"
+
+# --- Assemble docker run arguments ---
+DOCKER_RUN_ARGS=(
+    --rm
+    --name "${CONTAINER_NAME}"
+    -v "${SCRIPT_DIR}:/workspace"
+    -e "HOST_UID=$(id -u)"
+    -e "HOST_GID=$(id -g)"
+    -w /workspace
+)
+
+# TTY/stdin handling for interactive, CI, and piped-input cases:
+#   * terminal in + terminal out → -it   (normal interactive use)
+#   * anything else              → -i    (pass stdin through; no TTY)
+# Forcing -it unconditionally breaks non-interactive use
+# ("cannot attach stdin to a TTY-enabled container"), and dropping -i
+# would silently discard piped input like `cat prompt.txt | claude.sh ...`.
+if [[ -t 0 && -t 1 ]]; then
+    DOCKER_RUN_ARGS+=(-it)
+else
+    DOCKER_RUN_ARGS+=(-i)
+fi
+
+# Pass through optional environment variables
+for var in ANTHROPIC_API_KEY ANTHROPIC_MODEL CLAUDE_CODE_MAX_TURNS \
+           CLAUDE_CODE_USE_BEDROCK \
+           AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION \
+           GOOGLE_APPLICATION_CREDENTIALS; do
+    if [[ -v "$var" ]] && [[ -n "${!var}" ]]; then
+        DOCKER_RUN_ARGS+=(-e "${var}=${!var}")
+    fi
+done
+
+# SSH agent forwarding (for git push/pull over SSH)
+if [[ -n "${SSH_AUTH_SOCK:-}" ]]; then
+    DOCKER_RUN_ARGS+=(
+        -v "${SSH_AUTH_SOCK}:/tmp/ssh-agent.sock"
+        -e "SSH_AUTH_SOCK=/tmp/ssh-agent.sock"
+    )
+fi
+
+# Host gitconfig (read-only, for user.name / user.email)
+if [[ -f "${HOME}/.gitconfig" ]]; then
+    DOCKER_RUN_ARGS+=(-v "${HOME}/.gitconfig:${CONTAINER_HOME}/.gitconfig:ro")
+fi
+
+# Persist Claude Code settings / history / memory across runs
+CLAUDE_CONFIG_DIR="${HOME}/.claude"
+mkdir -p "${CLAUDE_CONFIG_DIR}"
+DOCKER_RUN_ARGS+=(-v "${CLAUDE_CONFIG_DIR}:${CONTAINER_HOME}/.claude")
+
+# Claude Code config file (lives next to ~/.claude/, not inside it)
+if [[ -f "${HOME}/.claude.json" ]]; then
+    DOCKER_RUN_ARGS+=(-v "${HOME}/.claude.json:${CONTAINER_HOME}/.claude.json")
+fi
+
+# Persist Bazel cache (avoids re-downloading hundreds of MB each run)
+BAZEL_CACHE_DIR="${BAZEL_CACHE_DIR:-${HOME}/.cache/bazel-claude}"
+mkdir -p "${BAZEL_CACHE_DIR}"
+DOCKER_RUN_ARGS+=(-v "${BAZEL_CACHE_DIR}:${CONTAINER_HOME}/.cache/bazel")
+
+# --- Run ---
+if [[ "${SHELL_MODE}" -eq 1 ]]; then
+    exec docker run \
+        "${DOCKER_RUN_ARGS[@]}" \
+        "${CLAUDE_IMAGE}" \
+        bash
+else
+    exec docker run \
+        "${DOCKER_RUN_ARGS[@]}" \
+        "${CLAUDE_IMAGE}" \
+        claude --dangerously-skip-permissions "${CLAUDE_ARGS[@]}"
+fi

docker/Dockerfile.claude

@@ -0,0 +1,61 @@
+# Docker image for running Claude Code with --dangerously-skip-permissions
+# inside a container that can build/test OpenROAD (CMake + Bazel) and run ORFS.
+#
+# Usage: see claude.sh at the repo root.
+
+ARG fromImage=openroad/flow-ubuntu22.04-dev:latest
+
+FROM ${fromImage}
+
+# --- Bazel support ---
+
+# Java 21 (required by Bazel 8.x)
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends openjdk-21-jre-headless \
+    && rm -rf /var/lib/apt/lists/*
+
+# Bazelisk (respects .bazelversion to download the correct Bazel release)
+RUN curl -Lo /usr/local/bin/bazelisk \
+        https://github.com/bazelbuild/bazelisk/releases/latest/download/bazelisk-linux-amd64 \
+    && chmod +x /usr/local/bin/bazelisk \
+    && ln -sf /usr/local/bin/bazelisk /usr/local/bin/bazel
+
+# --- Claude Code support ---
+
+# Node.js 22 LTS (Claude Code requires Node 18+)
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Claude Code CLI
+RUN npm install -g @anthropic-ai/claude-code
+
+# --- Convenience ---
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        sudo \
+        less \
+        jq \
+        ripgrep \
+    && rm -rf /var/lib/apt/lists/*
+
+# VS Code CLI (code-tunnel for remote editing).
+# Use the glibc build to match the Ubuntu base image. (The cli-alpine-x64
+# variant on code.visualstudio.com is statically linked and also works,
+# but the linux-x64 build from update.code.visualstudio.com is the
+# canonical match for glibc distros.)
+RUN curl -fsSL "https://update.code.visualstudio.com/latest/cli-linux-x64/stable" \
+        -o /tmp/vscode-cli.tar.gz \
+    && tar -xzf /tmp/vscode-cli.tar.gz -C /usr/local/bin \
+    && rm /tmp/vscode-cli.tar.gz
+
+# Trust all directories (safe inside container; the container IS the boundary)
+RUN git config --system safe.directory '*'
+
+# Entrypoint that maps host UID/GID then drops privileges
+COPY claude-entrypoint.sh /usr/local/bin/claude-entrypoint.sh
+RUN chmod +x /usr/local/bin/claude-entrypoint.sh
+
+WORKDIR /workspace
+ENTRYPOINT ["claude-entrypoint.sh"]

docker/claude-entrypoint.sh

@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# Entrypoint for the Claude Code container.
+# Creates a user matching the host UID/GID so that files created
+# inside the container have the correct ownership on the host volume.
+set -e
+
+if [ -n "${HOST_UID}" ] && [ -n "${HOST_GID}" ]; then
+    USER_NAME="claude-user"
+    USER_HOME="/home/${USER_NAME}"
+
+    # Create group (reuse existing if GID is taken)
+    if ! getent group "${HOST_GID}" > /dev/null 2>&1; then
+        groupadd --gid "${HOST_GID}" "${USER_NAME}"
+    fi
+    GROUP_NAME=$(getent group "${HOST_GID}" | cut -d: -f1)
+
+    # Create user (reuse existing if UID is taken)
+    if ! getent passwd "${HOST_UID}" > /dev/null 2>&1; then
+        mkdir -p "${USER_HOME}"
+        useradd \
+            --uid "${HOST_UID}" \
+            --gid "${HOST_GID}" \
+            --groups sudo \
+            --no-create-home \
+            --home-dir "${USER_HOME}" \
+            --shell /bin/bash \
+            "${USER_NAME}"
+    else
+        USER_NAME=$(getent passwd "${HOST_UID}" | cut -d: -f1)
+        USER_HOME=$(getent passwd "${HOST_UID}" | cut -d: -f6)
+    fi
+
+    # Passwordless sudo
+    echo "${USER_NAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/claude-user
+    chmod 0440 /etc/sudoers.d/claude-user
+
+    export HOME="${USER_HOME}"
+    chown "${HOST_UID}:${HOST_GID}" "${USER_HOME}"
+    touch "${USER_HOME}/.hushlogin"
+
+    # Set up ORFS environment (PATH to tools, FLOW_HOME, etc.)
+    # Sourced here; inherited through setpriv into all child processes.
+    if [ -f /workspace/env.sh ]; then
+        set +e
+        . /workspace/env.sh > /dev/null
+        set -e
+    fi
+
+    exec setpriv \
+        --reuid "${HOST_UID}" \
+        --regid "${HOST_GID}" \
+        --init-groups \
+        -- "$@"
+else
+    # No UID/GID mapping requested; run as root
+    if [ -f /workspace/env.sh ]; then
+        set +e
+        . /workspace/env.sh > /dev/null
+        set -e
+    fi
+    exec "$@"
+fi

docs/toc.yml

@@ -11,6 +11,8 @@ entries:
     entries:
     - file: user/DockerShell.md
       title: Docker Shell utility
+    - file: user/ClaudeCode.md
+      title: Claude Code in Docker
   - file: user/BuildLocally.md
     title: Build Locally
   - file: user/BuildWithWSL.md