claude code expects to be running on the host machine, its insecure by design.

you can containerize it, which I do, but then you are going to need to spend some time updating claude.md and constantly fighting the agent because it fails to understand that it is running in a container / vm.

its a stupid design, and the people running these things directly on their hosts are nuts.