Paperclip agents lose MCP tools + auth simultaneously after container restart or token expiry
Diagnosis
Three independent root causes:
(1) MCP path mismatch: .claude.json registers servers under host paths (/root/aj-workspace), but agents run at container paths (/workspaces/aj-workspace), and Claude Code matches cwd against project keys.
(2) Bind mount permissions: the entrypoint copies root:600 files, but the container runs as the node user, so cp fails silently.
(3) OAuth token expiry: .credentials.json access tokens expire in ~8-12h, and refresh tokens are broken in headless mode (Anthropic bugs #21765, #28827).
Fix
Three fixes applied:
(1) Add container-path project entries (/workspaces/aj-workspace, /workspaces/aj-ea) to ~/.claude.json, mirroring the host entries. The cascade rule now covers 4 project entries.
(2) chmod 644 on ~/.claude.json and ~/.claude/.credentials.json so they are readable through the bind mount.
(3) Use claude setup-token to generate a 1-year CLAUDE_CODE_OAUTH_TOKEN, set as an env var in docker-compose.yml + .env; it overrides .credentials.json entirely. Removed the stale .credentials.json (auth is env-var only now).
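Fix (1) as an added example, not part of the original note: an idempotent pass that copies each host-path project entry to its container path. The "projects"/"mcpServers" layout, the /root/aj-ea host path, the "tracker" server and the function names are assumptions made for illustration.

```python
import copy
import json

# Constructed sample of ~/.claude.json. The layout, the second host path and
# the "tracker" server definition are assumptions, not taken from the note.
SAMPLE = json.loads("""
{
  "projects": {
    "/root/aj-workspace": {"mcpServers": {"tracker": {"command": "node", "args": ["server.js"]}}},
    "/root/aj-ea": {"mcpServers": {}}
  }
}
""")

# Host prefix -> container prefix, per the path mismatch in the diagnosis.
PREFIX_MAP = {"/root": "/workspaces"}


def container_path(host_path, prefix_map):
    """Translate a host project path to its in-container path, or None."""
    for host_prefix, ctr_prefix in prefix_map.items():
        # Match whole path components only, so "/rootfs" is not treated as "/root".
        if host_path == host_prefix or host_path.startswith(host_prefix + "/"):
            return ctr_prefix + host_path[len(host_prefix):]
    return None


def mirror_projects(config, prefix_map):
    """Add a container-path copy of each host project entry; return the keys added."""
    projects = config.setdefault("projects", {})
    added = []
    for host_path in list(projects):
        target = container_path(host_path, prefix_map)
        if target is None or target in projects:
            continue  # outside the mapped prefix, or already registered
        # Deep copy so later edits to one entry do not leak into its mirror.
        projects[target] = copy.deepcopy(projects[host_path])
        added.append(target)
    return sorted(added)


if __name__ == "__main__":
    cfg = copy.deepcopy(SAMPLE)
    print("added:", mirror_projects(cfg, PREFIX_MAP))
    print("project entries:", len(cfg["projects"]))
```

Existing container-path entries are left untouched, so the pass can run on every container start without overwriting settings changed inside the container.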