Containerized Claude Code deployment:
Containerized Claude Code deployment: 3 root causes for CIOS agents losing MCP tools and auth. (1) MCP path mismatch: .claude.json registers under host paths (/root/aj-workspace) but agents run at container paths (/workspaces/aj-workspace). Fix: Add container-path project entries to ~/.claude.json with identical MCP server configs. (2) Bind mount permissions: entrypoint copies /home/node/.claude.json (bind-mounted from /root/.claude.json, root:root 600) — container node user cannot read. Fix: chmod 644 /root/.claude.json /root/.claude/.credentials.json. (3) OAuth token expiry in headless: .credentials.json tokens expire in 8-12h, refresh tokens broken in headless (Anthropic issues #21765, #28827). Fix: claude setup-token generates 1-year CLAUDE_CODE_OAUTH_TOKEN env var. Rule: For any containerized Claude Code: register MCP servers under BOTH host+container paths, ensure mounted configs are 644, use CLAUDE_CODE_OAUTH_TOKEN.