cloudrun-claude-code

The server demonstrates a strong focus on security, especially regarding sensitive data. Credentials (Anthropic API keys, OAuth tokens, SSH private keys, environment variables) are passed in the request payload and handled securely. They are encrypted using Google Cloud KMS before being temporarily stored in Google Cloud Storage, then decrypted in isolated Cloud Run Job workers. A local proxy prevents the Claude CLI from directly accessing real credentials. Webhook callbacks are HMAC-SHA256-signed for authenticity, using a secret retrieved from Secret Manager. Ephemeral workspaces, user isolation within Docker, and explicit environment variable control further enhance security boundaries. The use of `StrictHostKeyChecking=no` in the GitService is noted, but within the context of ephemeral, single-use workspaces, it mitigates typical man-in-the-middle concerns by preventing interactive prompts.