Commit e2743d9

eudelins-zama, enitrat and chilcano authored and committed
ci(common): sandbox Claude Code behind Squid proxy + iptables (#2083)
* ci(common): sandbox Claude Code behind Squid proxy + iptables

Run the claude-code-action inside a network sandbox to prevent data exfiltration to unauthorized hosts. Two layers of defense:

- Squid proxy: L7 domain allowlist (.anthropic.com, .github.com, etc.)
- iptables: blocks direct outbound TCP from the runner UID

All dependencies (Bun, action node_modules, Claude Code CLI, OIDC token exchange) are pre-installed before lockdown because the action's internal installers use fetch() which ignores HTTP_PROXY.

Also switches from --allowedTools to --dangerously-skip-permissions since the network sandbox handles security at the infrastructure level.

update claude file with proper container setup

fix: shellchecks

fix zizmor warning

ci(claude): rewrite workflow from template, address PR #1995 security review

- Drop action wrapper, run claude CLI directly (avoids MCP stdin blocking)
- Remove dead pull_request trigger
- Separate GH_TOKEN from system prompt construction step
- Tighten iptables: resolve Squid IP dynamically, block UDP/ICMP
- Restrict squid allowlist to 3 domains (api.anthropic.com, platform.claude.com, github.com)
- Cache Squid Docker image, add iptables save/restore cleanup
- Add tracking comment for run visibility
- Fix token revocation to use HTTPS_PROXY

fix: replace A && B || C with proper if-then-else (SC2015)

fix: capture error details instead of silent suppression

OIDC exchange and token revocation now log the server response on failure instead of swallowing it with -sf/--silent/2>/dev/null.

fix: shellcheck SC2001 and SC2015 in claude workflow

Replace sed prompt extraction with parameter expansion (SC2001).

chore: harden security practices

chore: update claude action from security

* chore: rename claude.yml to claude-review.yml

* chore: enforces changes in sandboxed claude-* workflow

* ci(common): fix zizmor issues

---------

Co-authored-by: enitrat <msaug@protonmail.com>
Co-authored-by: Roger Carhuatocto <chilcano@intix.info>
1 parent b80867c commit e2743d9

4 files changed: +608 -164 lines changed


.github/CODEOWNERS

Lines changed: 4 additions & 0 deletions
@@ -18,3 +18,7 @@ test-suite/gateway-stress/Dockerfile @zama-ai/fhevm-devs
1818

1919
# Coprocessor Team ownership
2020
/coprocessor/ @zama-ai/fhevm-coprocessor
21+
22+
# Enforces changes in Sandboxed AI CI/CD
23+
.github/squid/sandbox-*.conf @zama-ai/infosec
24+
.github/workflows/claude-*.yml @zama-ai/infosec
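Review bot: these two owner lines only gate merges if branch protection requires code-owner review on the target branch, and CODEOWNERS resolves by the last matching pattern, so they must stay below any broader `.github/` or catch-all entry added later; a note to that effect next to `# Enforces changes in Sandboxed AI CI/CD` would keep a future reorder from silently handing the sandbox files back to another team. The `claude-*.yml` glob also misses the `.yaml` spelling GitHub accepts for workflow files, so consider a matching `.github/workflows/claude-*.yaml @zama-ai/infosec` line.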
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
# Strict domain allowlist for CI sandbox
2+
# Only these domains are reachable through the Squid proxy.
3+
# Based on: https://github.com/zama-ai/security-hub/tree/main/docs/how-tos/sandboxed-claude-code
4+
#
5+
# To add a new domain: append ".example.com" to the acl below.
6+
# Leading dot means "this domain and all subdomains".
7+
8+
acl allowed_domains dstdomain \
9+
.api.anthropic.com \
10+
.platform.claude.com \
11+
.github.com
12+
13+
# Allow only explicitly allowed domains
14+
http_access deny !allowed_domains
15+
http_access allow allowed_domains
16+
17+
# Deny everything else
18+
http_access deny all
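Review bot: the allowlist constrains the destination domain but not the method or port, so `http_access allow allowed_domains` admits CONNECT to any port and plaintext HTTP on the three domains; define `acl SSL_ports port 443` and `acl CONNECT method CONNECT`, then place `http_access deny CONNECT !SSL_ports` (and, if nothing here needs plaintext, a deny of non-CONNECT traffic) before the allow line. Add `-n` to the `dstdomain` ACL as well: without it Squid reverse-resolves an IP-literal destination to a hostname before matching, so the decision rests on PTR records outside the runner's control. The final `http_access deny all` is unreachable after the `deny !allowed_domains` / `allow allowed_domains` pair; dropping the negated deny leaves the conventional allow-then-deny-all form with the same effect and a comment that matches the behaviour.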
