v0.1 — clawdforge service scaffold

LAN-only HTTP service that runs claude -p subprocess on behalf of Sulkta apps.
Bearer token + IP allowlist gated. SQLite-backed token registry + run audit log.

- POST /run               run a prompt, return parsed result
- POST /files             upload a file, get a file_token to attach to /run
- POST /admin/tokens      mint per-app tokens (admin-bootstrap-token gated)
- GET  /admin/tokens      list, DELETE /admin/tokens/<name>  revoke
- GET  /healthz           liveness + claude --version smoke

Container = node:22 + npm-installed @anthropic-ai/claude-code + uvicorn/FastAPI
wrapper. Persistent volumes for /data (sqlite + run staging) and /root/.claude
(subscription auth — survives container rebuilds; auth via 'docker exec -it
clawdforge claude /login' once). Compose binds 192.168.0.5:8800 only — no
public proxy.

First consumer = cauldron (about to land).

compose.yml

@@ -0,0 +1,24 @@
+services:
+  clawdforge:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    image: clawdforge:local
+    container_name: clawdforge
+    restart: unless-stopped
+    env_file:
+      - /mnt/cache/appdata/secrets/clawdforge.env
+    volumes:
+      - /mnt/user/appdata/clawdforge/data:/data
+      - /mnt/user/appdata/clawdforge/claude-config:/root/.claude
+      - /mnt/user/appdata/clawdforge/claude-alt-config:/root/.config/claude
+    ports:
+      # LAN-only bind. 8800 picked to live near other forge-y services; bump if collides.
+      - "192.168.0.5:8800:8800"
+      - "127.0.0.1:8800:8800"
+    networks:
+      - sulkta
+
+networks:
+  sulkta:
+    external: true