I've been running Claude Code in a Docker compose environment with two containers - one without Claude that has all the credentials setup and a Claude container which transparently executes commands via ssh. The auth container then has wrappers which explicitly allow certain subcommands (eg. `gh api` isn't allowed). The `gh` command in the Claude container is just a wrapper script which bassically `ssh auth-container gh-wrapper`.

Lots of manual, opinionated stuff in here, but it prevents Claude from even accessing the credentials and limits what it can do with them.