From 43c2e16fc0fd5e219675c60589140d8445765331 Mon Sep 17 00:00:00 2001
From: Omar Ramadan <omar@blockcast.net>
Date: Wed, 29 Apr 2026 20:22:17 +0000
Subject: [PATCH] fix(job-manifest): mount shared PVC into write-prompt init
 container
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The write-prompt init container runs
`mkdir -p /paperclip/instances/default/run-logs/<companyId>/<agentId>` to
seed the run-logs directory before the main `claude` container starts.
The init container's volumeMounts only included `prompt` (and
`prompt-secret` on the large-prompt path) — the shared `data` PVC
mounted at /paperclip in the main container was missing. So the mkdir tries
to create /paperclip in the busybox overlay rootfs, where uid 1000 cannot
write at /, and the Job fails with:

  mkdir: can't create directory '/paperclip/': Permission denied

before the main container ever runs.

Add { name: 'data', mountPath: '/paperclip' } to both branches' volumeMounts
so the init container writes to the same shared PVC the main container
mounts.

Reproduced + verified against a kubeadm 1.35 cluster on cephfs RWX.
---
 src/server/job-manifest.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/server/job-manifest.ts b/src/server/job-manifest.ts
index 1970edf..7732b7b 100644
--- a/src/server/job-manifest.ts
+++ b/src/server/job-manifest.ts
@@ -508,6 +508,7 @@ export function buildJobManifest(input: JobBuildInput): JobBuildResult {
         volumeMounts: [
           { name: "prompt", mountPath: "/tmp/prompt" },
           { name: "prompt-secret", mountPath: "/tmp/prompt-secret", readOnly: true },
+          { name: "data", mountPath: "/paperclip" },
         ],
         securityContext,
         resources: {
@@ -521,7 +522,10 @@ export function buildJobManifest(input: JobBuildInput): JobBuildResult {
         imagePullPolicy: "IfNotPresent",
         command: ["sh", "-c", `mkdir -p /paperclip/instances/default/run-logs/${agent.companyId}/${agent.id} && printf '%s' "$PROMPT_CONTENT" > /tmp/prompt/prompt.txt`],
         env: [{ name: "PROMPT_CONTENT", value: prompt }],
-        volumeMounts: [{ name: "prompt", mountPath: "/tmp/prompt" }],
+        volumeMounts: [
+          { name: "prompt", mountPath: "/tmp/prompt" },
+          { name: "data", mountPath: "/paperclip" },
+        ],
         securityContext,
         resources: {
           requests: { cpu: "10m", memory: "16Mi" },
-- 
2.52.0