fix(job-builder): run worker pod as pentest user (UID 1001) to satisfy Claude Code

Claude Code refuses --allow-dangerously-skip-permissions when running as root,
causing immediate exit with code 1. The worker image defines a "pentest" user
(UID/GID 1001), but K8s job specs override the entrypoint.sh that normally
switches to it. Adding a pod-level securityContext with runAsUser=1001 and
fsGroup=1001 fixes both the root-privilege rejection and PVC write access.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Test User
2026-04-21 21:15:17 +00:00
parent 9d849e8851
commit 0f75d75eeb
+8
@@ -119,6 +119,14 @@ export function buildJobSpec(params: JobParams): k8s.V1Job {
serviceAccountName: 'default',
securityContext: {
seccompProfile: { type: 'Unconfined' },
// Claude Code refuses --allow-dangerously-skip-permissions as root.
// The worker image creates a "pentest" user (UID/GID 1001) but K8s job specs
// bypass the entrypoint.sh that normally switches to it. Run as 1001 explicitly.
// fsGroup gives the pentest group write access to PVC volume mounts.
runAsUser: 1001,
runAsGroup: 1001,
runAsNonRoot: true,
fsGroup: 1001,
},
...(initContainers.length > 0 && { initContainers }),
containers: [
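Review bot: The added `runAsUser: 1001` / `runAsNonRoot: true` only fix the UID the worker starts with; nothing visible in this hunk prevents it from regaining privilege, and the pod keeps `seccompProfile: { type: 'Unconfined' }` while the worker runs with its permission prompts skipped. Each entry in `containers` (the array opens on the hunk's last line and continues outside it, as does `buildJobSpec`) should carry `securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } }`, adding back only a capability the tooling demonstrably needs. Because these settings are pod-level they also apply to `initContainers`, so any init step that expects root will now run as 1001 and may fail; that is worth confirming. Setting `fsGroupChangePolicy: 'OnRootMismatch'` next to `fsGroup` would avoid a recursive ownership change of the PVC on every job start.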