From 0f75d75eeb4018aaeb2c20a3bba6d10e06750ff9 Mon Sep 17 00:00:00 2001
From: Test User
Date: Tue, 21 Apr 2026 21:15:17 +0000
Subject: [PATCH] fix(job-builder): run worker pod as pentest user (UID 1001) to satisfy Claude Code

Claude Code refuses --allow-dangerously-skip-permissions when running as root, causing immediate exit with code 1. The worker image defines a "pentest" user (UID/GID 1001), but K8s job specs override the entrypoint.sh that normally switches to it. Adding a pod-level securityContext with runAsUser=1001 and fsGroup=1001 fixes both the root-privilege rejection and PVC write access.

Co-Authored-By: Paperclip
---
 apps/api/src/services/job-builder.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/api/src/services/job-builder.ts b/apps/api/src/services/job-builder.ts
index 53b2bdc..58e165c 100644
--- a/apps/api/src/services/job-builder.ts
+++ b/apps/api/src/services/job-builder.ts
@@ -119,6 +119,14 @@ export function buildJobSpec(params: JobParams): k8s.V1Job {
 serviceAccountName: 'default',
 securityContext: {
 seccompProfile: { type: 'Unconfined' },
+ // Claude Code refuses --allow-dangerously-skip-permissions as root.
+ // The worker image creates a "pentest" user (UID/GID 1001) but K8s job specs
+ // bypass the entrypoint.sh that normally switches to it. Run as 1001 explicitly.
+ // fsGroup gives the pentest group write access to PVC volume mounts.
+ runAsUser: 1001,
+ runAsGroup: 1001,
+ runAsNonRoot: true,
+ fsGroup: 1001,
 },
 ...(initContainers.length > 0 && { initContainers }),
 containers: [
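Review bot: The pod-level `runAsUser`/`runAsNonRoot` added under `securityContext` only fixes the starting UID; nothing visible in this hunk stops the worker from regaining privileges, and the unchanged `seccompProfile: { type: 'Unconfined' }` line just above leaves the syscall surface unfiltered. Since the worker runs an agent with permission prompts disabled, consider a container-level `securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } }` on the worker container if the image's tooling tolerates it. The `containers` array only begins at the end of the hunk and `buildJobSpec` continues beyond it, so this may already be set there. The pod-level settings also apply to the `initContainers` spread in just below, so any init step that expects root would now fail under `runAsNonRoot: true` unless it overrides the context; this is worth confirming. The literal `1001` appears three times and must match the image's user, so a named constant such as `const WORKER_UID = 1001;` would keep the values in sync.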