diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
index fda867b..0c6ff08 100644
--- a/bin/entrypoint.sh
+++ b/bin/entrypoint.sh
@@ -18,6 +18,22 @@ set -euo pipefail
 : "${GIT_USER_NAME:=${AGENT^} CoWork}"
 : "${GIT_USER_EMAIL:=${AGENT}@prodromou.com}"
 
+# Workspace defense — if the PVC's contents have stale ownership
+# (e.g. pre-fsGroup pod created files as root), the agent user can't
+# clone or write here. We can't chown across uids without root, but we
+# can ensure ~/workspace exists, is owned by us, and is writable. Any
+# stale subdirs will still error if the agent tries to write under them
+# — the manifest carries fsGroupChangePolicy=Always to recursively
+# repair on next mount; this block is defense-in-depth.
+mkdir -p "${HOME}/workspace" 2>/dev/null || true
+if [ -w "${HOME}/workspace" ]; then
+    chmod u+rwX "${HOME}/workspace" || true
+else
+    echo "WARNING: ${HOME}/workspace is not writable. Falling back to /tmp/workspace." >&2
+    mkdir -p /tmp/workspace
+    cd /tmp/workspace
+fi
+
 # git identity + gh credential helper — set up early so the
 # agent-config clone below can use it for private-repo HTTPS auth.
 git config --global user.name  "${GIT_USER_NAME}"
diff --git a/profile/.bashrc b/profile/.bashrc
index 40228a2..9706dc8 100644
--- a/profile/.bashrc
+++ b/profile/.bashrc
@@ -1,4 +1,5 @@
-# codex-cli pod bash profile.
+# Multi-agent shell pod bash profile. Branding driven by $AGENT
+# (set in the Dockerfile: codex|claude).
 
 # Standard bashrc bits.
 [ -z "$PS1" ] && return
@@ -21,19 +22,24 @@ alias gd='git diff'
 alias gco='git checkout'
 alias k='kubectl'
 
-# Prompt: green hostname (codex-cli pod), cwd, git branch.
+# Default $AGENT to "agent" if not set (e.g. local docker run without
+# the build-time ENV propagating).
+: "${AGENT:=agent}"
+
+# Prompt: green agent@host, cwd, git branch.
 parse_git_branch() {
     git branch 2>/dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
 }
-PS1='\[\033[0;32m\]codex@\h\[\033[0m\]:\[\033[0;34m\]\w\[\033[0;35m\]$(parse_git_branch)\[\033[0m\]\$ '
+PS1='\[\033[0;32m\]'"${AGENT}"'@\h\[\033[0m\]:\[\033[0;34m\]\w\[\033[0;35m\]$(parse_git_branch)\[\033[0m\]\$ '
 
-# Show identity banner on login.
-if [ -f "${HOME}/.codex-identity" ]; then
-    echo "──── codex-cli ────"
-    cat "${HOME}/.codex-identity"
+# Show identity banner on login. The entrypoint writes ~/.${AGENT}-identity.
+IDENTITY_FILE="${HOME}/.${AGENT}-identity"
+if [ -f "${IDENTITY_FILE}" ]; then
+    echo "──── ${AGENT}-cli ────"
+    cat "${IDENTITY_FILE}"
     echo "───────────────────"
-    echo "  tmux            → start a persistent session (survives tab close)"
-    echo "  codex --help    → codex-cli help"
-    echo "  gh auth status  → confirm github identity"
+    echo "  tmux              → start a persistent session (survives tab close)"
+    echo "  ${AGENT} --help   → ${AGENT}-cli help"
+    echo "  gh auth status    → confirm github identity"
     echo
 fi