From 7b2c21f1535d26a5121be0c149453fec7cb0dea3 Mon Sep 17 00:00:00 2001
From: nprodromou <73134621+nprodromou@users.noreply.github.com>
Date: Wed, 6 May 2026 23:55:10 -0700
Subject: [PATCH] profile + entrypoint: agent-aware branding + workspace writability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

profile/.bashrc: - Drove the prompt, banner header, and help hint off ${AGENT} instead of hardcoding "codex@". Claude pod no longer shows codex branding. - Identity banner reads ~/.${AGENT}-identity (matches what entrypoint writes). bin/entrypoint.sh: - Defensive workspace bootstrap: mkdir -p ~/workspace, chmod u+rwX if we own it. If not writable (stale PVC ownership from a prior root- owned pod), warn and fall back to /tmp/workspace so the agent can still operate. Real fix is fsGroupChangePolicy=Always on the HelmRelease securityContext (separate apk8s PR) — this block is defense-in-depth. Picks up claude's review of WOVED-41 (P3): the pod was running the new image but inheriting codex branding from the static profile.
---
 bin/entrypoint.sh | 16 ++++++++++++++++
 profile/.bashrc | 26 ++++++++++++++++----------
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/bin/entrypoint.sh b/bin/entrypoint.sh
index fda867b..0c6ff08 100644
--- a/bin/entrypoint.sh
+++ b/bin/entrypoint.sh
@@ -18,6 +18,22 @@ set -euo pipefail
 : "${GIT_USER_NAME:=${AGENT^} CoWork}"
 : "${GIT_USER_EMAIL:=${AGENT}@prodromou.com}"
+# Workspace defense — if the PVC's contents have stale ownership
+# (e.g. pre-fsGroup pod created files as root), the agent user can't
+# clone or write here. We can't chown across uids without root, but we
+# can ensure ~/workspace exists, is owned by us, and is writable. Any
+# stale subdirs will still error if the agent tries to write under them
+# — the manifest carries fsGroupChangePolicy=Always to recursively
+# repair on next mount; this block is defense-in-depth.
+mkdir -p "${HOME}/workspace" 2>/dev/null || true
+if [ -w "${HOME}/workspace" ]; then
+ chmod u+rwX "${HOME}/workspace" || true
+else
+ echo "WARNING: ${HOME}/workspace is not writable. Falling back to /tmp/workspace." >&2
+ mkdir -p /tmp/workspace
+ cd /tmp/workspace
+fi
+
 # git identity + gh credential helper — set up early so the
 # agent-config clone below can use it for private-repo HTTPS auth.
 git config --global user.name "${GIT_USER_NAME}"
diff --git a/profile/.bashrc b/profile/.bashrc
index 40228a2..9706dc8 100644
--- a/profile/.bashrc
+++ b/profile/.bashrc
@@ -1,4 +1,5 @@
-# codex-cli pod bash profile.
+# Multi-agent shell pod bash profile. Branding driven by $AGENT
+# (set in the Dockerfile: codex|claude).
 # Standard bashrc bits.
 [ -z "$PS1" ] && return
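Review bot: In bin/entrypoint.sh the fallback branch only runs `cd /tmp/workspace` and records the new location nowhere, so any later step that still names `${HOME}/workspace` will keep hitting the unwritable path (the rest of the script is outside this hunk, so that part is unverified). `/tmp/workspace` is also a fixed name under a world-writable directory, so an existing directory or symlink there controlled by another uid would be adopted silently. `WORKSPACE="$(mktemp -d /tmp/workspace.XXXXXX)"` followed by `export WORKSPACE; cd "${WORKSPACE}"` addresses both. The warning should also say that the fallback is presumably not on the PVC, so work placed there does not survive a pod restart. Separately, the comment promises the directory "is owned by us" while the test is `-w`; `[ -O "${HOME}/workspace" ]` would match the comment and make the `chmod ... || true` unnecessary to silence.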
@@ -21,19 +22,24 @@ alias gd='git diff'
 alias gco='git checkout'
 alias k='kubectl'
-# Prompt: green hostname (codex-cli pod), cwd, git branch.
+# Default $AGENT to "agent" if not set (e.g. local docker run without
+# the build-time ENV propagating).
+: "${AGENT:=agent}"
+
+# Prompt: green agent@host, cwd, git branch.
 parse_git_branch() {
 git branch 2>/dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
 }
-PS1='\[\033[0;32m\]codex@\h\[\033[0m\]:\[\033[0;34m\]\w\[\033[0;35m\]$(parse_git_branch)\[\033[0m\]\$ '
+PS1='\[\033[0;32m\]'"${AGENT}"'@\h\[\033[0m\]:\[\033[0;34m\]\w\[\033[0;35m\]$(parse_git_branch)\[\033[0m\]\$ '
-# Show identity banner on login.
-if [ -f "${HOME}/.codex-identity" ]; then
- echo "──── codex-cli ────"
- cat "${HOME}/.codex-identity"
+# Show identity banner on login. The entrypoint writes ~/.${AGENT}-identity.
+IDENTITY_FILE="${HOME}/.${AGENT}-identity"
+if [ -f "${IDENTITY_FILE}" ]; then
+ echo "──── ${AGENT}-cli ────"
+ cat "${IDENTITY_FILE}"
 echo "───────────────────"
- echo " tmux → start a persistent session (survives tab close)"
- echo " codex --help → codex-cli help"
- echo " gh auth status → confirm github identity"
+ echo " tmux → start a persistent session (survives tab close)"
+ echo " ${AGENT} --help → ${AGENT}-cli help"
+ echo " gh auth status → confirm github identity"
 echo
 fi
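Review bot: In the second profile/.bashrc hunk, `${AGENT}` is spliced into `PS1` and into the `IDENTITY_FILE` path without validation. Bash re-expands `PS1` at every prompt, so a value containing `$(...)` or backticks would be evaluated there, and a value containing `/` would point the `cat` at a different file. The file's header comment names codex|claude as the expected values, so right after the `: "${AGENT:=agent}"` default I would add `case "${AGENT}" in codex|claude|agent) ;; *) AGENT=agent ;; esac`. With the `agent` default the help hint also prints `agent --help`, which likely names no installed command, so that line could be skipped when the default is in effect. `IDENTITY_FILE` stays defined in every interactive shell; an `unset IDENTITY_FILE` after the `fi` would keep the helper variable out of the user's environment.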