summaryrefslogtreecommitdiff
path: root/internal/executor/container_test.go
diff options
context:
space:
mode:
authorClaude <noreply@anthropic.com>2026-05-26 09:28:57 +0000
committerClaude <noreply@anthropic.com>2026-05-26 09:28:57 +0000
commit561915c5182c3fb39cd6a8b6613c489b35b7c1bf (patch)
tree10e7ba6e33784332ef15d5d359897e56ba51fde2 /internal/executor/container_test.go
parentfb7f8a4c07a8bf6539566aacbc8a92310c555992 (diff)
fix(executor): set IS_SANDBOX=1 so claude honors bypassPermissions under root
The spike found that `claude --permission-mode bypassPermissions` (emitted by buildInnerCmd) is rejected when the process runs as root, and buildDockerArgs maps the container --user to the host uid — which is 0 when claudomator runs as root, breaking all claude tool execution in production. The container is an isolated sandbox, exactly the case the claude CLI gates behind IS_SANDBOX=1; setting it in the container env makes bypassPermissions work regardless of the host uid. Verified empirically against claude 2.1.150 (rejected as root without it; succeeds with it). Harmless for gemini containers. https://claude.ai/code/session_01SESwn7kQ7oP62trWw6pc39
Diffstat (limited to 'internal/executor/container_test.go')
-rw-r--r--internal/executor/container_test.go1
1 files changed, 1 insertions, 0 deletions
diff --git a/internal/executor/container_test.go b/internal/executor/container_test.go
index 521e1cb..5c3fd2e 100644
--- a/internal/executor/container_test.go
+++ b/internal/executor/container_test.go
@@ -37,6 +37,7 @@ func TestContainerRunner_BuildDockerArgs(t *testing.T) {
"-w", "/workspace",
"--env-file", "/tmp/ws/.claudomator-env",
"-e", "HOME=/home/agent",
+ "-e", "IS_SANDBOX=1",
"-e", "CLAUDOMATOR_API_URL=http://host.docker.internal:8484",
"-e", "CLAUDOMATOR_TASK_ID=task-123",
"-e", "CLAUDOMATOR_DROP_DIR=/data/drops",