Ben Barclay bdceedf784 fix(docker): chown hermes-owned top-level state files on boot (#35098) (#36236) ... The targeted data-volume chown in stage2-hook.sh only covers hermes-owned *subdirectories*; loose state files living directly under $HERMES_HOME (auth.json, state.db, gateway.lock, gateway_state.json, …) are missed. When created or rewritten by `docker exec <container> hermes …` (root unless `-u` is passed) they land root-owned, and the unprivileged hermes runtime then hits PermissionError on next startup, producing a gateway restart loop. Fix: reset ownership of an explicit allowlist of hermes-owned top-level files on every boot. The list mirrors the top-level file entries of hermes_cli.profile_distribution.USER_OWNED_EXCLUDE plus the runtime lock files. This uses a targeted allowlist rather than the originally-proposed blanket `find $HERMES_HOME -maxdepth 1 -user root` sweep, preserving the targeted-ownership contract from #19788 / PR #19795: a bind-mounted $HERMES_HOME may contain host-owned files Hermes does not manage, and those must never be chowned. Verified end-to-end: allowlisted root-owned files are reset to hermes on restart while a non-allowlisted host file keeps its root ownership. Co-authored-by: x1am1 <2663402852@qq.com>		2026-06-01 14:38:08 +10:00
..
cont-init.d	Remove prviliges drop when you never ran as root (#34837)	2026-06-01 13:54:18 +10:00
s6-rc.d	Remove prviliges drop when you never ran as root (#34837)	2026-06-01 13:54:18 +10:00
entrypoint.sh	docs(docker): deprecation warning in entrypoint.sh shim	2026-05-24 18:05:33 -07:00
hermes-exec-shim.sh	fix(docker): drop docker exec to hermes uid before invoking the CLI	2026-05-28 13:30:36 +10:00
main-wrapper.sh	Remove prviliges drop when you never ran as root (#34837)	2026-06-01 13:54:18 +10:00
SOUL.md	feat(docker): add Docker container for the agent (salvage #1841) (#3668)	2026-03-28 22:21:48 -07:00
stage2-hook.sh	fix(docker): chown hermes-owned top-level state files on boot (#35098) (#36236)	2026-06-01 14:38:08 +10:00