teknium1 172a38c344 fix: Docker persistent bind mounts fail with Permission denied ... cap-drop ALL removes DAC_OVERRIDE, which root needs to write to bind-mounted directories owned by the host user (uid 1000). This broke persistent Docker sandboxes — the container couldn't write to /workspace or /root. Add back the minimum capabilities needed: - DAC_OVERRIDE: root can write to bind-mounted dirs owned by host user - CHOWN: package managers (pip, npm, apt) need to set file ownership - FOWNER: needed for operations on files owned by other users Still drops all other capabilities (NET_RAW, SYS_ADMIN, etc.) and keeps no-new-privileges. Security boundary is the container itself. Verified end-to-end: create files → destroy container → new container with same task_id → files persist on host and are accessible in the new container.		2026-03-09 17:52:33 -07:00
..
__init__.py	feat(environments): add Daytona cloud sandbox backend	2026-03-05 10:02:21 -08:00
base.py	feat: enhance README and improve environment configuration	2026-02-23 21:15:35 -08:00
daytona.py	fix(daytona): use shell timeout wrapper instead of broken SDK exec timeout	2026-03-05 13:12:41 -08:00
docker.py	fix: Docker persistent bind mounts fail with Permission denied	2026-03-09 17:52:33 -07:00
local.py	refactor: rename and enhance shell detection in local environment	2026-03-08 03:00:05 -07:00
modal.py	feat: enhance README and improve environment configuration	2026-02-23 21:15:35 -08:00
singularity.py	feat: enhance README and improve environment configuration	2026-02-23 21:15:35 -08:00
ssh.py	feat: enhance README and improve environment configuration	2026-02-23 21:15:35 -08:00