hermes-agent/docker
Ben 9914bfc594
docker: drop sh -c wrappers from stage2-hook.sh
PR #30136 review caught: three `s6-setuidgid hermes sh -c "..."`
invocations in stage2-hook.sh interpolated $HERMES_HOME into a
nested shell context. Practically low-risk (a malicious HERMES_HOME
already requires container-launch privileges) but the cleaner
pattern is to invoke commands directly so the shell isn't a second
interpreter.

* `mkdir -p` of the data subdirs now runs directly via s6-setuidgid,
  one path per arg.
* The .install_method stamp is written via `printf | tee` — also no
  shell wrapper.
* The skills_sync invocation uses the venv's python by absolute path
  instead of sourcing activate inside a shell. skills_sync.py doesn't
  need anything from activate beyond sys.path, which the bin-stub
  python already provides.

No behavior change. Just a smaller attack surface and a script
that's easier to read.
2026-05-24 18:05:33 -07:00
cont-init.d fix(docker): dashboard slot stays 'down' when HERMES_DASHBOARD unset 2026-05-24 18:05:33 -07:00
s6-rc.d feat(docker)!: replace tini with s6-overlay as PID 1 2026-05-24 18:05:33 -07:00
entrypoint.sh feat(docker)!: replace tini with s6-overlay as PID 1 2026-05-24 18:05:33 -07:00
main-wrapper.sh feat(docker): remove gosu from bundled image; s6-setuidgid handles privilege drop 2026-05-24 18:05:33 -07:00
SOUL.md feat(docker): add Docker container for the agent (salvage #1841) (#3668) 2026-03-28 22:21:48 -07:00
stage2-hook.sh docker: drop sh -c wrappers from stage2-hook.sh 2026-05-24 18:05:33 -07:00