From dbe553b6aa4c6ec736ccb036c2332b81a55e2758 Mon Sep 17 00:00:00 2001
From: Brian McMahon
Date: Sat, 11 Apr 2026 14:21:55 -0700
Subject: [PATCH] Run SF git pull as ec2-user to avoid dubious ownership error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR #20 added `git pull --ff-only origin main` to every SSM command in the Saturday Step Function. When executed, every command failed with: fatal: detected dubious ownership in repository at '/home/ec2-user/alpha-engine-data' failed to run commands: exit status 128 Cause: SSM RunShellScript runs as root on Amazon Linux, but the four repo checkouts are owned by ec2-user. Git's >=2.35.2 safe.directory check refuses to operate on repos owned by a different user unless explicitly allowed. Fix: run the git pull as ec2-user via `sudo -u ec2-user git -C /path pull --ff-only origin main`. `git -C ` avoids the pwd-across-sudo subshell issue. The rest of each command (cd, source, Python/bash) continues to run as root as before — no behavior change for non-git steps. All six SSM commands updated consistently: - DataPhase1, RAGIngestion, HealthCheck (alpha-engine-data) - PredictorTraining (alpha-engine-predictor) - DriftDetection (alpha-engine-data + alpha-engine-predictor) - Backtester (alpha-engine-backtester) Verified working via a standalone SSM probe before pushing this PR — `sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull` ran cleanly and advanced the EC2 checkout from 292e51e to 0a3a90b. ## Live deployment Applied directly to the live state machine. This PR is the repo-side record.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 infrastructure/step_function.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/infrastructure/step_function.json b/infrastructure/step_function.json
index 67c561f..2f02191 100644
--- a/infrastructure/step_function.json
+++ b/infrastructure/step_function.json
@@ -13,8 +13,8 @@
 "Parameters": {
 "commands": [
 "set -eo pipefail",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull --ff-only origin main",
 "cd /home/ec2-user/alpha-engine-data",
- "git pull --ff-only origin main",
 "set -a && source /home/ec2-user/.alpha-engine.env && set +a",
 "source .venv/bin/activate",
 "python weekly_collector.py --phase 1 2>&1 | tee /var/log/data-phase1.log"
@@ -108,8 +108,8 @@
 "Parameters": {
 "commands": [
 "set -eo pipefail",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull --ff-only origin main",
 "cd /home/ec2-user/alpha-engine-data",
- "git pull --ff-only origin main",
 "set -a && source /home/ec2-user/.alpha-engine.env && set +a",
 "source .venv/bin/activate",
 "bash rag/pipelines/run_weekly_ingestion.sh 2>&1 | tee /var/log/rag-ingestion.log"
@@ -282,8 +282,8 @@
 "Parameters": {
 "commands": [
 "set -eo pipefail",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-predictor pull --ff-only origin main",
 "cd /home/ec2-user/alpha-engine-predictor",
- "git pull --ff-only origin main",
 "export HOME=/home/ec2-user",
 "set -a && source /home/ec2-user/.alpha-engine.env && set +a",
 "bash infrastructure/spot_train.sh --full-only 2>&1 | tee /var/log/predictor-training.log"
@@ -379,8 +379,8 @@
 "commands": [
 "set -eo pipefail",
 "export HOME=/home/ec2-user",
- "cd /home/ec2-user/alpha-engine-data && git pull --ff-only origin main",
- "cd /home/ec2-user/alpha-engine-predictor && git pull --ff-only origin main",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull --ff-only origin main",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-predictor pull --ff-only origin main",
 "set -a && source /home/ec2-user/.alpha-engine.env && set +a",
 "export PYTHONPATH=/home/ec2-user/alpha-engine-predictor",
 "/home/ec2-user/alpha-engine-data/.venv/bin/python -m monitoring.drift_detector --alert 2>&1 | tee /var/log/drift-detection.log"
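Review bot: Every entry after the new `sudo -u ec2-user git …` line in the -13 hunk still runs as root while sourcing and executing files that ec2-user owns and has just updated (`.venv/bin/activate`, `/home/ec2-user/.alpha-engine.env`, `weekly_collector.py`), which is the cross-user situation git's ownership check exists to stop. Anything that can write as ec2-user, or land a commit on `main`, therefore gets root on the instance at the next scheduled run. Consider dropping privileges for the job itself and keeping only the log write as root, e.g. `sudo -u ec2-user -H bash -c 'cd /home/ec2-user/alpha-engine-data && <job>' 2>&1 | tee /var/log/data-phase1.log` (`<job>` is a placeholder for the existing env/venv/python steps); the same applies to the hunks at -108, -282, -379, -412 and -508. Files the root steps create inside a checkout may also end up root-owned and block a later pull as ec2-user, though the diff does not show what the jobs write.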
@@ -412,8 +412,8 @@
 "Parameters": {
 "commands": [
 "set -eo pipefail",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-backtester pull --ff-only origin main",
 "cd /home/ec2-user/alpha-engine-backtester",
- "git pull --ff-only origin main",
 "export HOME=/home/ec2-user",
 "set -a && source /home/ec2-user/.alpha-engine.env && set +a",
 "bash infrastructure/spot_backtest.sh 2>&1 | tee /var/log/backtester.log"
@@ -508,8 +508,8 @@
 "Parameters": {
 "commands": [
 "set -eo pipefail",
+ "sudo -u ec2-user git -C /home/ec2-user/alpha-engine-data pull --ff-only origin main",
 "cd /home/ec2-user/alpha-engine-data",
- "git pull --ff-only origin main",
 "source .venv/bin/activate",
 "python health_checker.py --alert 2>&1 | tee /var/log/health-check.log"
 ],
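Review bot: In the -412 (Backtester) hunk the pull runs before `export HOME=/home/ec2-user`, and in the -508 (HealthCheck) hunk HOME is never exported, so which `.gitconfig` and credentials git reads under `sudo -u ec2-user` depends on the instance's sudoers policy. That policy is not visible in this diff, and an export made by the root shell would normally not survive sudo's environment reset anyway. Making it explicit with `sudo -H -u ec2-user git -C /home/ec2-user/alpha-engine-backtester pull --ff-only origin main` removes the dependency; the same flag fits the other five pull lines.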