Drop container privileges after workspace setup #34
Open
Description
Summary
The runner executes the entire container entrypoint as root (--user 0:0) because the workspace setup script needs to create /agentd/workspace. The agent process (runa, codex) then inherits root, which is more privilege than it needs for its task.
Constraints
- Workspace setup (mkdir, git clone, runa init, config writes) must complete before the privilege drop.
- The agent process must run as an unprivileged user with write access to the cloned repo and runa working directory.
- The unprivileged user must exist inside the container at runtime — either created by the entrypoint or guaranteed by a base image contract.
- No change to SessionSpec, SessionInvocation, or SessionOutcome.
- The runner's external behavior (outcomes, cleanup, error reporting) is unchanged; only the in-container privilege level of the agent changes.
Acceptance Criteria
- The agent command (exec runa run ...) runs as a non-root user.
- Workspace setup still succeeds for base images with any default USER.
- The non-root user has write access to the repo working directory and .runa/state.
- Lifecycle and timeout tests pass with the privilege drop in place.
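One way to structure the entrypoint this issue asks for, as an added example and not code from the project: setup runs as root, then the agent is exec'd through setpriv from util-linux, which is assumed to be present in the image. The uid/gid 10001, the WORKSPACE, AGENT_UID and AGENT_GID variables, and the entrypoint.sh file name are assumptions.

```shell
#!/bin/sh
# Added example: do root-only setup, then drop privileges irreversibly before the agent starts.
set -eu

WORKSPACE="${WORKSPACE:-/agentd/workspace}"  # path named in the issue
AGENT_UID="${AGENT_UID:-10001}"              # assumed unprivileged uid
AGENT_GID="${AGENT_GID:-10001}"              # assumed unprivileged gid

# True only for a numeric, non-zero id, so a typo or "0" can never reach the drop step.
is_unpriv_id() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ne 0 ]
}

# Print the command prefix that performs the drop (fails closed on a bad id).
# setpriv sets real and effective ids, clears root's supplementary groups, and sets
# no_new_privs so setuid binaries cannot hand root back to the agent.
drop_prefix() {
    is_unpriv_id "$AGENT_UID" && is_unpriv_id "$AGENT_GID" || return 1
    printf 'setpriv --reuid=%s --regid=%s --clear-groups --no-new-privs' \
        "$AGENT_UID" "$AGENT_GID"
}

# Root phase: everything that needs privilege happens here, then ownership is handed over.
prepare_workspace() {
    mkdir -p "$WORKSPACE"
    # git clone, runa init and config writes from the issue go here, still as root.
    chown -R "$AGENT_UID:$AGENT_GID" "$WORKSPACE"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "entrypoint must start as root" >&2; exit 1; }
    prefix=$(drop_prefix) || { echo "refusing to run the agent as uid/gid 0" >&2; exit 1; }
    prepare_workspace
    cd "$WORKSPACE"
    # Self-check as the target identity: non-root and able to write the working directory.
    $prefix sh -c '[ "$(id -u)" -ne 0 ] && [ -w . ]' \
        || { echo "privilege drop self-check failed" >&2; exit 1; }
    exec $prefix "$@"   # e.g. the agent command from the issue: runa run ...
}

# Run only when installed as entrypoint.sh, so the functions can be sourced and tested.
case "${0##*/}" in entrypoint*) main "$@" ;; esac
```

Because the ids are numeric, the drop itself does not look up a passwd entry; the constraint that the user exists still matters for tools that resolve a user name or home directory.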