From 18991b9923e3a72afff4569d357fb757d506c8be Mon Sep 17 00:00:00 2001
From: xrendan
Date: Fri, 27 Mar 2026 13:26:56 -0600
Subject: [PATCH 1/3] Fix admin auth enforcement and agent PATH env
- Move admin check from routes into Avo initializer for proper enforcement
- Pass PATH env var to agent subprocess so Claude CLI is found
Co-Authored-By: Claude Sonnet 4.6
---
 app/jobs/agent_evaluate_commitment_job.rb | 1 +
 config/initializers/avo.rb | 3 +++
 config/routes.rb | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/jobs/agent_evaluate_commitment_job.rb b/app/jobs/agent_evaluate_commitment_job.rb
index e569b26..afe265d 100644
--- a/app/jobs/agent_evaluate_commitment_job.rb
+++ b/app/jobs/agent_evaluate_commitment_job.rb
@@ -87,6 +87,7 @@ def api_context
 def agent_env(commitment_id: nil, entry_id: nil)
 {
+ "PATH" => ENV["PATH"],
 "CLAUDE_CODE_OAUTH_TOKEN" => ENV["CLAUDE_CODE_OAUTH_TOKEN"],
 "RAILS_API_URL" => ENV.fetch("RAILS_API_URL", "http://localhost:3000"),
 "RAILS_API_KEY" => Rails.application.credentials.dig(:agent, :api_key) || ENV["AGENT_API_KEY"],
diff --git a/config/initializers/avo.rb b/config/initializers/avo.rb
index 186625d..8c4c425 100644
--- a/config/initializers/avo.rb
+++ b/config/initializers/avo.rb
@@ -21,6 +21,9 @@
 config.current_user_method = :current_user
 config.authenticate_with do
 warden.authenticate! scope: :user
+ unless current_user&.admin?
+ redirect_to main_app.root_path, alert: "Not authorized."
+ end
 end
 ## == Authorization ==
diff --git a/config/routes.rb b/config/routes.rb
index a339029..347553b 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,5 +1,5 @@
 Rails.application.routes.draw do
- authenticate :user, lambda { |u| u.admin? } do
+ authenticate :user do
 mount GoodJob::Engine => "/admin/good_job"
 mount Avo::Engine => "/admin"
 end
From 5a845592a563dbafc6ac37a907972458aac5aa40 Mon Sep 17 00:00:00 2001
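Review bot: Forwarding the worker's whole `ENV["PATH"]` in `agent_env` (app/jobs/agent_evaluate_commitment_job.rb) means the agent binary is resolved through whatever directories the Rails process inherited, in a child that also receives `CLAUDE_CODE_OAUTH_TOKEN` and `RAILS_API_KEY`. A writable directory earlier on that PATH would let a different executable with the same name run with those credentials. The Dockerfile patch in this series places the binary at `/usr/local/bin/claude`, so a fixed value such as `"PATH" => "/usr/local/bin:/usr/bin:/bin",` (if the agent needs nothing else), or invoking the binary by absolute path, would be tighter. The spawn call and the rest of `agent_env` lie outside the hunk, so how this hash is applied to the child is not visible here.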
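Review bot: No spec accompanies the move of the admin check into `config.authenticate_with` (config/initializers/avo.rb); the diffstat lists only the job, the initializer and routes.rb. The check protects Avo only if this block runs as a controller filter, so that `redirect_to` halts the request; that is presumably how Avo evaluates it, but it is not visible in this hunk. A request spec that signs in a non-admin and expects a redirect to `root_path` from an Avo page would pin the behaviour. A line such as `Rails.logger.warn("avo: non-admin access denied user_id=#{current_user&.id}")` before the redirect would also leave a trace of denied attempts. The initializer block starts and ends outside the hunk.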
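Review bot: Dropping `lambda { |u| u.admin? }` in config/routes.rb also ungates `mount GoodJob::Engine => "/admin/good_job"`, which sits in the same `authenticate :user` block and gets no equivalent check in this patch. As of this revision the GoodJob dashboard appears reachable by any signed-in user; [PATCH 2/3] later in the series restores the gate. Squashing the two patches, or splitting the GoodJob block out before relaxing the Avo one, would keep every intermediate revision safe to deploy or bisect to.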
From: xrendan
Date: Fri, 27 Mar 2026 13:28:09 -0600
Subject: [PATCH 2/3] Restore admin-only gate for GoodJob engine
Co-Authored-By: Claude Sonnet 4.6
---
 config/routes.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/routes.rb b/config/routes.rb
index 347553b..1f92986 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,6 +1,9 @@
 Rails.application.routes.draw do
- authenticate :user do
+ authenticate :user, lambda { |u| u.admin? } do
 mount GoodJob::Engine => "/admin/good_job"
+ end
+
+ authenticate :user do
 mount Avo::Engine => "/admin"
 end
From f0acf94928c4374f6435d44e86102f379e5784f9 Mon Sep 17 00:00:00 2001
From: xrendan
Date: Fri, 27 Mar 2026 13:28:34 -0600
Subject: [PATCH 3/3] Make Claude binary executable by rails user
chmod 755 ensures the rails user can execute /usr/local/bin/claude after it's moved from root's home directory.
Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index f238f9e..6ffdb5c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -79,7 +79,8 @@ COPY --from=build /rails /rails
 # Install Claude Code (native binary)
 RUN curl -fsSL https://claude.ai/install.sh | bash && \
- mv /root/.local/bin/claude /usr/local/bin/claude
+ mv /root/.local/bin/claude /usr/local/bin/claude && \
+ chmod 755 /usr/local/bin/claude
 # Run and own only the runtime files as a non-root user for security
 RUN groupadd --system --gid 1000 rails && \
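Review bot: After [PATCH 2/3] the Avo mount in config/routes.rb requires only sign-in, and nothing in the file says where its admin check now lives. A comment above the second block would keep a later edit to the initializer from silently opening `/admin`: `# Admin check for Avo is enforced in config/initializers/avo.rb (authenticate_with); this block only requires sign-in.` The two mounts presumably also fail differently for a non-admin now (route constraint for GoodJob, redirect for Avo), which is worth stating in the same comment.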
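Review bot: The `RUN` instruction that the Dockerfile hunk in [PATCH 3/3] extends still pipes `https://claude.ai/install.sh` straight into `bash` as root, with no version pin and no integrity check, so each image build executes whatever that URL serves at the time. Because the resulting binary later runs with the agent's OAuth token and API key (see `agent_env` in patch 1), it would be worth saving the installer to a file, checking it against a digest recorded in the repository (for example `echo "EXPECTED_SHA256_PLACEHOLDER  install.sh" | sha256sum -c -`), and only then running it. The `mv` plus `chmod 755` pair could also be a single `install -m 0755 /root/.local/bin/claude /usr/local/bin/claude`. If the installer leaves a symlink at `/root/.local/bin/claude`, `mv` would carry only the link, so an `ls -l` in the build is worth a look.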