Fix admin auth enforcement and agent PATH env

Dockerfile

@@ -79,7 +79,8 @@ COPY --from=build /rails /rails
 
 # Install Claude Code (native binary)
 RUN curl -fsSL https://claude.ai/install.sh | bash && \
-    mv /root/.local/bin/claude /usr/local/bin/claude
+    mv /root/.local/bin/claude /usr/local/bin/claude && \
+    chmod 755 /usr/local/bin/claude
 
 # Run and own only the runtime files as a non-root user for security
 RUN groupadd --system --gid 1000 rails && \

app/jobs/agent_evaluate_commitment_job.rb

@@ -87,6 +87,7 @@ def api_context
 
   def agent_env(commitment_id: nil, entry_id: nil)
     {
+      "PATH"                  => ENV["PATH"],
       "CLAUDE_CODE_OAUTH_TOKEN" => ENV["CLAUDE_CODE_OAUTH_TOKEN"],
       "RAILS_API_URL"         => ENV.fetch("RAILS_API_URL", "http://localhost:3000"),
       "RAILS_API_KEY"         => Rails.application.credentials.dig(:agent, :api_key) || ENV["AGENT_API_KEY"],

config/initializers/avo.rb

@@ -21,6 +21,9 @@
   config.current_user_method = :current_user
   config.authenticate_with do
     warden.authenticate! scope: :user
+    unless current_user&.admin?
+      redirect_to main_app.root_path, alert: "Not authorized."
+    end
   end
 
   ## == Authorization ==

config/routes.rb

@@ -1,6 +1,9 @@
 Rails.application.routes.draw do
   authenticate :user, lambda { |u| u.admin? } do
     mount GoodJob::Engine => "/admin/good_job"
+  end
+
+  authenticate :user do
     mount Avo::Engine => "/admin"
   end