sandbox connected and streaming

2026-03-30 23:29:03 -04:00
parent c3a8fae132
commit 998f69fa1a
130 changed files with 7416 additions and 2123 deletions
--- a/sandbox/entrypoint.sh
+++ b/sandbox/entrypoint.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+set -e
+
+# Ensure /app/data is the only writable location for dexorder user
+# All other directories should be read-only (enforced by k8s readOnlyRootFilesystem)
+
+# Fix permissions on mounted volume (k8s may mount with different ownership)
+if [ -d /app/data ]; then
+    # Check if we can write to /app/data - if not, something is wrong
+    if [ ! -w /app/data ]; then
+        echo "ERROR: /app/data is not writable by dexorder user"
+        exit 1
+    fi
+else
+    echo "ERROR: /app/data does not exist"
+    exit 1
+fi
+
+# Ensure /app/config and /app/secrets are read-only (should already be via k8s mount)
+for dir in /app/config /app/secrets; do
+    if [ -d "$dir" ] && [ -w "$dir" ]; then
+        echo "WARNING: $dir is writable but should be read-only"
+    fi
+done
+
+# Execute the main application
+exec /opt/conda/envs/dexorder/bin/python /app/main.py "$@"