merge v1.10.1-booterm-user

apps/booterm/Dockerfile

@@ -30,7 +30,13 @@ RUN test -f node_modules/node-pty/build/Release/pty.node && echo "pty.node OK" |
 
 # ---- Runtime ----
 FROM node:20-alpine AS runtime
-RUN apk add --no-cache tmux libstdc++
+RUN apk add --no-cache tmux libstdc++ bash su-exec shadow
+# v1.10.1: terminal shells inside tmux drop privs to samkintop via su-exec.
+# Mirror uid/gid 1000:1000 from the host so the bind-mounted /home/samkintop
+# (added in docker-compose) is owned by the user from the container's view.
+RUN deluser --remove-home node 2>/dev/null; delgroup node 2>/dev/null; \
+    addgroup -g 1000 samkintop && \
+    adduser -D -u 1000 -G samkintop -s /bin/bash samkintop
 WORKDIR /app
 COPY --from=builder /build/apps/booterm/dist ./dist
 COPY --from=proddeps /prod/package.json ./package.json

apps/booterm/tmux.conf

@@ -4,3 +4,10 @@ set -g mouse on
 setw -g mode-keys vi
 set -g status off
 set -g destroy-unattached off
+
+# v1.10.1: shells drop privs to samkintop (uid 1000) so the terminal runs in
+# the user's environment, not root. `env HOME=… USER=…` is required because
+# su-exec only changes uid/gid — it leaves env intact, and tmux server runs
+# as root so HOME would otherwise be /root. bash -l then sources samkintop's
+# ~/.profile / ~/.bashrc to pick up PATH (nvm, ~/.local/bin, ~/.opencode/bin).
+set -g default-command "su-exec samkintop:samkintop env HOME=/home/samkintop USER=samkintop SHELL=/bin/bash bash -l"

docker-compose.yml

@@ -34,6 +34,7 @@ services:
       DATABASE_URL: postgres://boocode:${POSTGRES_PASSWORD}@boocode_db:5432/boocode
     volumes:
       - /opt:/opt:rw
+      - /home/samkintop:/home/samkintop:rw
     depends_on:
       - boocode_db
     networks: