Hot-fix for #2275 Phase 2 — the boot smoke step in v1@3c8f8fe failed
on every template publish with `PermissionError: [Errno 13] Permission
denied: '/configs/config.yaml'` because `mktemp -d` creates the dir
with mode 700 and `chmod -R go+r` adds 'r' to files but doesn't add
'x' to directories. Inside the image the entrypoint drops priv to
uid 1000 (agent), which then cannot traverse /configs to even reach
config.yaml — main.py exits before any executor code runs.

Two changes:

1. `chmod -R a+rX` (capital X) adds 'x' to directories AND already-
   executable files, so the temp dir becomes traversable for agent
   while config.yaml stays a regular world-readable file.
2. Drop `:ro` on the mount so the entrypoint's `chown -R agent
   /configs` succeeds. The container is ephemeral; modifications to
   the host mktemp dir don't matter and the dir gets nuked right
   after the smoke run.

Reproduced + diagnosed against claude-code publish run 25202651546
which failed within a few seconds on Path('/configs/config.yaml').exists()
in molecule_runtime/config.py:298.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
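
The permission difference behind the first change can be checked on any host. This is an added example, not code from the commit or the project: the temp directory and empty `config.yaml` are constructed stand-ins, and the helper names (`mode_of`, `modes_after`, `other_can_traverse`, `report`) are hypothetical.

```shell
#!/bin/sh
# Added illustration: compares `chmod -R go+r` with `chmod -R a+rX` on a
# directory created by `mktemp -d` (constructed stand-in for the config dir).

# Print octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a mktemp -d directory holding config.yaml, apply the given symbolic
# mode recursively, and echo "<dir mode> <file mode>".
modes_after() {
    dir=$(mktemp -d) || return 1
    : > "$dir/config.yaml"
    chmod 600 "$dir/config.yaml"   # fixed starting mode, independent of umask
    chmod -R "$1" "$dir"
    echo "$(mode_of "$dir") $(mode_of "$dir/config.yaml")"
    rm -rf "$dir"
}

# A non-owner (such as uid 1000 inside the container) can reach files in a
# directory only if the "other" execute (search) bit is set on it.
other_can_traverse() {
    case "$1" in
        *[1357]) return 0 ;;
        *) return 1 ;;
    esac
}

report() {
    set -- "$1" $(modes_after "$1")
    if other_can_traverse "$2"; then verdict="traversable"; else verdict="NOT traversable"; fi
    echo "chmod -R $1: dir=$2 file=$3 -> dir $verdict by other users"
}

report go+r   # variant that failed: directory gains 'r' but not 'x'
report a+rX   # fixed variant: directory gains 'x', regular file does not
```

A directory mode ending in 4 lets other users list names but not open anything beneath it, which matches the `PermissionError` on `/configs/config.yaml` quoted in the message.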