From 619dafbdcc943222cd1aa6b60d508a5d00658199 Mon Sep 17 00:00:00 2001
From: autocommit
Date: Tue, 26 May 2026 16:33:24 -0700
Subject: [PATCH] =?UTF-8?q?security(scripts):=20=F0=9F=94=92=EF=B8=8F=20Fi?=
 =?UTF-8?q?x=20root-owned=20directory=20permissions=20in=20Docker=20bind?=
 =?UTF-8?q?=20mounts=20to=20prevent=20security=20vulnerabilities?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Lilith Autocommit
---
 scripts/apricot-run.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/scripts/apricot-run.sh b/scripts/apricot-run.sh
index 3c887c9c..c8d61891 100755
--- a/scripts/apricot-run.sh
+++ b/scripts/apricot-run.sh
@@ -200,6 +200,12 @@ DOCKER_BUILDKIT=1 docker build \\
 --file "\${SCRATCH}/tools/docker/Dockerfile.mc-ai" \\
 "\${SCRATCH}"
+# Pre-create the bind-mount target as the host user. Without this, dockerd
+# (running as root) auto-creates /work/.local + /work/.local/out as root
+# when it materialises the bind mount, leaving lilith-unwritable directories
+# behind that break `git worktree remove` at cleanup time.
+mkdir -p "\${SCRATCH}/.local/out"
+
 # Trap → docker kill any container we started, so an OOM-killed or
 # externally-stopped launcher doesn't leave the daemon-owned container
 # running past the systemd unit's lifetime.
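Review bot: The added `mkdir -p "${SCRATCH}/.local/out"` has no guard for `SCRATCH` being unset or empty; in that case the path collapses to `/.local/out`, so the command either creates a directory at the filesystem root or fails there, and it does so silently unless the script runs under `set -e` (not visible in this hunk). Writing it as `mkdir -p -- "${SCRATCH:?SCRATCH must be set}/.local/out"` aborts with a clear message instead and keeps the pre-creation tied to the scratch tree it is meant to protect. The fix also covers only the one mount target named in the comment; if the `docker run` invocation outside this hunk bind-mounts other host paths that may not exist yet, dockerd will create those as root in the same way, so they would need the same pre-creation. The surrounding script section begins and ends outside the hunk.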