From dd05765d75fad8b811ed01b5603368ae919f2ee3 Mon Sep 17 00:00:00 2001
From: Tejas Kashinath <tkashina@amazon.com>
Date: Fri, 20 Feb 2026 10:42:16 -0500
Subject: [PATCH] fix: add --chown to Dockerfile COPY so app files are owned by
 bedrock_agentcore

COPY after USER still defaults to root:root ownership. Without --chown,
application files in the container are owned by root even though the
process runs as bedrock_agentcore, which customers may cargo-cult.
---
 src/assets/container/python/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/assets/container/python/Dockerfile b/src/assets/container/python/Dockerfile
index 9eef5543..63089990 100644
--- a/src/assets/container/python/Dockerfile
+++ b/src/assets/container/python/Dockerfile
@@ -14,7 +14,7 @@ RUN uv pip install -r pyproject.toml
 RUN useradd -m -u 1000 bedrock_agentcore
 USER bedrock_agentcore
 
-COPY . .
+COPY --chown=bedrock_agentcore:bedrock_agentcore . .
 
 # 8080: AgentCore runtime endpoint
 # 8000: Local dev server (uvicorn)