From 303db412ff6a2233bda329b9229577301ca5717d Mon Sep 17 00:00:00 2001
From: Solimander
Date: Tue, 2 Dec 2025 10:33:06 -0700
Subject: [PATCH 1/3] feat: defer privilege dropping to entrypoint for TEE initialization

---
 internal/templates/docker/Dockerfile.layered.tmpl | 4 ++--
 internal/templates/scripts/compute-source-env.sh.tmpl | 7 +++++++
 pkg/hooks/hooks.go | 3 ++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/internal/templates/docker/Dockerfile.layered.tmpl b/internal/templates/docker/Dockerfile.layered.tmpl
index 60d50c6..3086f26 100644
--- a/internal/templates/docker/Dockerfile.layered.tmpl
+++ b/internal/templates/docker/Dockerfile.layered.tmpl
@@ -32,8 +32,8 @@ RUN chmod 755 /usr/local/bin/compute-source-env.sh \
 && chmod 755 /usr/local/bin/caddy{{- end}} \
 && chmod 644 /usr/local/bin/kms-signing-public-key.pem
 
-# Switch back to the original user from base image
-USER {{.OriginalUser}}
+# Store original user - entrypoint will drop privileges to this user after TEE setup
+ENV ORIGINAL_USER={{.OriginalUser}}
 {{- else}}
 # Make binaries executable (preserve existing permissions, just add execute)
 RUN chmod +x /usr/local/bin/compute-source-env.sh \
diff --git a/internal/templates/scripts/compute-source-env.sh.tmpl b/internal/templates/scripts/compute-source-env.sh.tmpl
index 4005287..60c521b 100644
--- a/internal/templates/scripts/compute-source-env.sh.tmpl
+++ b/internal/templates/scripts/compute-source-env.sh.tmpl
@@ -107,4 +107,11 @@ setup_tls() {
 
 setup_tls
 echo "compute-source-env.sh: Environment sourced."
+
+# Drop privileges to original user for the application command
+if [ -n "$ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
+ echo "compute-source-env.sh: Dropping privileges to user: $ORIGINAL_USER"
+ exec su -s /bin/sh "$ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
+fi
+
 exec "$@"
diff --git a/pkg/hooks/hooks.go b/pkg/hooks/hooks.go
index 9438573..742c2fd 100644
--- a/pkg/hooks/hooks.go
+++ b/pkg/hooks/hooks.go
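Review bot: With `USER {{.OriginalUser}}` removed, the layered image no longer declares a non-root user, so anything that does not go through compute-source-env.sh — a `docker exec`, an overridden `--entrypoint`, or a base-image `CMD` started directly — now runs as root, and the new comment should say so. The drop target is also now a plain `ENV`, which a runtime `-e ORIGINAL_USER=...` can override; whether that matters depends on whether the container environment is covered by the TEE measurement, which this template does not show, so it is worth stating in the comment which case applies. Suggested wording: `# No USER here: the container starts as root so the entrypoint can finish TEE setup and then drop to this user; any path that bypasses compute-source-env.sh runs as root.`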
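Review bot: `su` looks `$ORIGINAL_USER` up by account name, but the value is copied from a Dockerfile `USER` directive, which also accepts a numeric UID or a `user:group` pair with no passwd entry; with such a value the exec'd `su` fails and the container dies at startup with su's own message rather than a clear one. Failing closed is right, but the rejection should be explicit and local, e.g. before the `exec su` line: `case "$ORIGINAL_USER" in *:*|[0-9]*) echo "compute-source-env.sh: ORIGINAL_USER must be an account name: $ORIGINAL_USER" >&2; exit 1;; esac` — or resolve the value to an account name where `{{.OriginalUser}}` is computed. Which `su` the base image ships (shadow/PAM or busybox) also decides how much of the sourced environment survives the drop — shadow's su without `-l` resets HOME and, depending on login.defs, possibly PATH — so a one-line comment naming the variables the application relies on after the drop would help, and a dedicated tool such as setpriv, where the base image provides it, behaves more predictably than su. The same applies to the rewritten line in PATCH 3/3.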
@@ -244,7 +244,8 @@ var versionCheckChannel = make(chan *common.UpdateInfo, 1)
 // InitVersionCheck starts an async version check for prod builds
 func InitVersionCheck(cCtx *cli.Context) {
 // Skip for non-prod builds or specific commands
- if common.Build != "prod" || cCtx.Command.Name == "upgrade" || cCtx.Command.Name == "version" || cCtx.Command.Name == "help" {
+ subcommand := cCtx.Args().First()
+ if common.Build != "prod" || subcommand == "upgrade" || subcommand == "version" || subcommand == "help" {
 return
 }
 

From 909c1758f8693db1cb2d27846faa2f32e40f5b24 Mon Sep 17 00:00:00 2001
From: Solimander
Date: Tue, 2 Dec 2025 10:53:24 -0700
Subject: [PATCH 2/3] feat: standardize ORIGINAL_USER environment variable with __EIGENX_ prefix

---
 internal/templates/docker/Dockerfile.layered.tmpl | 2 +-
 internal/templates/scripts/compute-source-env.sh.tmpl | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/templates/docker/Dockerfile.layered.tmpl b/internal/templates/docker/Dockerfile.layered.tmpl
index 3086f26..e7b921a 100644
--- a/internal/templates/docker/Dockerfile.layered.tmpl
+++ b/internal/templates/docker/Dockerfile.layered.tmpl
@@ -33,7 +33,7 @@ RUN chmod 755 /usr/local/bin/compute-source-env.sh \
 && chmod 644 /usr/local/bin/kms-signing-public-key.pem
 
 # Store original user - entrypoint will drop privileges to this user after TEE setup
-ENV ORIGINAL_USER={{.OriginalUser}}
+ENV __EIGENX_ORIGINAL_USER={{.OriginalUser}}
 {{- else}}
 # Make binaries executable (preserve existing permissions, just add execute)
 RUN chmod +x /usr/local/bin/compute-source-env.sh \
diff --git a/internal/templates/scripts/compute-source-env.sh.tmpl b/internal/templates/scripts/compute-source-env.sh.tmpl
index 60c521b..8fa1992 100644
--- a/internal/templates/scripts/compute-source-env.sh.tmpl
+++ b/internal/templates/scripts/compute-source-env.sh.tmpl
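Review bot: The three equality tests on `subcommand` read more clearly as a switch, with the build check on its own line: `if common.Build != "prod" { return }` followed by `switch subcommand { case "upgrade", "version", "help": return }`. `cCtx.Args().First()` is the first positional argument, so help requested as a flag rather than as the `help` subcommand still starts the version check; if that matters, the help flag needs its own check, though how the hook is wired is not visible here. This change is also unrelated to the privilege-dropping subject of the commit and would be easier to review as its own patch. InitVersionCheck continues past the end of the hunk.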
@@ -109,9 +109,9 @@ setup_tls
 echo "compute-source-env.sh: Environment sourced."
 
 # Drop privileges to original user for the application command
-if [ -n "$ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
- echo "compute-source-env.sh: Dropping privileges to user: $ORIGINAL_USER"
- exec su -s /bin/sh "$ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
+if [ -n "$__EIGENX_ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
+ echo "compute-source-env.sh: Dropping privileges to user: $__EIGENX_ORIGINAL_USER"
+ exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -- "$@"
 fi
 
 exec "$@"

From 98f797f846f655f616bdd860f22a070f1859d811 Mon Sep 17 00:00:00 2001
From: Solimander
Date: Tue, 2 Dec 2025 10:56:13 -0700
Subject: [PATCH 3/3] fix privilege dropping to preserve command arguments correctly

---
 internal/templates/scripts/compute-source-env.sh.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/templates/scripts/compute-source-env.sh.tmpl b/internal/templates/scripts/compute-source-env.sh.tmpl
index 8fa1992..a01eaef 100644
--- a/internal/templates/scripts/compute-source-env.sh.tmpl
+++ b/internal/templates/scripts/compute-source-env.sh.tmpl
@@ -111,7 +111,7 @@ echo "compute-source-env.sh: Environment sourced."
 # Drop privileges to original user for the application command
 if [ -n "$__EIGENX_ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
 echo "compute-source-env.sh: Dropping privileges to user: $__EIGENX_ORIGINAL_USER"
- exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -- "$@"
+ exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
 fi
 
 exec "$@"
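Review bot: The third added line does more than the rename: dropping `-c 'exec "$@"' -- sh` turns the call into `su -s /bin/sh USER -- "$@"`, which hands the application command to `/bin/sh` as its arguments, so the shell tries to read `$1` as a script file instead of executing it. PATCH 3/3 restores the original form, so this commit should be limited to the variable rename and the follow-up squashed into it, leaving a history in which the privilege drop never breaks.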
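Review bot: The restored line is the right idiom but nothing explains why `sh` appears as a literal argument, which is how PATCH 2/3 came to "simplify" it; add a comment above it such as `# The -c string runs in the target user's shell with $0=sh and the original argv as "$@"; do not collapse this to su USER -- "$@", which makes sh treat the first argument as a script file`. The bare `exec "$@"` after the `if` is reached both when the entrypoint already runs unprivileged and when `__EIGENX_ORIGINAL_USER` is unset on a root image, and in the second case the application stays root; a one-line comment there, `# Already non-root, or no original user recorded: run as the current uid`, makes that case visible to anyone auditing which images end up running as root.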