попытка сделать изоляцию

Dockerfile

@@ -1,17 +1,18 @@
-FROM python:3.14-slim as base
+FROM python:3.14-slim AS base
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1
 
 WORKDIR /app
-RUN apt update && apt install make -y
+RUN apt update && apt install make  -y
 
 ENV AGENT_USER="agent"
-RUN useradd --shell /bin/bash agent
 ENV WORKSPACE_DIR="/workspace/"
-RUN mkdir -p $WORKSPACE_DIR && chown $AGENT_USER:$AGENT_USER $WORKSPACE_DIR
+RUN useradd --shell /bin/bash $AGENT_USER \
+    && mkdir -p $WORKSPACE_DIR /home/$AGENT_USER \
+    && chown -R agent:agent $WORKSPACE_DIR /home/$AGENT_USER
 
-FROM base as builder
+FROM base AS builder
 
 RUN apt install git -y
 RUN pip install uv
@@ -20,7 +21,7 @@ COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-install-project --no-dev
 RUN uv pip install git+https://git.lambda.coredump.ru/platform/agent_api.git
 
-FROM base as production
+FROM base AS production
 
 COPY --from=builder /app/.venv /app/.venv
 ENV PATH="/app/.venv/bin:$PATH"
@@ -28,12 +29,15 @@ ENV PATH="/app/.venv/bin:$PATH"
 COPY src/ /app/src/
 COPY Makefile ./
 COPY .mk/ ./.mk/
+RUN chown root:root /app && chmod 700 /app
+RUN apt install sudo -y && \
+    echo "agent ALL=(ALL) NOPASSWD: /usr/bin/apt*" >> /etc/sudoers
 
 EXPOSE 8000
 
 CMD ["make", "uvicorn-prod"]
 
-FROM base as development
+FROM base AS development
 
 RUN pip install uv
 
@@ -47,6 +51,9 @@ ENV PATH="/app/.venv/bin:$PATH"
 
 COPY Makefile ./
 COPY .mk/ ./.mk/
+RUN chown root:root /app && chmod 700 /app
+RUN apt install sudo -y && \
+    echo "agent ALL=(ALL) NOPASSWD: /usr/bin/apt*" >> /etc/sudoers
 
 EXPOSE 8000