Commit 4caee3e

lroolle, claude[bot] and claude authored
fix: handle UID 0 (root user) case in docker-entrypoint.sh (#22)

* fix: handle UID 0 (root user) case in docker-entrypoint.sh

- Detect when host user is root (CLAUDE_UID=0)
- Use fallback UID 1000 to avoid conflict with existing root user
- Also handle CLAUDE_GID=0 case with same fallback
- Display clear warning messages about fallback behavior
- Preserves security by still running as non-root in container
- Fixes "usermod: UID '0' already exists" error

Resolves #21

Co-authored-by: Eric Wang <lroolle@users.noreply.github.com>

* fix: handle UID=0 and GID=0 independently for security

- Separate UID=0 and GID=0 checks to prevent security bypass
- Fix case where host user has UID≠0 but GID=0 (would assign root group)
- Remove inaccurate warning message about file ownership
- Addresses Cursor BugBot security vulnerability report

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: add explicit github_token to claude-code-review action

- Add github_token parameter to prevent OIDC token exchange errors
- Fixes 401 Unauthorized - Invalid OIDC token error in claude-review CI
- Action was trying to use GitHub App auth instead of direct token auth

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: add OIDC token fix to dev log

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove redundant comments in UID/GID handling

- Remove obvious comments that don't add value
- Add missing dev log entry for root user handling fix

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: dynamic fallback UID/GID selection for root users

- Replace hardcoded 1000 fallback with dynamic search
- Find first available UID/GID starting from 1000
- Prevents collision with existing container users/groups
- More robust handling of edge cases

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* simplify: revert to hardcoded 1000 fallback for root users

- Use UID/GID 1000 fallback for predictable file ownership
- Existing usermod logic handles UID collision properly
- Most host users are UID 1000, so this provides correct file ownership
- Simpler than dynamic search while achieving the goal

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: clarify root cause and solution for UID 0 handling

- Explain why UID 0 can't be reassigned (root user exists)
- Clarify security fix prevents root group assignment
- Note that 1000 fallback provides proper file ownership

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Eric Wang <lroolle@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

1 parent 64306d2 commit 4caee3e

3 files changed

Lines changed: 41 additions & 0 deletions

.github/workflows/claude-code-review.yml

Lines changed: 1 addition & 0 deletions
@@ -38,6 +38,7 @@ jobs:
3838
uses: anthropics/claude-code-action@beta
3939
with:
4040
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
41+
github_token: ${{ secrets.GITHUB_TOKEN }}
4142

4243
# Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
4344
# model: "claude-opus-4-20250514"
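
Review bot: the added `github_token: ${{ secrets.GITHUB_TOKEN }}` at new line 41 hands the workflow token to an action referenced by the mutable tag `anthropics/claude-code-action@beta` (line 38), so whatever that tag resolves to at run time receives both the API key and a repository token. Pin the `uses:` reference to a full commit SHA, and since the job's `permissions:` block is outside this hunk, confirm it grants only the scopes the review step needs. A one-line comment above `github_token` saying it is set explicitly to avoid the OIDC token exchange would keep a later cleanup from removing it.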

DEV-LOGS.md

Lines changed: 30 additions & 0 deletions
@@ -5,6 +5,36 @@
55

66
## Issue Analysis: 2025-06-23
77

8+
### [bug-fixed] Root user (UID 0) handling in docker-entrypoint.sh
9+
10+
**Problem**: `sudo claude-yolo` fails with "usermod: UID '0' already exists" error.
11+
12+
**Root Cause**: Can't reassign existing UID 0 (root) to claude user.
13+
14+
**Security Fix**: Handle UID=0 and GID=0 independently to prevent root group assignment.
15+
16+
**Solution**: Use fallback UID/GID 1000 for proper file ownership with existing collision handling.
17+
18+
**Status**: ✅ **COMPLETED** - PR #22
19+
20+
---
21+
22+
## Issue Analysis: 2025-06-23
23+
24+
### [bug-fixed] Claude Code Review OIDC token authentication error
25+
26+
**Problem**: CI failing with "Invalid OIDC token" after changing permissions to write.
27+
28+
**Solution**: Added explicit `github_token: ${{ secrets.GITHUB_TOKEN }}` to force direct token auth.
29+
30+
**Cause**: Write permissions trigger GitHub App auth by default, but no App configured.
31+
32+
**Status**: ✅ **COMPLETED**
33+
34+
---
35+
36+
## Issue Analysis: 2025-06-23
37+
838
### [enhancement-completed] Claude Code Review workflow simplification
939

1040
**Problem**: Overcomplicated workflow with manual duplicate detection using GitHub CLI.
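
Review bot: the Solution line of the root-user entry (new line 16) says the 1000 fallback gives "proper file ownership" without saying for whom; state which host account ends up owning files the container writes when the host user is UID 0, since that is exactly the case this entry documents. The three sections visible here all carry the identical heading `## Issue Analysis: 2025-06-23`, which makes links to them ambiguous, so group same-day entries under one dated heading. The OIDC entry also lists Solution before Cause and its Status has no PR reference, unlike the entry above it; keep the field order and the PR link consistent across entries.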

docker-entrypoint.sh

Lines changed: 10 additions & 0 deletions
@@ -59,6 +59,16 @@ setup_nonroot_user() {
5959
local current_uid=$(id -u "$CLAUDE_USER")
6060
local current_gid=$(id -g "$CLAUDE_USER")
6161

62+
if [ "$CLAUDE_UID" = "0" ]; then
63+
echo "[entrypoint] WARNING: Host user is root (UID=0). Using fallback UID 1000 for security."
64+
CLAUDE_UID=1000
65+
fi
66+
67+
if [ "$CLAUDE_GID" = "0" ]; then
68+
echo "[entrypoint] WARNING: Host user is in root group (GID=0). Using fallback GID 1000 for security."
69+
CLAUDE_GID=1000
70+
fi
71+
6272
if [ "$CLAUDE_GID" != "$current_gid" ]; then
6373
[ "$VERBOSE" = "true" ] && echo "[entrypoint] updating $CLAUDE_USER GID: $current_gid -> $CLAUDE_GID"
6474
if getent group "$CLAUDE_GID" >/dev/null 2>&1; then
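
Review bot: the checks at new lines 62 and 67 compare as strings (`[ "$CLAUDE_UID" = "0" ]`), so a value such as `00`, or an empty or non-numeric CLAUDE_UID/CLAUDE_GID, skips the fallback and reaches the update logic below unchanged. Validate both variables as decimal integers first (for example `case "$CLAUDE_UID" in ''|*[!0-9]*)` rejecting the value) and then test with `-eq 0`. The two WARNING lines go to stdout and are not gated by `$VERBOSE` like the message at line 73; sending them to stderr with `>&2` keeps them out of command output. The fallback 1000 is hardcoded in both branches; a single named variable would keep the UID and GID fallbacks in step.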
