Apply Ruby json gem fix to phylo and mega Dockerfiles

The Ruby json gem (CVE-2026-33210) enters via mummer4 → yaggo → ruby,
not just sequip. Since phylo and mega build independently from core
(not from assemble), they each need the same fix: remove the old
bundled default json gem and install >=2.19.2.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dpark01

docker/Dockerfile.assemble

@@ -30,8 +30,8 @@ COPY docker/install-conda-deps.sh /tmp/
 # All files resolved together in single micromamba call; x86-only files skipped on ARM
 # Post-install fixups (inline so vulnerable files never appear in a committed layer):
 #   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
-#   - Ruby json gem: sequip pulls in Ruby, whose bundled json gem has CVE-2026-33210;
-#     remove the old default gem and install patched version (>=2.19.2)
+#   - Ruby json gem: mummer4/sequip pull in Ruby (via yaggo), whose bundled json gem
+#     has CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt \
     --x86-only:/tmp/requirements/assemble-x86.txt && \
     rm -f /opt/conda/libexec/mafft/dash_client && \

docker/Dockerfile.mega

@@ -25,13 +25,18 @@ COPY docker/install-conda-deps.sh /tmp/
 
 # Install ALL conda dependencies in single resolver call for proper dependency resolution
 # All files resolved together; x86-only files skipped on ARM
-# Remove mafft's dash_client (Go 1.22.1 binary with 11 Go stdlib CVEs) — we
-# never use --dash mode; delete inline so it never appears in any layer.
+# Post-install fixups (inline so vulnerable files never appear in a committed layer):
+#   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
+#   - Ruby json gem: mummer4 → yaggo → Ruby, whose bundled json gem has CVE-2026-33210;
+#     remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/assemble.txt /tmp/requirements/classify.txt /tmp/requirements/phylo.txt \
     --x86-only:/tmp/requirements/assemble-x86.txt \
     --x86-only:/tmp/requirements/classify-x86.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client && \
+    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    gem install json --version '>=2.19.2' --no-document
 
 # Copy source code (includes all modules)
 COPY src/ /opt/viral-ngs/source/src/

docker/Dockerfile.phylo

@@ -25,11 +25,16 @@ COPY docker/install-conda-deps.sh /tmp/
 
 # Install conda dependencies (phylo tools)
 # All files resolved together in single micromamba call; x86-only files skipped on ARM
-# Remove mafft's dash_client (Go 1.22.1 binary with 11 Go stdlib CVEs) — we
-# never use --dash mode; delete inline so it never appears in any layer.
+# Post-install fixups (inline so vulnerable files never appear in a committed layer):
+#   - mafft's dash_client: Go 1.22.1 binary with Go stdlib CVEs; we never use --dash mode
+#   - Ruby json gem: mummer4 pulls in yaggo → Ruby, whose bundled json gem has
+#     CVE-2026-33210; remove the old default gem and install patched version (>=2.19.2)
 RUN /tmp/install-conda-deps.sh /tmp/requirements/baseimage.txt /tmp/requirements/core.txt /tmp/requirements/phylo.txt \
     --x86-only:/tmp/requirements/phylo-x86.txt && \
-    rm -f /opt/conda/libexec/mafft/dash_client
+    rm -f /opt/conda/libexec/mafft/dash_client && \
+    find /opt/conda/lib/ruby -maxdepth 3 -name 'json*' -not -path '*/psych/*' -exec rm -rf {} + && \
+    rm -f /opt/conda/lib/ruby/gems/*/specifications/default/json-*.gemspec && \
+    gem install json --version '>=2.19.2' --no-document
 
 # Copy source code (includes phylo module)
 COPY src/ /opt/viral-ngs/source/src/