- Added YAML frontmatter to all 8 polish-* skills and sweep skill so Claude can auto-invoke them
- New bitcoin-conventions skill with PROUX UX methodology, sats display, address validation, Tor preferences, Lightning patterns
- Path-specific rules for containers (security hardening) and frontend (Vue/glassmorphism conventions)
- Gitea Actions: nightly security review and weekly dependency audit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
683 B
Frontmatter key: `globs` (the path patterns this rules file applies to; the value is not rendered on this page).
# Container Security Rules (Archipelago)

- `readonly_root: true` always: containers must not write to their root filesystem
- Drop ALL capabilities and add back only what is required (`--cap-drop=ALL --cap-add=...`)
- Run as a non-root user (UID > 1000): `--user 1001:1001`
- Set `--security-opt=no-new-privileges:true`
- Pin image versions by SHA256 digest; never use the `:latest` tag
- Mount secrets as read-only files rather than passing them as environment variables wherever possible
- Set memory and CPU limits on all containers
- Use `--network=none` unless network access is required
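The rules above are easy to state and easy to forget on one service out of twenty. The script below is an added example, not code from the Archipelago repository: it audits a `docker run` command line against each rule by inspecting only the command string, so it needs no Docker daemon. It assumes the Docker CLI spellings of the rules (`--read-only` is the CLI form of `readonly_root: true`; `--cpu-quota` is accepted as an alternative CPU limit), treats a credential-looking `-e`/`--env` name as a heuristic for "secret passed via environment", and requires an explicit `--network` because the rule demands a decision that a string check cannot make for you. `BAD_RUN` and `GOOD_RUN` are constructed samples; `registry.example/api` and the digest are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not part of the Archipelago repository: audit a `docker run`
# command line against the container security rules. Only the string is
# inspected, so this runs offline. Flag names are Docker's real CLI flags;
# BAD_RUN and GOOD_RUN are constructed samples.

# has_flag CMD ERE: succeed if the extended regex ERE matches the command string.
has_flag() {
  printf '%s\n' "$1" | grep -qE -- "$2"
}

# audit_docker_run CMD: print one line per rule violation, nothing if clean.
# Always returns 0; callers count the printed lines.
audit_docker_run() {
  cmd="$1"

  has_flag "$cmd" '(^|[[:space:]])--read-only([[:space:]]|$)' \
    || echo "root filesystem is writable: add --read-only (and --tmpfs for scratch paths)"

  has_flag "$cmd" '--cap-drop[= ][Aa][Ll][Ll]([[:space:]]|$)' \
    || echo "capabilities not dropped: add --cap-drop=ALL, then --cap-add only what is required"

  # The UID must be numeric to be checkable; a user name cannot be verified here.
  uid=$(printf '%s\n' "$cmd" | sed -nE 's/.*--user[= ]([0-9]+).*/\1/p')
  if [ -z "$uid" ]; then
    echo "no numeric --user: run as --user UID:GID with UID > 1000"
  elif [ "$uid" -le 1000 ]; then
    echo "UID $uid is not > 1000 (0 is root, system accounts sit below 1000)"
  fi

  has_flag "$cmd" '--security-opt[= ]no-new-privileges(:true)?([[:space:]]|$)' \
    || echo "setuid/setcap escalation allowed: add --security-opt=no-new-privileges:true"

  if has_flag "$cmd" ':latest([[:space:]]|$)'; then
    echo "image uses :latest: pin to a digest (image@sha256:<64 hex>)"
  elif ! has_flag "$cmd" '@sha256:[0-9a-f]{64}([[:space:]]|$)'; then
    echo "image not pinned by SHA256 digest"
  fi

  # Heuristic: env var names that look like credentials. Secrets belong in read-only files.
  if printf '%s\n' "$cmd" | grep -qiE '(^|[[:space:]])(-e|--env)[= ][A-Za-z0-9_]*(secret|password|passwd|token|key|credential)'; then
    echo "secret passed via environment: mount it as a read-only file instead"
  fi

  has_flag "$cmd" '(^|[[:space:]])(-m|--memory)[= ][0-9]' \
    || echo "no memory limit: add --memory=<size>"
  has_flag "$cmd" '(^|[[:space:]])(--cpus|--cpu-quota)[= ][0-9]' \
    || echo "no CPU limit: add --cpus=<n>"

  # Docker defaults to the bridge network; the rule wants an explicit decision.
  has_flag "$cmd" '(^|[[:space:]])--net(work)?[= ]' \
    || echo "no --network given: use --network=none unless the container needs network access"

  return 0
}

# Placeholder digest: 64 hex characters, not a real image.
DIGEST="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Constructed sample: the shape most quick-start tutorials produce.
BAD_RUN="docker run -d --name api -e DB_PASSWORD=hunter2 -p 8080:8080 registry.example/api:latest"

# Constructed sample: the same service after applying every rule above.
GOOD_RUN="docker run -d --name api --read-only --tmpfs /tmp \
  --cap-drop=ALL --cap-add=NET_BIND_SERVICE --user 1001:1001 \
  --security-opt=no-new-privileges:true --memory=512m --cpus=1.0 \
  --network=backend \
  -v /run/secrets/db_password:/run/secrets/db_password:ro \
  registry.example/api@sha256:$DIGEST"

echo "== violations in BAD_RUN =="
audit_docker_run "$BAD_RUN"
echo "== violations in GOOD_RUN =="
audit_docker_run "$GOOD_RUN"
```

Two caveats when applying this for real: `--read-only` breaks any process that writes outside a volume, so pair it with `--tmpfs` (or a named volume) for the few paths that must be writable, as `GOOD_RUN` does for `/tmp`; and the secret heuristic only catches names that look like credentials, so it is a backstop for review, not a substitute for a policy that forbids `-e` for secrets outright. A compose file needs a YAML parser rather than this string check, but the rule set maps one to one onto `read_only`, `cap_drop`/`cap_add`, `user`, `security_opt`, image digests, `secrets`, resource limits and `network_mode`.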