archy/.claude/rules/containers.md
Dorian 07e46dce56 feat: add YAML frontmatter, bitcoin-conventions skill, path rules, and Gitea CI
- Added YAML frontmatter to all 8 polish-* skills and sweep skill
  so Claude can auto-invoke them
- New bitcoin-conventions skill with PROUX UX methodology, sats display,
  address validation, Tor preferences, Lightning patterns
- Path-specific rules for containers (security hardening) and frontend
  (Vue/glassmorphism conventions)
- Gitea Actions: nightly security review and weekly dependency audit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-15 12:35:17 +00:00

683 B

---
globs:
  - "**/container/**"
  - "**/manifest*"
  - "**/*podman*"
  - "**/Containerfile"
  - "**/Dockerfile"
---

# Container Security Rules (Archipelago)

- `readonly_root: true` always: containers must not write to their root filesystem (`--read-only` on the podman command line); a process that genuinely needs scratch space gets a `--tmpfs` mount instead
- Drop ALL capabilities and add back only what is required (`--cap-drop=ALL --cap-add=...`, e.g. `--cap-add=NET_BIND_SERVICE` for a service that binds a port below 1024)
- Run as a non-root user (UID > 1000): `--user 1001:1001`
- Set `--security-opt=no-new-privileges:true` so setuid binaries and file capabilities cannot raise privileges inside the container
- Pin image versions by SHA256 digest (`image@sha256:<digest>`); never use the `:latest` tag
- Mount secrets as read-only files (`podman secret` with `--secret`, or a `:ro` bind mount); avoid passing them as environment variables wherever possible, since environment variables show up in `podman inspect`, in `/proc/<pid>/environ` and in every child process
- Set memory and CPU limits on all containers (`--memory`, `--cpus`)
- Use `--network=none` unless network access is required
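The rules above applied from the shell, as an added example that is not part of the Archipelago repo: `hardened_podman_cmd` prints a `podman run` line that satisfies every rule, and `check_containerfile` lints a Containerfile for the two rules that can be checked statically (every `FROM` pinned by digest, final `USER` not root). The resource limits, the tmpfs size, the `PODMAN_CAPS` and `PODMAN_NETWORK` variable names and the placeholder all-zero digest in the comments are assumptions for the example, not settings taken from the repo.

```shell
#!/bin/sh
# Added example (not from the Archipelago repo): apply the container rules from
# the shell. Limits, UID, tmpfs size and the PODMAN_CAPS / PODMAN_NETWORK
# variable names are assumed values for illustration.

# Print a hardened `podman run` command for IMAGE, which must be digest-pinned.
# Extra capabilities come from PODMAN_CAPS (comma-separated, default: none);
# PODMAN_NETWORK overrides the default of no network; remaining arguments are
# the command to run inside the container (printed unquoted, for display).
hardened_podman_cmd() {
  image="$1"; shift
  case "$image" in
    *@sha256:*) ;;
    *) echo "refusing unpinned image: $image" >&2; return 1 ;;
  esac
  cmd="podman run --rm"
  cmd="$cmd --read-only --tmpfs /tmp:rw,nosuid,noexec,size=64m"  # readonly_root, scratch on tmpfs
  cmd="$cmd --cap-drop=ALL"                                       # drop everything first
  for cap in $(printf '%s' "${PODMAN_CAPS:-}" | tr ',' ' '); do
    cmd="$cmd --cap-add=$cap"                                     # add back only what is needed
  done
  cmd="$cmd --user 1001:1001"                                     # non-root, UID > 1000
  cmd="$cmd --security-opt=no-new-privileges:true"                # no setuid / fscaps escalation
  cmd="$cmd --memory=256m --cpus=0.5"                             # resource limits
  cmd="$cmd --network=${PODMAN_NETWORK:-none}"                    # no network unless required
  printf '%s %s' "$cmd" "$image"
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

# Lint FILE: every FROM must reference scratch, an earlier build stage, or an
# image pinned by a 64-hex-digit sha256 digest, and the last USER instruction
# must not be root or missing. Prints each finding; returns 1 if there were any.
check_containerfile() {
  file="$1"
  rc=0
  unpinned=$(awk '
    BEGIN { split("", stage) }
    toupper($1) == "FROM" {
      ref = ""
      for (i = 2; i <= NF; i++) if ($i !~ /^--/) { ref = $i; break }   # skip --platform=...
      n = split(ref, parts, "@sha256:")
      pinned = (n == 2 && length(parts[2]) == 64 && parts[2] ~ /^[0-9a-f]+$/)
      if (ref != "scratch" && !(ref in stage) && !pinned) print ref
      for (i = 2; i < NF; i++) if (toupper($i) == "AS") stage[$(i+1)] = 1  # remember stage aliases
    }' "$file")
  for ref in $unpinned; do
    echo "$file: FROM not pinned by digest: $ref"; rc=1
  done
  last_user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$file")
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "$file: final USER is root or unset (${last_user:-unset})"; rc=1 ;;
  esac
  return $rc
}

# Usage: sh container-rules.sh path/to/Containerfile
if [ $# -gt 0 ]; then
  check_containerfile "$1"
fi
```

`check_containerfile` only sees the build file, so the run-time rules (read-only root, capabilities, limits, network) are enforced by always launching through `hardened_podman_cmd` or an equivalent manifest; a stage alias referenced by a later `FROM` is accepted because the pinning was already checked on the stage's own `FROM` line.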