- Added YAML frontmatter to all 8 polish-* skills and sweep skill so Claude can auto-invoke them
- New bitcoin-conventions skill with PROUX UX methodology, sats display, address validation, Tor preferences, Lightning patterns
- Path-specific rules for containers (security hardening) and frontend (Vue/glassmorphism conventions)
- Gitea Actions: nightly security review and weekly dependency audit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
20 lines, 683 B, Markdown
---
globs:
  - "**/container/**"
  - "**/manifest*"
  - "**/*podman*"
  - "**/Containerfile"
  - "**/Dockerfile"
---

# Container Security Rules (Archipelago)

- `readonly_root: true` always — containers must not write to their root filesystem
- Drop ALL capabilities, add only what's required (`--cap-drop=ALL --cap-add=...`)
- Run as non-root user (UID > 1000): `--user 1001:1001`
- Set `--security-opt=no-new-privileges:true`
- Pin image versions by SHA256 digest, never use `:latest` tag
- Mount secrets as read-only files, never pass as environment variables when possible
- Set memory and CPU limits on all containers
- Use `--network=none` unless network access is required
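The rules above are stated one flag at a time; the following script, an added example that is not part of the Archipelago repository, assembles them into a single `podman run` argument list and refuses any image reference that is not pinned by a `sha256` digest. The container name, image reference, digest, memory/CPU values and secret path are constructed placeholders; `readonly_root: true` is rendered as podman's `--read-only` flag, and a small `--tmpfs` scratch mount is added because a read-only root otherwise breaks programs that expect a writable `/tmp`.

```shell
#!/bin/sh
# Added example (not from the Archipelago repo): build a hardened `podman run`
# argument list that follows the container security rules, and reject images
# that are not pinned by digest. All concrete values below are constructed.

# is_digest_pinned REF
#   Returns 0 if REF ends in "@sha256:<64 hex chars>", 1 otherwise.
#   A ":latest" (or any other mutable tag) reference fails this check.
is_digest_pinned() {
    printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# hardened_run_args NAME IMAGE
#   Prints one `podman run` argument per line, covering every rule:
#   read-only root, all capabilities dropped, non-root UID, no-new-privileges,
#   digest-pinned image, secrets mounted read-only, resource limits, no network.
#   Fails (exit 1) without printing anything if IMAGE is not digest-pinned.
hardened_run_args() {
    name=$1
    image=$2
    if ! is_digest_pinned "$image"; then
        echo "refusing image that is not pinned by sha256 digest: $image" >&2
        return 1
    fi
    printf '%s\n' \
        "--name=$name" \
        "--read-only" \
        "--tmpfs=/tmp:rw,noexec,nosuid,size=64m" \
        "--cap-drop=ALL" \
        "--user=1001:1001" \
        "--security-opt=no-new-privileges:true" \
        "--memory=256m" \
        "--cpus=0.5" \
        "--network=none" \
        "--volume=/run/secrets/$name:/run/secrets:ro" \
        "$image"
}

# Constructed placeholder image reference; the digest is the SHA-256 of the
# empty string, used here only because it has the right shape (64 hex chars).
DEMO_IMAGE='registry.example.invalid/archipelago/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Stand-alone demo: print the command that would be run (podman is not invoked).
echo "podman run \\"
hardened_run_args app "$DEMO_IMAGE" | sed 's/^/    /'
```

To actually start the container you would pass the printed list straight to podman (`podman run $(hardened_run_args app "$IMAGE")`); keeping the argument builder as a function lets a CI job or a pre-commit hook diff the generated flags against the policy instead of hand-auditing each manifest.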