Merge pull request 'fix: vision(#623): disinto-chat sandbox hardening (#706)' (#724) from fix/issue-706 into main
This commit is contained in:
commit
cf4e9983c2
4 changed files with 140 additions and 4 deletions
@ -475,14 +475,23 @@ services:
|
|||
|
||||
# Chat container — Claude chat UI backend (#705)
|
||||
# Internal service only; edge proxy routes to chat:8080
|
||||
# Sandbox hardened per #706 — no docker.sock, read-only rootfs, minimal caps
|
||||
chat:
|
||||
build:
|
||||
context: ./docker/chat
|
||||
dockerfile: Dockerfile
|
||||
container_name: disinto-chat
|
||||
restart: unless-stopped
|
||||
read_only: true
|
||||
tmpfs:
|
||||
- /tmp:size=64m
|
||||
security_opt:
|
||||
- apparmor=unconfined
|
||||
- no-new-privileges:true
|
||||
cap_drop:
|
||||
- ALL
|
||||
pids_limit: 128
|
||||
mem_limit: 512m
|
||||
memswap_limit: 512m
|
||||
volumes:
|
||||
# Mount claude binary from host (same as agents)
|
||||
- CLAUDE_BIN_PLACEHOLDER:/usr/local/bin/claude:ro
|
||||
|
|
|
|||
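Review bot: `- apparmor=unconfined` under `security_opt:` switches off the default `docker-default` AppArmor profile, which contradicts the "Sandbox hardened per #706" comment at the top of this hunk; `read_only`, `cap_drop: ALL` and `no-new-privileges` do not replace the mount, ptrace and /proc restrictions that profile supplies. Unless a specific denial forced it, delete that line so the default profile applies, and if it must stay, record why: `# apparmor=unconfined: <reason / denial seen> — revisit (#706)`. The tmpfs line could also be tightened to `- /tmp:size=64m,noexec,nosuid` so the only writable area cannot be used to stage executables. The `CLAUDE_BIN_PLACEHOLDER:` volume source is a bare name, so if the substitution step ever fails Compose silently creates an empty named volume rather than erroring; worth confirming the deploy script guards against that. The hunk header advertises 23 new lines but only 17 are visible here, so the rest of the `chat` service definition is outside this view.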