- Add CLAWDBOT_ENABLE_SSH build arg to optionally install OpenSSH server
- Add SSH_AUTHORIZED_KEYS build arg to configure authorized keys
- Add docker-entrypoint.sh that clears stale session locks on startup
- Install gosu for secure privilege dropping (runs as node user)
- SSH access uses key-based auth only, no root login, only node user allowed
To build with SSH enabled:
docker build --build-arg CLAWDBOT_ENABLE_SSH=true \
--build-arg SSH_AUTHORIZED_KEYS="ssh-ed25519 AAAA... user@host" .
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning
Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>