Fixes#4130
When running as the non-root 'node' user in Docker, npm global
installs fail with EACCES errors because /usr/local/lib/node_modules
is owned by root.
This commit configures npm to use a user-writable directory
(/home/node/.npm-global) for global packages, allowing skills like
bird (@steipete/bird) to install successfully.
Changes:
- Set npm prefix to /home/node/.npm-global after USER node directive
- Add the new npm global bin directory to PATH
This follows Docker best practices for npm global installs in
non-root containers and fixes all npm-based skill installations.
- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning
Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
