When the gateway runs inside a Docker container and creates sandbox
containers, volume mount paths need to be host paths, not container paths.
Changes:
- Add remapPathForDinD() function to remap container paths to host paths
- Add CLAWDBOT_SANDBOX_HOST_CONFIG_DIR and CLAWDBOT_SANDBOX_HOST_WORKSPACE_DIR
environment variables to docker-compose.yml
- Use path remapping in both sandbox container and browser sandbox creation
- Add Docker CLI to gateway Dockerfile for Docker-in-Docker support
The path remapping is a no-op when the environment variables are not set,
so bare metal installations are unaffected.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning
Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
