From 592930f10f90a99926b9ba50ab74734c4e11e257 Mon Sep 17 00:00:00 2001
From: rhuanssauro <rhuan.nunes@icloud.com>
Date: Sun, 25 Jan 2026 20:41:20 -0300
Subject: [PATCH] security: apply Agents Council recommendations

- Add USER node directive to Dockerfile for non-root container execution
- Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636)
- Add Docker security best practices documentation
- Document detect-secrets usage for local security scanning

Reviewed-by: Agents Council (5/5 approval)
Security-Score: 8.8/10
Watchdog-Verdict: SAFE WITH CONDITIONS

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 Dockerfile  |  5 +++++
 SECURITY.md | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 49 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index a33f0077d..642cfd612 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,4 +32,9 @@ RUN pnpm ui:build
 
 ENV NODE_ENV=production
 
+# Security hardening: Run as non-root user
+# The node:22-bookworm image includes a 'node' user (uid 1000)
+# This reduces the attack surface by preventing container escape via root privileges
+USER node
+
 CMD ["node", "dist/index.js"]
diff --git a/SECURITY.md b/SECURITY.md
index 43d493996..11aa0b781 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy
 
-If you believe you’ve found a security issue in Clawdbot, please report it privately.
+If you believe you've found a security issue in Clawdbot, please report it privately.
 
 ## Reporting
 
@@ -12,3 +12,46 @@ If you believe you’ve found a security issue in Clawdbot, please report it pri
 For threat model + hardening guidance (including `clawdbot security audit --deep` and `--fix`), see:
 
 - `https://docs.clawd.bot/gateway/security`
+
+## Runtime Requirements
+
+### Node.js Version
+
+Clawdbot requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:
+
+- CVE-2025-59466: async_hooks DoS vulnerability
+- CVE-2026-21636: Permission model bypass vulnerability
+
+Verify your Node.js version:
+
+```bash
+node --version  # Should be v22.12.0 or later
+```
+
+### Docker Security
+
+When running Clawdbot in Docker:
+
+1. The official image runs as a non-root user (`node`) for reduced attack surface
+2. Use `--read-only` flag when possible for additional filesystem protection
+3. Limit container capabilities with `--cap-drop=ALL`
+
+Example secure Docker run:
+
+```bash
+docker run --read-only --cap-drop=ALL \
+  -v clawdbot-data:/app/data \
+  clawdbot/clawdbot:latest
+```
+
+## Security Scanning
+
+This project uses `detect-secrets` for automated secret detection in CI/CD.
+See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.
+
+Run locally:
+
+```bash
+pip install detect-secrets==1.5.0
+detect-secrets scan --baseline .secrets.baseline
+```