From 3796cfca872c841e6fd6e7091de415c747f44fd1 Mon Sep 17 00:00:00 2001
From: Mathias Bergqvist
Date: Mon, 20 Apr 2026 20:27:42 +0200
Subject: [PATCH] fix: add .dockerignore and non-root USER to Dockerfile

---
 .dockerignore | 10 ++++++++++
 Dockerfile | 5 +++++
 2 files changed, 15 insertions(+)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6461b26
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,10 @@
+.git
+.gitea
+.worktrees
+.DS_Store
+*.log
+.env*
+.vscode
+.idea
+bin/
+brain/
diff --git a/Dockerfile b/Dockerfile
index 59746ce..ebbab6c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,9 @@ COPY --from=builder /out/supervisor /usr/local/bin/supervisor
 # Bake in config (models.yaml + skill discipline files)
 COPY config/ /app/config/
 
+# Run as non-root
+RUN groupadd -r supervisor && useradd -r -g supervisor -d /app supervisor
+
 WORKDIR /app
 
 # brain/ is writable state — mount a PersistentVolume here
@@ -40,6 +43,8 @@ ENV SUPERVISOR_BRAIN_DIR=/app/brain
 ENV SUPERVISOR_SESSIONS_DIR=/app/brain/sessions
 ENV SUPERVISOR_PORT=3200
 
+USER supervisor
+
 EXPOSE 3200
 
 ENTRYPOINT ["/usr/local/bin/supervisor"]
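Review bot: The entries `.DS_Store`, `*.log` and `.env*` in the new `.dockerignore` are matched against paths relative to the build-context root, so they exclude only top-level files. A file of that kind nested under `config/` would still be sent to the daemon and, through the Dockerfile's `COPY config/ /app/config/`, baked into the image. Anchor them at any depth instead: `**/.env*`, `**/*.log`, `**/.DS_Store`. Whether such nested files exist in this repository is not visible from the patch.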
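Review bot: No fixed UID/GID is assigned by the added `RUN groupadd -r supervisor && useradd -r -g supervisor -d /app supervisor`, and the `USER supervisor` added in the second Dockerfile hunk refers to the account by name. The context comment mentions a PersistentVolume, so this image presumably runs on Kubernetes, where a pod with `runAsNonRoot: true` cannot verify a non-numeric image user and will not start the container. Volume ownership via `fsGroup` also needs a stable id. Pin the ids and reference them numerically, e.g. `RUN groupadd -r -g 10001 supervisor && useradd -r -u 10001 -g supervisor -d /app supervisor` and `USER 10001:10001` (10001 is a placeholder value).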
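Review bot: Once `USER supervisor` takes effect the entrypoint can no longer write to root-owned paths, and nothing visible in this patch gives the new account ownership of `/app/brain`, which `SUPERVISOR_BRAIN_DIR` and `SUPERVISOR_SESSIONS_DIR` point at. The Dockerfile lines between the two hunks are not shown, so this may already be handled; if it is not, add `RUN mkdir -p /app/brain/sessions && chown -R supervisor:supervisor /app/brain` before the `USER` line. A mounted volume brings its own ownership at runtime, so the deployment manifest still needs a matching `fsGroup` or pre-set ownership for the state directory to be writable.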