fix: run Docker container as non-root user (closes #34)

- Switch to gcr.io/distroless/cc-debian12:nonroot - Add explicit USER 65534:65534 directive - Add Docker security CI job verifying non-root UID, :nonroot base, and USER directive - Document CIS Docker Benchmark compliance in SECURITY.md - Add tests and edge cases for container security
2026-02-14 13:16:33 -05:00 · 2026-02-14 13:16:33 -05:00 · 76074cb789
commit 76074cb789
parent cc08f4bfff
14 changed files with 2270 additions and 168 deletions
--- a/src/gateway/mod.rs
+++ b/src/gateway/mod.rs
@ -240,7 +240,17 @@ async fn handle_request(

        // WhatsApp incoming message webhook
        ("POST", "/whatsapp") => {
-            handle_whatsapp_message(stream, request, provider, model, temperature, mem, auto_save, whatsapp).await;
+            handle_whatsapp_message(
+                stream,
+                request,
+                provider,
+                model,
+                temperature,
+                mem,
+                auto_save,
+                whatsapp,
+            )
+            .await;
        }

        ("POST", "/webhook") => {
@ -770,10 +780,7 @@ mod tests {
    #[test]
    fn urlencoding_decode_challenge_token() {
        // Typical Meta webhook challenge
-        assert_eq!(
-            urlencoding_decode("1234567890"),
-            "1234567890"
-        );
+        assert_eq!(urlencoding_decode("1234567890"), "1234567890");
    }

    #[test]