From c8aee8cd676754b818d0cb65a3200764e74eb5ea Mon Sep 17 00:00:00 2001
From: nightcityblade
Date: Mon, 22 Jun 2026 23:13:57 +0800
Subject: [PATCH] fix(docker): make read-only tmpfs writable

---
 deploy/docker/tests/test_security_container_posture.py | 10 ++++++++++
 docker-compose.yml                                     |  9 ++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/deploy/docker/tests/test_security_container_posture.py b/deploy/docker/tests/test_security_container_posture.py
index 46c032db5..c0317e9a9 100644
--- a/deploy/docker/tests/test_security_container_posture.py
+++ b/deploy/docker/tests/test_security_container_posture.py
@@ -93,6 +93,16 @@ def test_no_host_dev_shm_bind(self, compose):
     def test_pids_limit(self, compose):
         assert "pids_limit" in compose
 
+    def test_read_only_runtime_tmpfs_are_appuser_owned(self, compose):
+        assert "/var/lib/redis:uid=999,gid=999,mode=0700" in compose
+        assert "/var/lib/crawl4ai/outputs:uid=999,gid=999,mode=0700" in compose
+        assert "/home/appuser/.crawl4ai:uid=999,gid=999,mode=0700" in compose
+        assert "/home/appuser/.gunicorn:uid=999,gid=999,mode=0700" in compose
+
+    def test_playwright_cache_is_not_shadowed(self, compose):
+        assert "/home/appuser/.cache\n" not in compose
+        assert "/home/appuser/.cache/url_seeder:uid=999,gid=999,mode=0700" in compose
+
 
 class TestEntrypoint:
     def test_entrypoint_exists_and_resolves_bind(self):
diff --git a/docker-compose.yml b/docker-compose.yml
index 1355439f1..1cd87ad93 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
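Review bot: `test_playwright_cache_is_not_shadowed` only rejects the exact text `"/home/appuser/.cache\n"`, so a tmpfs entry such as `- /home/appuser/.cache:uid=999,gid=999,mode=0700` (or the same line with a trailing space or CRLF ending) would still mount over the baked ms-playwright directory and the test would pass; the guard should match the mount path, not one spelling of the line. Since `compose` appears to be the raw file text (the other tests use `in compose` substring checks), the cheapest robust form is to collect every list-entry path before its first `:` and assert `/home/appuser/.cache` is not among them, as sketched below; parsing the YAML and walking `x-base-config.tmpfs` would be stricter still if a parser is already available to the fixture. The same substring-fragility applies to `test_read_only_runtime_tmpfs_are_appuser_owned`, which would not notice a second, unowned entry for the same path being added. The enclosing test class begins above this hunk.
```python
    def test_playwright_cache_is_not_shadowed(self, compose):
        # Any list entry that mounts exactly ~/.cache hides the baked Playwright browser,
        # whatever tmpfs options follow the path.
        mounted_paths = {
            line.strip().lstrip("- ").split(":", 1)[0]
            for line in compose.splitlines()
            if line.strip().startswith("- /")
        }
        assert "/home/appuser/.cache" not in mounted_paths
        assert "/home/appuser/.cache/url_seeder:uid=999,gid=999,mode=0700" in compose
```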
@@ -29,9 +29,12 @@ x-base-config: &base-config
     read_only: true
     tmpfs:
       - /tmp
-      - /var/lib/redis
-      - /var/lib/crawl4ai/outputs:mode=0700
-      - /home/appuser/.cache
+      - /var/lib/redis:uid=999,gid=999,mode=0700
+      - /var/lib/crawl4ai/outputs:uid=999,gid=999,mode=0700
+      - /home/appuser/.crawl4ai:uid=999,gid=999,mode=0700
+      # Keep the baked Playwright browser under ~/.cache/ms-playwright visible.
+      - /home/appuser/.cache/url_seeder:uid=999,gid=999,mode=0700
+      - /home/appuser/.gunicorn:uid=999,gid=999,mode=0700
     deploy:
       resources:
         limits:
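Review bot: The five new tmpfs entries fix ownership and mode but set no `size=`, so each mount can grow until the container's memory limit under `deploy.resources.limits` (just below the hunk) is hit; a runaway writer to `/var/lib/crawl4ai/outputs` or `/var/lib/redis` therefore takes the whole service down with it instead of failing with ENOSPC on that one path. A per-mount cap such as `- /var/lib/crawl4ai/outputs:uid=999,gid=999,mode=0700,size=512m` (example value, to be sized to real output volume) keeps a read-only root from becoming an unbounded RAM sink; `/tmp` is left at its defaults and deserves the same treatment. The literal `uid=999,gid=999` is repeated five times and presumably mirrors the appuser created in the image's Dockerfile, which is not visible here; a one-line comment above the list, `# uid/gid 999 must match the appuser created in the Dockerfile; a mismatch makes these mounts unwritable`, would stop a later uid change from silently breaking the read-only runtime. Moving `/var/lib/redis` onto tmpfs also means any Redis persistence is lost on restart, which is fine if intended but worth stating in the commit message.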