unclecode · nightcityblade · Jun 22, 2026
diff --git a/deploy/docker/tests/test_security_container_posture.py b/deploy/docker/tests/test_security_container_posture.py
@@ -93,6 +93,16 @@ def test_no_host_dev_shm_bind(self, compose):
     def test_pids_limit(self, compose):
         assert "pids_limit" in compose
 
+    def test_read_only_runtime_tmpfs_are_appuser_owned(self, compose):
+        assert "/var/lib/redis:uid=999,gid=999,mode=0700" in compose
+        assert "/var/lib/crawl4ai/outputs:uid=999,gid=999,mode=0700" in compose
+        assert "/home/appuser/.crawl4ai:uid=999,gid=999,mode=0700" in compose
+        assert "/home/appuser/.gunicorn:uid=999,gid=999,mode=0700" in compose
+
+    def test_playwright_cache_is_not_shadowed(self, compose):
+        assert "/home/appuser/.cache\n" not in compose
+        assert "/home/appuser/.cache/url_seeder:uid=999,gid=999,mode=0700" in compose
+
 
 class TestEntrypoint:
     def test_entrypoint_exists_and_resolves_bind(self):

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -29,9 +29,12 @@ x-base-config: &base-config
   read_only: true
   tmpfs:
     - /tmp
-    - /var/lib/redis
-    - /var/lib/crawl4ai/outputs:mode=0700
-    - /home/appuser/.cache
+    - /var/lib/redis:uid=999,gid=999,mode=0700
+    - /var/lib/crawl4ai/outputs:uid=999,gid=999,mode=0700
+    - /home/appuser/.crawl4ai:uid=999,gid=999,mode=0700
+    # Keep the baked Playwright browser under ~/.cache/ms-playwright visible.
+    - /home/appuser/.cache/url_seeder:uid=999,gid=999,mode=0700
+    - /home/appuser/.gunicorn:uid=999,gid=999,mode=0700
   deploy:
     resources:
       limits: