familienarchiv/docker-compose.yml
Marcel ab24786d2a security(ocr): harden compose — fix cache volume path, add read_only + cap_drop
Move ocr_cache mount from /root/.cache to /app/cache (correct path for
non-root user). Add HF_HOME so Hugging Face resolves to the same path.
Add runtime hardening: read_only, tmpfs /tmp (512 MB cap), cap_drop ALL,
no-new-privileges.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 16:47:18 +02:00

7.2 KiB
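An added example, not code from this repository: a small audit that checks one compose service for the settings the commit message names (read_only, a size-capped tmpfs on /tmp, cap_drop ALL, no-new-privileges, cache volume outside /root, HF_HOME on the mounted path). It assumes the service is given in the normalized JSON form printed by `docker compose config --format json`; `audit_service` and both sample services are constructed for illustration.

```python
import json

def audit_service(svc):
    """Return hardening findings for one service of normalized compose JSON."""
    findings = []
    read_only = svc.get("read_only") is True
    if not read_only:
        findings.append("root filesystem is writable (read_only not set)")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop") or []]:
        findings.append("cap_drop does not include ALL")
    opts = [o.replace("=", ":") for o in svc.get("security_opt") or []]
    if not {"no-new-privileges", "no-new-privileges:true"} & set(opts):
        findings.append("no-new-privileges not set")
    tmpfs = svc.get("tmpfs") or []
    tmpfs = [tmpfs] if isinstance(tmpfs, str) else tmpfs
    tmp = [t for t in tmpfs if t.split(":")[0] == "/tmp"]
    if read_only and not tmp:
        findings.append("read_only without a tmpfs on /tmp")
    elif tmp and "size=" not in tmp[0]:
        findings.append("tmpfs on /tmp has no size cap")
    # Mount targets; a non-root user cannot normally write below /root.
    targets = [v["target"].rstrip("/") for v in svc.get("volumes") or []
               if v.get("target")]
    for t in targets:
        if t == "/root" or t.startswith("/root/"):
            findings.append(f"volume mounted under /root: {t}")
    # With a read-only root, HF_HOME must point into a mounted volume.
    hf_home = (svc.get("environment") or {}).get("HF_HOME")
    if hf_home and not any(hf_home == t or hf_home.startswith(t + "/")
                           for t in targets):
        findings.append(f"HF_HOME={hf_home} is not on a mounted volume")
    return findings

# Constructed samples (not the repository's file): service before and after.
BEFORE = json.loads("""{"volumes": [
  {"type": "volume", "source": "ocr_cache", "target": "/root/.cache"}]}""")
AFTER = json.loads("""{"read_only": true, "tmpfs": ["/tmp:size=512m"],
  "cap_drop": ["ALL"], "security_opt": ["no-new-privileges:true"],
  "environment": {"HF_HOME": "/app/cache"},
  "volumes": [
  {"type": "volume", "source": "ocr_cache", "target": "/app/cache"}]}""")

if __name__ == "__main__":
    for name, svc in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_service(svc) or "ok")
```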