marcel

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:29:11 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🧪 Sara Holt — QA Engineer & Test Strategist

Verdict: ⚠️ Approved with concerns

Test coverage summary

Two new test files, four new tests:

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:28:56 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🔐 Nora "NullX" Steiner — Application Security Engineer

Verdict: ✅ Approved

This PR implements CIS Docker Benchmark §4.1 (non-root) and §4.6 (read-only filesystem). I reviewed it…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:28:41 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

📋 Elicit — Requirements Engineer

Verdict: ✅ Approved

Traceability assessment

The PR closes issue #459. Based on the stated requirements for non-root OCR container operation, I…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:28:29 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🚀 Tobias Wendt — DevOps & Platform Engineer

Verdict: ⚠️ Approved with concerns

What was done well

The hardening block is correct:

read_only: true
tmpfs:
  - /tmp:size=512m
…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:28:13 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

TDD evidence

Commits confirm the red/green order: test(ocr): add startup root canary tests precedes `security(o…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 18:28:01 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🏛️ Markus Keller — Senior Application Architect

Verdict: ✅ Approved

What I checked

ADR-019 is well-formed and follows the established format: context, decision, consequences,…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:44:09 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

Review concerns addressed — commit `7769dbc9`

All blockers from the second-round review (Tobias 🚫, Nora 🚫, Elicit 🚫) have been resolved.

`docker-compose.prod.yml` — OCR service fully…

marcel pushed to feat/issue-459-ocr-non-root at marcel/familienarchiv

2026-05-17 17:43:59 +02:00

7769dbc9f4 security(ocr): apply container hardening baseline to docker-compose.prod.yml

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:40:33 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: ✅ Approved

No .svelte files, no CSS or design tokens, no frontend routes, no i18n strings, no user-facing components…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:40:29 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

📋 Elicit — Requirements Engineer

Verdict: 🚫 Changes requested

Issue #459 requirements are met. One non-functional requirement gap has been introduced.

Blocker: Production upgrade…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:40:16 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🧪 Sara Holt — Senior QA Engineer

Verdict: ✅ Approved

Test quality is significantly improved over the first review cycle. The previous assertion blocker is resolved.

What's…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:40:07 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

👨‍💻 Felix Brandt — Senior Fullstack Developer

Verdict: ✅ Approved

TDD evidence is present and the implementation code is clean. The previous review cycle addressed all blockers.

###…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:39:55 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🔐 Nora "NullX" Steiner — Application Security Engineer

Verdict: 🚫 Changes requested

The security controls are correct and well-implemented in the dev compose. The problem is that…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:39:36 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🛠️ Tobias Wendt — DevOps & Platform Engineer

Verdict: 🚫 Changes requested

The dev hardening is production-grade. The problem is it never reaches production.

Blocker: `docker-compos…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:39:24 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🏗️ Markus Keller — Senior Application Architect

Verdict: ⚠️ Approved with concerns

This PR is a self-contained infrastructure hardening of an existing sidecar. No layer boundaries are…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:34:22 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

Review concerns addressed

All open blockers and suggestions from the review have been resolved. Summary:

✅ @Felix / @Sara — Blocker: vacuous assertion in `test_htrmopo_dir_default_i…

marcel pushed to feat/issue-459-ocr-non-root at marcel/familienarchiv

2026-05-17 17:33:58 +02:00

74ca5ee35f docs(adr): ADR-019 — container hardening baseline (non-root + read-only)

38973a014e docs: add XDG_CACHE_HOME/TORCH_HOME to OCR env table and upgrade notes for PR #611

fc8b4b164b security(ocr): redirect XDG cache and Torch home away from read-only HOME

eb63df2000 test(ocr): add startup root canary tests for main.py lifespan

53bd574660 test(ocr): replace vacuous startswith assertion with equality check

Compare 5 commits »

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:03:20 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🎨 Leonie Voss — UX Designer & Accessibility Strategist

Verdict: ✅ Approved

No .svelte files, no CSS, no frontend components, no routes, no i18n strings. This PR touches only the OCR…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:03:17 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🧪 Sara Holt — Senior QA Engineer

Verdict: ⚠️ Approved with concerns

Tests are present, isolation is correct, cleanup reloads are in place. One test assertion is functionally broken and…

marcel commented on pull request marcel/familienarchiv#611

2026-05-17 17:03:05 +02:00

security(ocr): run OCR container as non-root user (CIS Docker §4.1)

🔐 Nora "NullX" Steiner — Application Security Engineer

Verdict: ⚠️ Approved with concerns

This is textbook CIS Docker §4.1 hardening — non-root user, read-only filesystem, dropped…

🧪 Sara Holt — QA Engineer & Test Strategist

Test coverage summary

🔐 Nora "NullX" Steiner — Application Security Engineer

📋 Elicit — Requirements Engineer

Traceability assessment

🚀 Tobias Wendt — DevOps & Platform Engineer

What was done well

👨‍💻 Felix Brandt — Senior Fullstack Developer

TDD evidence

🏛️ Markus Keller — Senior Application Architect

What I checked

Review concerns addressed — commit 7769dbc9

docker-compose.prod.yml — OCR service fully…

🎨 Leonie Voss — UX Designer & Accessibility Strategist

📋 Elicit — Requirements Engineer

Blocker: Production upgrade…

🧪 Sara Holt — Senior QA Engineer

What's…

👨‍💻 Felix Brandt — Senior Fullstack Developer

🔐 Nora "NullX" Steiner — Application Security Engineer

🛠️ Tobias Wendt — DevOps & Platform Engineer

Blocker: `docker-compos…

🏗️ Markus Keller — Senior Application Architect

Review concerns addressed

✅ @Felix / @Sara — Blocker: vacuous assertion in `test_htrmopo_dir_default_i…

🎨 Leonie Voss — UX Designer & Accessibility Strategist

🧪 Sara Holt — Senior QA Engineer

🔐 Nora "NullX" Steiner — Application Security Engineer

Review concerns addressed — commit `7769dbc9`

`docker-compose.prod.yml` — OCR service fully…