fix: mount project root read-only to prevent container escape (#392)

The main group's project root was mounted read-write, allowing the container agent to modify host application code (e.g. dist/container-runner.js) to inject arbitrary mounts on next restart — a full sandbox escape. Fix: mount the project root read-only. Writable paths the agent needs (group folder, IPC, .claude/) are already mounted separately. The agent-runner source is now copied into a per-group writable location so agents can still customize container-side behavior without affecting host code or other groups. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-22 20:57:57 +02:00
parent ef00320018
commit 5fb10645cd
3 changed files with 22 additions and 9 deletions
--- a/groups/main/CLAUDE.md
+++ b/groups/main/CLAUDE.md
@@ -61,11 +61,11 @@ This is the **main channel**, which has elevated privileges.

 ## Container Mounts

-Main has access to the entire project:
+Main has read-only access to the project and read-write access to its group folder:

 | Container Path | Host Path | Access |
 |----------------|-----------|--------|
-| `/workspace/project` | Project root | read-write |
+| `/workspace/project` | Project root | read-only |
 | `/workspace/group` | `groups/main/` | read-write |

 Key paths inside the container: