From fef21fd39ae8af2c105f6aa51d1b1534fc3306ae Mon Sep 17 00:00:00 2001 From: Lucas Berger Date: Tue, 3 Feb 2026 08:48:37 -0500 Subject: [PATCH] fix(07): revise plans based on checker feedback - Plan 02: Added Task 4 (checkpoint:human-action) to remove docker.sock volume mount from n8n container after verifying proxy works - Plan 02: Added must_have truth for docker.sock removal (SEC-02 complete) - Plan 03: Removed "Create API returns 403" from must_haves - container create is intentionally ALLOWED for update command functionality - Plan 03: Added rationale explaining why container create is needed - Clarified that blocked APIs are: exec, build, commit (not create) Co-Authored-By: Claude Opus 4.5 --- .../phases/07-socket-security/07-02-PLAN.md | 46 ++++++++++++++++--- .../phases/07-socket-security/07-03-PLAN.md | 27 ++++++----- 2 files changed, 55 insertions(+), 18 deletions(-) diff --git a/.planning/phases/07-socket-security/07-02-PLAN.md b/.planning/phases/07-socket-security/07-02-PLAN.md index 4e3cb7f..00136bd 100644 --- a/.planning/phases/07-socket-security/07-02-PLAN.md +++ b/.planning/phases/07-socket-security/07-02-PLAN.md @@ -11,6 +11,7 @@ must_haves: truths: - "All bot commands work through proxy (status, start, stop, restart, update, logs)" - "n8n no longer references direct Docker socket in curl commands" + - "n8n container no longer has docker.sock volume mount" - "Dangerous API calls return blocked error message" artifacts: - path: "n8n-workflow.json" 
@@ -24,10 +25,10 @@ must_haves: --- -Migrate all n8n workflow curl commands from direct Docker socket to proxy. +Migrate all n8n workflow curl commands from direct Docker socket to proxy, then remove direct socket access. -Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n. -Output: Updated n8n-workflow.json with all 16 curl commands migrated to use proxy endpoint. +Purpose: Route all Docker API calls through the filtered proxy, removing direct socket access from n8n entirely (both in curl commands and volume mount). +Output: Updated n8n-workflow.json with all curl commands migrated to use proxy endpoint, and n8n container no longer mounting docker.sock. @@ -57,14 +58,14 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox FROM: `--unix-socket /var/run/docker.sock 'http://localhost/` TO: `--max-time 5 'http://docker-socket-proxy:2375/` - **Commands to update (16 total):** + **Commands to update (all Docker API calls):** 1. Container list: `curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.47/containers/json?all=true'` 2. Container inspect: Uses template `http://localhost/v1.47/containers/${containerId}/json` 3. Image inspect: Uses template `http://localhost/v1.47/images/${imageName}/json` 4. Image pull: Uses template with POST to `images/create?fromImage=` 5. Start/stop/restart: Uses template `containers/${containerId}/${action}` 6. Container delete: Uses template `containers/${containerId}` with DELETE - 7. Container create: Uses POST with JSON body to `containers/create` + 7. Container create: Uses POST with JSON body to `containers/create` (needed for update command) 8. Container logs: Uses `containers/${containerId}/logs` **Also update error handling in JavaScript nodes:** 
@@ -127,6 +128,37 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox Type "all commands working" or describe which commands failed + + Task 4: Remove docker.sock Volume Mount from n8n Container + + Now that all commands work through the proxy, remove the direct Docker socket access from n8n. + + **Steps:** + 1. Open Unraid web UI > Docker tab + 2. Click on the n8n container + 3. Click "Edit" + 4. Find the volume mapping for `/var/run/docker.sock` + 5. Remove this volume mapping entirely + 6. Click "Apply" to recreate the container + + **Why this is safe:** + - All curl commands now use the proxy (verified in Task 3) + - The socket mount is no longer needed + - Removing it prevents any bypass of the proxy + + **What to expect:** + - n8n container will restart + - All bot commands should still work (they use the proxy now) + - If any command breaks, the socket mount can be re-added temporarily + + + 1. n8n container no longer shows docker.sock in its volume mappings + 2. Test one bot command (e.g., "status") to confirm it still works + + n8n no longer has direct Docker socket access + Confirm: "docker.sock mount removed, commands still work" or describe any issues + + @@ -135,12 +167,14 @@ Output: Updated n8n-workflow.json with all 16 curl commands migrated to use prox 3. Timeouts added to curl commands (except long-running image pull) 4. Error handling includes 403 response handling 5. All 6 bot commands work via Telegram +6. n8n container no longer has docker.sock volume mount - Zero unix-socket references in workflow - All bot commands functional through proxy -- User confirms "all commands working" +- n8n container has no docker.sock volume mapping +- User confirms "all commands working" and "docker.sock mount removed" diff --git a/.planning/phases/07-socket-security/07-03-PLAN.md b/.planning/phases/07-socket-security/07-03-PLAN.md index 86adb9c..885ec23 100644 --- a/.planning/phases/07-socket-security/07-03-PLAN.md 
+++ b/.planning/phases/07-socket-security/07-03-PLAN.md @@ -11,7 +11,7 @@ must_haves: truths: - "Exec API endpoint returns 403 Forbidden" - "Build API endpoint returns 403 Forbidden" - - "Create (new container) API endpoint returns 403 Forbidden" + - "Commit API endpoint returns 403 Forbidden" artifacts: [] key_links: - from: "n8n/curl" @@ -23,7 +23,7 @@ must_haves: Verify that dangerous Docker APIs are blocked by the proxy. -Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, create, build). +Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, build, commit). Note: Container create is intentionally ALLOWED because the update command needs it to recreate containers with new images. Output: Documented proof that blocked endpoints return 403 Forbidden. 
@@ -85,31 +85,34 @@ Output: Documented proof that blocked endpoints return 403 Forbidden. Document the security posture achieved: - **Allowed operations:** + **Allowed operations (required for bot functionality):** - List containers (GET /containers/json) - Inspect container (GET /containers/{id}/json) - Start container (POST /containers/{id}/start) - Stop container (POST /containers/{id}/stop) - Restart container (POST /containers/{id}/restart) - Remove container (DELETE /containers/{id}) + - Create container (POST /containers/create) - needed for update command - List images (GET /images/json) - Inspect image (GET /images/{id}/json) - Pull image (POST /images/create) - - Create container (POST /containers/create) - Get logs (GET /containers/{id}/logs) - **Blocked operations:** - - Execute commands inside containers (POST /containers/{id}/exec) - - Build images (POST /build) - - Commit containers to images (POST /commit) - - Manage secrets (POST /secrets/*) - - Authentication operations + **Blocked operations (security threat):** + - Execute commands inside containers (POST /containers/{id}/exec) - blocks container escape + - Build images (POST /build) - blocks malicious image creation + - Commit containers to images (POST /commit) - blocks image tampering + - Manage secrets (POST /secrets/*) - blocks secret access + - Authentication operations - blocks credential theft **Security benefit:** Even if n8n is compromised, an attacker cannot: - Execute arbitrary commands inside containers (no container escape) - Build malicious images - Access Docker secrets + + **Why container create is allowed:** + The update command works by: pulling new image -> deleting old container -> creating new container with new image. Container create is necessary for this legitimate workflow operation. The risk of arbitrary container creation is mitigated by the fact that n8n workflow logic controls what containers are created, not external input. Documentation captured in plan summary 
@@ -127,8 +130,8 @@ Output: Documented proof that blocked endpoints return 403 Forbidden. -- All three dangerous endpoints confirmed blocked -- Security posture documented +- All three dangerous endpoints confirmed blocked (exec, build, commit) +- Security posture documented with rationale for allowed operations
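Review bot: The new truth "n8n container no longer has docker.sock volume mount" in the 07-02 must_haves hunk has no verification method attached, unlike the curl-command truths, which can be checked by grepping n8n-workflow.json; suggest pairing it with a concrete check such as `docker inspect n8n --format '{{json .Mounts}}'` showing no `/var/run/docker.sock` entry, so the checker can confirm SEC-02 from the running container rather than from the UI.

Review bot: Dropping "16" from "Output: Updated n8n-workflow.json with all curl commands migrated" in the Purpose/Output hunk removes the only countable completion criterion the plan had; if the count is no longer trusted, replace it with the measurable condition already used in the done criteria ("Zero unix-socket references in workflow") rather than an open-ended "all".

Review bot: The rollback line in the Task 4 hunk, "If any command breaks, the socket mount can be re-added temporarily", reintroduces the SEC-02 regression with no owner or exit condition; suggest stating that re-adding the mount reopens the must_have truth and requires a follow-up task. The verification step should also confirm the mount is gone with `docker inspect` rather than only the Unraid UI, and item 2 tests only "status", a read-only GET; exercise a write command such as "restart" as well, since those are the calls most likely to behave differently through the proxy.

Review bot: Replacing the create truth with the commit truth in the 07-03 must_haves hunk silently drops any must_have about `/containers/create`; add a truth recording that create is intentionally allowed and what about it is verified, otherwise the checker has nothing to hold the deliberate exception against and a later phase could re-block it or leave it unreviewed.

Review bot: In the allowed/blocked operations hunk, the unchanged "Security benefit" list still claims that "Even if n8n is compromised, an attacker cannot ... execute arbitrary commands inside containers (no container escape)", but the new "Why container create is allowed" rationale depends on n8n workflow logic controlling the create body, which is exactly what a compromised n8n no longer guarantees: with create, start and image pull all allowed and the proxy filtering by endpoint only, the request body, not the proxy, decides whether the new container is privileged, shares host namespaces or mounts the host socket. Suggest rewriting the benefit to what the proxy actually delivers (blocks exec, build, commit, secrets) and naming create as the accepted residual risk with a mitigation, such as validating or policy-checking the create body, or allowlisting the image and HostConfig the update command is permitted to use. Separately, "Authentication operations - blocks credential theft" overstates it: the `/auth` endpoint validates registry logins, so blocking it reduces attack surface rather than preventing credential theft.

Review bot: "All three dangerous endpoints confirmed blocked (exec, build, commit)" in the final done-criteria hunk undercounts the blocked list documented earlier in the same file, which also names secrets and authentication operations; either verify those two in the same task or state that they are blocked by proxy configuration but not tested in this phase, so the done criteria match the documented posture.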