fix(07): revise plans based on checker feedback

- Plan 02: Added Task 4 (checkpoint:human-action) to remove docker.sock
  volume mount from n8n container after verifying proxy works
- Plan 02: Added must_have truth for docker.sock removal (SEC-02 complete)
- Plan 03: Removed "Create API returns 403" from must_haves - container
  create is intentionally ALLOWED for update command functionality
- Plan 03: Added rationale explaining why container create is needed
- Clarified that blocked APIs are: exec, build, commit (not create)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.planning/phases/07-socket-security/07-03-PLAN.md

@@ -11,7 +11,7 @@ must_haves:
   truths:
     - "Exec API endpoint returns 403 Forbidden"
     - "Build API endpoint returns 403 Forbidden"
-    - "Create (new container) API endpoint returns 403 Forbidden"
+    - "Commit API endpoint returns 403 Forbidden"
   artifacts: []
   key_links:
     - from: "n8n/curl"
@@ -23,7 +23,7 @@ must_haves:
 <objective>
 Verify that dangerous Docker APIs are blocked by the proxy.
 
-Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, create, build).
+Purpose: Confirm SEC-03 requirement - socket proxy blocks dangerous APIs (exec, build, commit). Note: Container create is intentionally ALLOWED because the update command needs it to recreate containers with new images.
 Output: Documented proof that blocked endpoints return 403 Forbidden.
 </objective>
 
@@ -85,31 +85,34 @@ Output: Documented proof that blocked endpoints return 403 Forbidden.
   <action>
     Document the security posture achieved:
 
-    **Allowed operations:**
+    **Allowed operations (required for bot functionality):**
     - List containers (GET /containers/json)
     - Inspect container (GET /containers/{id}/json)
     - Start container (POST /containers/{id}/start)
     - Stop container (POST /containers/{id}/stop)
     - Restart container (POST /containers/{id}/restart)
     - Remove container (DELETE /containers/{id})
+    - Create container (POST /containers/create) - needed for update command
     - List images (GET /images/json)
     - Inspect image (GET /images/{id}/json)
     - Pull image (POST /images/create)
-    - Create container (POST /containers/create)
     - Get logs (GET /containers/{id}/logs)
 
-    **Blocked operations:**
-    - Execute commands inside containers (POST /containers/{id}/exec)
-    - Build images (POST /build)
-    - Commit containers to images (POST /commit)
-    - Manage secrets (POST /secrets/*)
-    - Authentication operations
+    **Blocked operations (security threat):**
+    - Execute commands inside containers (POST /containers/{id}/exec) - blocks container escape
+    - Build images (POST /build) - blocks malicious image creation
+    - Commit containers to images (POST /commit) - blocks image tampering
+    - Manage secrets (POST /secrets/*) - blocks secret access
+    - Authentication operations - blocks credential theft
 
     **Security benefit:**
     Even if n8n is compromised, an attacker cannot:
     - Execute arbitrary commands inside containers (no container escape)
     - Build malicious images
     - Access Docker secrets
+
+    **Why container create is allowed:**
+    The update command works by: pulling new image -> deleting old container -> creating new container with new image. Container create is necessary for this legitimate workflow operation. The risk of arbitrary container creation is mitigated by the fact that n8n workflow logic controls what containers are created, not external input.
   </action>
   <verify>
     Documentation captured in plan summary
@@ -127,8 +130,8 @@ Output: Documented proof that blocked endpoints return 403 Forbidden.
 </verification>
 
 <success_criteria>
-- All three dangerous endpoints confirmed blocked
-- Security posture documented
+- All three dangerous endpoints confirmed blocked (exec, build, commit)
+- Security posture documented with rationale for allowed operations
 </success_criteria>
 
 <output>