# Phase 7: Socket Security - Context

**Gathered:** 2026-02-03
**Status:** Ready for planning

## Phase Boundary

Docker operations flow through a filtered proxy instead of direct socket access. n8n connects to the proxy via TCP, and dangerous Docker APIs are blocked. All existing bot commands continue working through the proxy.

## Implementation Decisions

### Proxy Container Setup

- Use existing Unraid Community Apps template "dockersocket" (tecnativa/docker-socket-proxy:latest)
- Container name: `docker-socket-proxy` (predictable name for n8n curl commands)
- Network: Same Docker network as n8n — proxy joins existing network
- Deployment: Installed via Unraid CA, not managed by this project

### API Filtering Rules

- Allow POST requests to container endpoints (start/stop/restart)
- Allow image pull operations (needed for update command)
- Block dangerous APIs: exec, create, build (proxy defaults)
- No additional blocking beyond defaults — container and image ops only

### Error Responses

- Blocked API calls show: "This action is blocked by security policy" (clear but not technical)
- Distinguish between "blocked by policy" vs "Docker error: [details]" for debugging
- 403/blocked responses fail immediately — no retry
- No special logging for blocked attempts (proxy handles it)

### Failover Behavior

- If proxy unavailable: "Docker proxy unavailable — please check server" sent to Telegram
- No fallback to direct socket access
- Short timeout (5 seconds) when calling proxy
- One retry on timeout, then fail with error message
- Proxy container managed by Unraid — we don't configure health checks or auto-restart

### Claude's Discretion

- Exact curl command format for proxy calls
- Specific env var configuration for tecnativa proxy
- How to update n8n workflow nodes to use proxy endpoint

## Specific Ideas

- Use the existing dockersocket Unraid CA template rather than custom deployment
- Keep proxy configuration minimal — it's Unraid's responsibility to manage the container
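The filtering, error-response and failover rules above fit in one small client, shown here as an added example that is not part of this context document or the project's workflow. Assumptions not stated on the page: the proxy is reached at `http://docker-socket-proxy:2375` (the container name plus tecnativa's default port), the Docker Engine API paths are the standard `/containers/{name}/{action}` and `/images/create`, `PROXY_ENV` is this example's guess at how the filtering rules map onto the real tecnativa variable names, and `ScriptedTransport` is a constructed stand-in for the proxy so the policy can be exercised offline.

```python
import json
import socket
import urllib.error
import urllib.parse
import urllib.request

PROXY_URL = "http://docker-socket-proxy:2375"  # assumed: container name + tecnativa default port
TIMEOUT_SECONDS = 5.0                           # short timeout from the failover rules
MAX_TIMEOUT_RETRIES = 1                         # one retry on timeout, then fail

BLOCKED_MSG = "This action is blocked by security policy"
UNAVAILABLE_MSG = "Docker proxy unavailable — please check server"

# tecnativa/docker-socket-proxy variable names; the 1/0 values are this example's
# assumed mapping of the phase's rules (container + image ops with POST, exec and
# build left blocked). Verify against the template before relying on them.
PROXY_ENV = {"CONTAINERS": "1", "IMAGES": "1", "POST": "1", "EXEC": "0", "BUILD": "0"}


def urllib_transport(method, url, timeout):
    """Send one request; return (status, body). Raise TimeoutError on a slow
    proxy and ConnectionError when the proxy cannot be reached at all."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:            # 4xx/5xx (and 304) arrive here
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError as err:             # failures during connect
        if isinstance(err.reason, (TimeoutError, socket.timeout)):
            raise TimeoutError(str(err.reason)) from err
        raise ConnectionError(str(err.reason)) from err
    except (TimeoutError, socket.timeout) as err:    # timeout while reading
        raise TimeoutError(str(err)) from err


class ScriptedTransport:
    """Constructed fake proxy: replays (status, body) tuples or exceptions in order."""

    def __init__(self, *steps):
        self.steps = list(steps)
        self.calls = []                              # (method, url) for every attempt

    def __call__(self, method, url, timeout):
        self.calls.append((method, url))
        step = self.steps.pop(0)
        if isinstance(step, BaseException):
            raise step
        return step


def _docker_detail(status, body):
    """Docker reports errors as {"message": "..."}; fall back to raw body or status."""
    try:
        msg = json.loads(body).get("message")
    except (ValueError, AttributeError):
        msg = None
    return msg or body.strip() or f"HTTP {status}"


def docker_proxy_call(method, path, transport=urllib_transport, base_url=PROXY_URL):
    """Call the proxy and map the outcome to the phase's user-facing messages:
    403 -> blocked by policy (no retry); other 4xx/5xx -> Docker error with detail;
    timeout -> one retry, then unavailable; unreachable -> unavailable at once."""
    url = base_url + path
    timeouts = 0
    while True:
        try:
            status, body = transport(method, url, TIMEOUT_SECONDS)
            break
        except TimeoutError:
            timeouts += 1
            if timeouts > MAX_TIMEOUT_RETRIES:
                return {"ok": False, "status": None, "message": UNAVAILABLE_MSG}
        except ConnectionError:
            return {"ok": False, "status": None, "message": UNAVAILABLE_MSG}
    if status == 403:
        return {"ok": False, "status": 403, "message": BLOCKED_MSG}
    if status >= 400:
        return {"ok": False, "status": status,
                "message": f"Docker error: {_docker_detail(status, body)}"}
    # 2xx, or 304 when the container is already in the requested state
    return {"ok": True, "status": status, "message": "OK"}


def container_action(name, action, **kw):
    """start / stop / restart: the only container POSTs the filtering rules allow."""
    if action not in ("start", "stop", "restart"):
        raise ValueError(f"unsupported container action: {action}")
    return docker_proxy_call("POST", f"/containers/{urllib.parse.quote(name)}/{action}", **kw)


def pull_image(image, tag="latest", **kw):
    """Image pull for the update command (POST /images/create)."""
    query = urllib.parse.urlencode({"fromImage": image, "tag": tag})
    return docker_proxy_call("POST", f"/images/create?{query}", **kw)


if __name__ == "__main__":
    # Offline demo: a blocked exec, then a restart whose first attempt times out.
    print(docker_proxy_call("POST", "/containers/web/exec",
                            transport=ScriptedTransport((403, "403 Forbidden"))))
    print(container_action("web", "restart",
                           transport=ScriptedTransport(TimeoutError(), (204, ""))))
```

The transport is injected so the retry and message mapping can be checked without a live proxy; in the n8n workflow the same function would run with the default `urllib_transport`, and the returned `message` is what gets posted back to Telegram.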
## Deferred Ideas

None — discussion stayed within phase scope

---

*Phase: 07-socket-security*
*Context gathered: 2026-02-03*