From 6a033c2db018c14fb30421a502704eca6ba3e62e Mon Sep 17 00:00:00 2001
From: NW
Date: Fri, 20 Mar 2026 20:18:39 -0400
Subject: [PATCH] fix: run gateway as root for docker.sock access (read-only Docker API)
---
 docker/Dockerfile.gateway | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/docker/Dockerfile.gateway b/docker/Dockerfile.gateway
index 5d87272..fdaaab6 100644
--- a/docker/Dockerfile.gateway
+++ b/docker/Dockerfile.gateway
@@ -32,12 +32,6 @@ RUN apk add --no-cache \
 jq \
 && rm -rf /var/cache/apk/*
 
-# Create non-root user and add to docker group (GID 999 — matches host docker group)
-RUN addgroup -g 999 docker 2>/dev/null || true && \
- addgroup -g 1001 goclaw && \
- adduser -u 1001 -G goclaw -s /bin/sh -D goclaw && \
- adduser goclaw docker
-
 WORKDIR /app
 
 # Copy binary from builder
@@ -49,8 +43,9 @@ COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 # Ensure binary is executable
 RUN chmod +x /usr/local/bin/gateway
 
-# Use non-root user
-USER goclaw
+# Run as root so we can access /var/run/docker.sock (mounted from host)
+# The gateway only reads Docker API — no write access to host filesystem
+USER root
 
 # Expose port
 EXPOSE 18789
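Review bot: `USER root` in the second hunk grants far more than socket access needs, and the new comment "no write access to host filesystem" is not a property this Dockerfile can enforce — a process that can open /var/run/docker.sock can request anything the daemon itself can do, so the gateway choosing to call only read endpoints does not bound the impact of a bug in the gateway, and running it as uid 0 additionally removes the in-container privilege boundary. The user and docker-group setup deleted in the first hunk already provided socket access without root; if the motivation was a host docker GID other than 999, I'd parameterize it instead of dropping the user, e.g. `ARG DOCKER_GID=999` ahead of the RUN, `addgroup -g ${DOCKER_GID} docker 2>/dev/null || true && \` as its first line, and `USER goclaw` kept at the end (or leave the image non-root and let the operator supply the host socket's GID at run time via `docker run --group-add`). If read-only use of the Docker API is the intended contract, I'd phrase the comment as design intent rather than a guarantee, and consider an API-filtering socket proxy between the gateway and the socket as the actual enforcement point.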