Remove ai-worker from docker group and enforce sudo whitelist.

SECURITY: Being in the docker group gives unrestricted access to the
Docker daemon socket (/var/run/docker.sock), allowing any docker command:
docker exec, docker cp, docker run -v /:/host, docker commit, etc.

Changes:
- Remove extraGroups = ["docker"] from ai-worker user definition
- Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands
  ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop,
    restart, rm, rmi, wait, pull, build, run, compose, system,
    network ls, volume ls
  BLOCKED (implicitly): exec, cp, commit, diff, export, import, load,
    save, attach, push, tag, create, plugin, network create, volume create
- Update ai-worker-restricted.nix module to reflect new approach
- Update README-ai-worker.md with new security model and examples
All docker commands must now be prefixed with sudo.
The Hermes agent's host_run tool needs to be updated to prepend sudo.
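
The whitelist described in the commit above, as an added example of a pre-flight check a caller such as host_run could apply before prepending sudo (not code from this repository). The function names are hypothetical, and rejecting host bind mounts on `run` is an assumed extra policy, added because the commit names `docker run -v /:/host` as a risk while `run` is on the ALLOWED list.

```python
import shlex

# Subcommands taken from the ALLOWED list in the commit message above.
ALLOWED = {"ps", "inspect", "logs", "images", "info", "version", "stats",
           "start", "stop", "restart", "rm", "rmi", "wait", "pull", "build",
           "run", "compose", "system"}
ALLOWED_PAIRS = {("network", "ls"), ("volume", "ls")}


def _host_bind_mounts(args):
    """Return `docker run` arguments that bind-mount a host path (assumed policy)."""
    found = []
    for i, arg in enumerate(args):
        value = None
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(args):
            value = args[i + 1]
        elif arg.startswith(("--volume=", "--mount=")):
            value = arg.split("=", 1)[1]
        elif arg.startswith("-v") and len(arg) > 2:
            value = arg[2:].lstrip("=")
        if value is None:
            continue
        source = value.split(":", 1)[0]
        # "/src:/dst" is a host bind mount; "name:/dst" is a named volume.
        # Every argument is scanned, so a match after the image name is
        # also rejected: the check fails closed.
        if (":" in value and source.startswith(("/", ".", "~"))) or "type=bind" in value:
            found.append(value)
    return found


def vet(command):
    """Return the sudo-prefixed argv for a whitelisted command, else raise."""
    argv = shlex.split(command)
    if argv[:1] == ["sudo"]:
        argv = argv[1:]
    if argv[:1] != ["docker"] or len(argv) < 2:
        raise PermissionError("not a docker subcommand")
    sub = argv[1]
    if sub in ("network", "volume"):
        if tuple(argv[1:3]) not in ALLOWED_PAIRS:
            raise PermissionError(f"docker {' '.join(argv[1:3])} is not whitelisted")
    elif sub not in ALLOWED:
        # Covers exec, cp, commit, ... and any global option before the subcommand.
        raise PermissionError(f"docker {sub} is not whitelisted")
    if sub == "run" and (mounts := _host_bind_mounts(argv[2:])):
        raise PermissionError(f"host bind mount rejected: {mounts}")
    return ["sudo", *argv]
```
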
Remove infra repo bind mount and sudo access from ai-worker user.
Now ai-worker can only:
- SSH into host from Hermes container
- Run docker commands via docker group membership
- Execute ollama benchmarks via docker exec
Results saved to /opt/data/ai-optimizer/ in Hermes container.
- New module: modules/nixos/security/ai-worker-restricted.nix
- Bind mount for infra repo access (RW)
- Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
- Audit logging for infra changes
- Documentation in README-ai-worker.md
- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments
- Updated flake.nix:
  - Include new security module
SECURITY: AI must ask for user confirmation before running nh os switch
- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service
- Started OpenCode service and verified it's running
- Tested Context7 web search functionality
- Tested DuckDuckGo web search functionality
- Documented web search integration in open_code_server.nix
- Updated ROADMAP and STATE with completion status
- Phase 4 complete, ready for Phase 5: TAK Server Integration