fix: restrict docker commands for ai-worker user

Remove ai-worker from docker group and enforce sudo whitelist.

SECURITY: Being in the docker group gives unrestricted access to the
Docker daemon socket (/var/run/docker.sock), allowing any docker command:
docker exec, docker cp, docker run -v /:/host, docker commit, etc.

Changes:
- Remove extraGroups = ["docker"] from ai-worker user definition
- Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands
  ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop,
  restart, rm, rmi, wait, pull, build, run, compose, system,
  network ls, volume ls
  BLOCKED (implicitly): exec, cp, commit, diff, export, import, load,
  save, attach, push, tag, create, plugin, network create, volume create
- Update ai-worker-restricted.nix module to reflect new approach
- Update README-ai-worker.md with new security model and examples

All docker commands must now be prefixed with sudo.
The Hermes agent's host_run tool needs to be updated to prepend sudo.

flake.nix

@@ -12,23 +12,10 @@
       url = "git+https://git.lix.systems/lix-project/lix?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-
-    # uConsole CM5 — pinned nixpkgs for kernel patch compatibility
-    nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";
-    nixos-uconsole = {
-      url = "github:nixos-uconsole/nixos-uconsole/v1.1.0";
-      inputs.nixpkgs.follows = "nixpkgs-uconsole";
-      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
+    self.submodules = true;
   };
-    nixos-raspberrypi = {
-      url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
-      inputs.nixpkgs.follows = "nixpkgs-uconsole";
-  };
-};
 
-  outputs = { self, nixpkgs, agenix, lix
-            , nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi
-            , ... }@inputs:
+  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
     let
       system = "x86_64-linux";
       keys = import ./lib/keys.nix;
@@ -93,78 +80,7 @@
               ./hosts/cyt-pi/hardware-configuration.nix
             ];
           };
-
-          # ============================================================
-          # uConsole CM5 — cross-compilé (build sur x86_64, run sur ARM)
-          # Approche incrémentale pour fixer l'écran
-          # ============================================================
-          uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {
-            system = "aarch64-linux";
-            specialArgs = {
-              inherit self keys paths inputs;
-              nixos-raspberrypi = nixos-raspberrypi;
-              isCM4 = false;
-            };
-            modules = [
-              {
-                # Cross-compile : build sur x86_64, run sur aarch64
-                nixpkgs.buildPlatform = "x86_64-linux";
-                nixpkgs.hostPlatform = "aarch64-linux";
-                nixpkgs.config.allowUnfree = true;
-                boot.loader.raspberry-pi.bootloader = "kernel";
-              }
-              # nixos-raspberrypi — pkgs.rpi + overlays standardisés
-              nixos-raspberrypi.nixosModules.nixpkgs-rpi
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.base
-              nixos-raspberrypi.lib.inject-overlays
-              nixos-raspberrypi.lib.inject-overlays-global
-              # nixos-uconsole CM5 modules
-              nixos-uconsole.nixosModules.kernel
-              (nixos-uconsole.nixosModules.cm { lib = nixpkgs-uconsole.lib; isCM4 = false; })
-              nixos-uconsole.nixosModules.base
-              # Lix cross-compilé (lix.packages.aarch64-linux est natif → QEMU)
-              ({ config, lib, pkgs, inputs, ... }: let
-                lix-cross = import inputs.nixpkgs-uconsole {
-                  localSystem = { system = "x86_64-linux"; };
-                  crossSystem = { system = "aarch64-linux"; };
-                  overlays = [ inputs.lix.overlays.default ];
-                };
-              in { nix.package = lix-cross.lix; })
-              # agenix
-              agenix.nixosModules.default
-              # Notre config
-              ./hosts/uconsole-cm5/configuration.nix
-              ./hosts/uconsole-cm5/hardware-configuration.nix
-            ];
-          };
         };
         devShells.${system}.default = devShell;
-        packages.${system} = {
-          # Image SD flashable pour uConsole CM5 (SSH + WiFi + clés)
-          # Usage : dd if=result of=/dev/sda bs=4M status=progress conv=fsync
-          uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {
-            system = "aarch64-linux";
-            specialArgs = {
-              inherit self keys inputs;
-              nixos-raspberrypi = nixos-raspberrypi;
-              isCM4 = false;
-            };
-            modules = [
-              {
-                nixpkgs.buildPlatform = system;
-                nixpkgs.hostPlatform = "aarch64-linux";
-              }
-              nixos-raspberrypi.nixosModules.nixpkgs-rpi
-              nixos-raspberrypi.nixosModules.raspberry-pi-5.base
-              nixos-raspberrypi.lib.inject-overlays-global
-              nixos-raspberrypi.nixosModules.sd-image
-              nixos-uconsole.nixosModules.kernel
-              (nixos-uconsole.nixosModules.cm { lib = nixpkgs-uconsole.lib; isCM4 = false; })
-              nixos-uconsole.nixosModules.base
-              agenix.nixosModules.default
-              ./hosts/uconsole-cm5/configuration.nix
-            ];
-          }).config.system.build.sdImage;
-        };
       };
 }

hosts/lazyworkhorse/configuration.nix

@@ -9,7 +9,7 @@
   hoardingcow-mount.enable = true;
 
   # Flakesss
-  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" "ca-derivations" ];
+  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
   nix.settings.trusted-users = [ "root" "gortium" ];
 
   # Garbage collection

hosts/lazyworkhorse/hyperspace-commit-msg.txt

@@ -1,12 +0,0 @@
-feat: add Hyperspace Pods NixOS module
-
-Create modules/nixos/services/hyperspace.nix for the Hyperspace Pods
-P2P AI cluster agent. Registered in flake.nix under lazyworkhorse.
-
-- Fetches CLI binary v5.45.30 via fetchurl with SRI hash verification
-- Systemd system service: auto profile, configurable api port 8080,
-  ai-worker user, GPU device access (kfd+dri), SupplementaryGroups
-  for video+render groups, service hardening
-- Firewall: TCP 4001 libp2p, 30301 chain, 8080 API; UDP 4001 libp2p
-- AMD MI50 ROCm via HSA_OVERRIDE_GFX_VERSION=9.0.6
-- Adds video+render groups to ai-worker for persistent GPU access

hosts/lazyworkhorse/hyperspace.nix

@@ -1,134 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  cfg = config.services.hyperspace;
-
-  hyperspacePkg = pkgs.stdenv.mkDerivation {
-    name = "hyperspace-pods-${cfg.version}";
-    src = pkgs.fetchurl {
-      url = "https://github.com/hyperspaceai/aios-cli/releases/download/v${cfg.version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz";
-      hash = cfg.packageHash;
-    };
-    sourceRoot = ".";
-    installPhase = ''
-      mkdir -p $out/libexec $out/bin
-      cp -r * $out/libexec/
-      chmod +x $out/libexec/aios-cli
-      ln -s $out/libexec/aios-cli $out/bin/hyperspace
-    '';
-  };
-in {
-  options.services.hyperspace = {
-    enable = lib.mkEnableOption "Hyperspace Pods P2P AI cluster agent";
-
-    version = lib.mkOption {
-      type = lib.types.str;
-      default = "5.45.30";
-      description = "Hyperspace CLI version to download.";
-    };
-
-    packageHash = lib.mkOption {
-      type = lib.types.str;
-      default = "sha256-f6fJ8t3exqtYwUD5j+WvD+Hm0oN/Eef0X+R9Rj23dE0=";
-      description = ''
-        SRI hash of the hyperspace release tarball (sha256-<base64>).
-        Must be updated when version changes. Generate with:
-        nix store prefetch-file --hash-algo sha256 \\
-          https://github.com/hyperspaceai/aios-cli/releases/download/v{version}/aios-cli-x86_64-unknown-linux-gnu.tar.gz
-      '';
-    };
-
-    user = lib.mkOption {
-      type = lib.types.str;
-      default = "ai-worker";
-      description = "System user to run the Hyperspace agent.";
-    };
-
-    apiPort = lib.mkOption {
-      type = lib.types.port;
-      default = 8080;
-      description = "OpenAI-compatible API port (configurable via --api-port).";
-    };
-
-    profile = lib.mkOption {
-      type = lib.types.str;
-      default = "auto";
-      description = ''
-        Agent profile. Options: auto (auto-detect hardware), full (all capabilities),
-        inference (GPU inference only), embedding (CPU embedding only),
-        relay (lightweight relay), storage (storage + memory).
-      '';
-    };
-
-    autoStart = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = "Start the agent automatically on boot.";
-    };
-
-    openFirewall = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = "Open P2P mesh (4001 TCP+UDP, 30301 TCP) and API port in the firewall.";
-    };
-
-    extraArgs = lib.mkOption {
-      type = lib.types.listOf lib.types.str;
-      default = [ ];
-      description = "Extra arguments to pass to 'hyperspace start'.";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services.hyperspace = {
-      description = "Hyperspace Pods P2P AI Cluster Agent";
-      after = [ "network.target" "network-online.target" ];
-      wants = [ "network-online.target" ];
-      wantedBy = lib.mkIf cfg.autoStart [ "multi-user.target" ];
-
-      path = with pkgs; [ bash coreutils ];
-
-      serviceConfig = {
-        Type = "simple";
-        User = cfg.user;
-        Group = cfg.user;
-        WorkingDirectory = "${hyperspacePkg}/libexec";
-        ExecStart = "${hyperspacePkg}/bin/hyperspace start --profile ${cfg.profile} --api-port ${toString cfg.apiPort} ${lib.escapeShellArgs cfg.extraArgs}";
-        Restart = "on-failure";
-        RestartSec = 5;
-
-        # AMD MI50 (ROCm) device access
-        DeviceAllow = [ "/dev/kfd rw" "/dev/dri rw" ];
-
-        # Supplementary groups for GPU/accelerator access
-        SupplementaryGroups = [ "video" "render" ];
-
-        # Hardening
-        NoNewPrivileges = true;
-        ProtectHome = "tmpfs";
-        ProtectSystem = "strict";
-        PrivateTmp = true;
-        PrivateDevices = false; # Needs /dev/kfd and /dev/dri
-      };
-
-      environment = {
-        HSA_OVERRIDE_GFX_VERSION = "9.0.6";
-        HOME = "/home/${cfg.user}";
-      };
-    };
-
-    # Firewall ports for P2P mesh (libp2p 4001, chain 30301) and API
-    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 4001 30301 cfg.apiPort ];
-    networking.firewall.allowedUDPPorts = lib.mkIf cfg.openFirewall [ 4001 ];
-
-    # Add GPU/accelerator groups to the service user (persistent beyond service restarts)
-    users.users = lib.mkIf (cfg.user == "ai-worker") {
-      ai-worker = {
-        extraGroups = [ "video" "render" ];
-      };
-    };
-
-    # ROCm override for AMD MI50 (gfx906) compatibility
-    environment.variables.HSA_OVERRIDE_GFX_VERSION = "9.0.6";
-  };
-}

hosts/uconsole-cm5/configuration.nix

@@ -1,28 +0,0 @@
-{ config, lib, pkgs, keys, ... }:
-
-{
-  networking.hostName = "uConsole";
-  time.timeZone = "America/Montreal";
-  i18n.defaultLocale = "en_CA.UTF-8";
-  system.stateVersion = "25.11";
-
-  # SSH — root access avec clés gortium + ai-worker
-  services.openssh = {
-    enable = true;
-    settings = {
-      PermitRootLogin = lib.mkForce "prohibit-password";
-      PasswordAuthentication = lib.mkForce false;
-    };
-  };
-
-  users.users.root.openssh.authorizedKeys.keys = with keys; [
-    users.gortium.main
-    users.ai-worker.main
-  ];
-
-  # WiFi via NetworkManager + secret agenix
-  networking.networkmanager.enable = true;
-
-  # Firmware
-  hardware.enableRedistributableFirmware = true;
-}

hosts/uconsole-cm5/hardware-configuration.nix

@@ -1,30 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
-  boot.initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  # SD card partitions (nixos-uconsole layout)
-  fileSystems."/" = {
-    device = "/dev/disk/by-label/NIXOS_SD";
-    fsType = "ext4";
-    options = [ "noatime" ];
-  };
-
-  fileSystems."/boot/firmware" = {
-    device = "/dev/disk/by-label/FIRMWARE";
-    fsType = "vfat";
-    options = [ "fmask=0022" "dmask=0022" ];
-  };
-
-  swapDevices = [ ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  hardware.enableRedistributableFirmware = true;
-  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
-}

modules/nixos/security/README-ai-worker.md

@@ -1,10 +1,44 @@
 # AI Worker Restricted Access
 
-This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
 
 ## Security Model
 
-The `ai-worker` user has:
+### Overview
+
+The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
+
+- **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
+- **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
+- **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
+- **Disk cleanup**: `docker system`
+- **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
+
+### EXPLICITLY BLOCKED (not in sudo whitelist)
+
+| Command | Risk | Result |
+|---------|------|--------|
+| `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
+| `docker cp` | Copy files between containers and host | Blocked by sudo |
+| `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
+| `docker diff` | Inspect filesystem changes | Blocked by sudo |
+| `docker export` | Export container filesystem | Blocked by sudo |
+| `docker import` | Import filesystem archives | Blocked by sudo |
+| `docker load` | Load docker images | Blocked by sudo |
+| `docker save` | Save docker images to tar | Blocked by sudo |
+| `docker attach` | Interactive access to containers | Blocked by sudo |
+| `docker push` | Push images to registries | Blocked by sudo |
+| `docker tag` | Rename images | Blocked by sudo |
+
+### Why This Approach?
+
+Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
+
+- `docker exec -it container bash` — full shell access to any container
+- `docker cp /host/file container:/path` — file modification inside containers
+- `docker run -v /:/host alpine` — full host filesystem access
+
+By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
 
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
@@ -12,51 +46,33 @@ The `ai-worker` user has:
 - **Cannot access**: Any files outside standard system paths
 
 ### Sudo Access
-- **NONE**: ai-worker has no sudo privileges
+- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 
-### Docker Access
-- Member of `docker` group - can run `docker` and `docker exec` commands
-- Primary use: `docker exec ollama ollama ...` for benchmarking
-- Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
+## Workflow: SSH + Restricted Docker
 
-## Workflow: SSH + Docker Benchmarking
-
-The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
-
-### Example Workflow
+All docker commands must be prefixed with `sudo`:
 
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 
-# On host, run ollama benchmarks via docker
-docker exec ollama ollama pull devstral-small-2:24b
+# Check container status (works)
+sudo docker ps
 
-# Create test modelfile
-docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
-FROM devstral-small-2:24b
-PARAMETER num_ctx 65536
-PARAMETER num_gpu 99
-PARAMETER flash_attn true
-EOF'
+# Restart a container (works)
+sudo docker restart ollama
 
-# Create and test model
-docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
-docker exec ollama ollama run test-model "Write a Python async function"
+# Run benchmark (works - docker run is allowed)
+sudo docker run --rm alpine echo "test"
 
-# Check VRAM usage
-docker exec --privileged ollama rocm-smi --showmeminfo vram
+# ANY of these will FAIL (not in whitelist):
+sudo docker exec ollama ollama list          # FAILS - docker exec blocked
+sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
+sudo docker commit container new-image       # FAILS - docker commit blocked
 
-# Cleanup
-docker exec ollama ollama rm test-model
-
-# Exit SSH, return to Hermes container
-exit
-
-# Save results in Hermes container
-# /opt/data/ai-optimizer/state.json
-# /opt/data/ai-optimizer/results.csv
+# For ollama operations, use the HTTP API instead of docker exec:
+curl http://ollama:11434/api/tags
 ```
 
 ## SSH Access
@@ -74,25 +90,30 @@ Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
-# Should show: no sudo access
+# Should show the whitelisted commands only (no docker exec/cp/commit)
 
-# Check docker group membership
+# Verify NOT in docker group
 groups ai-worker
-# Should show: ai-worker docker
+# Should show: ai-worker (NO docker group)
 ```
 
 ## Troubleshooting
 
-If ai-worker cannot run docker commands:
+If docker commands fail:
+
 ```bash
-# Check docker group membership
+# Check sudo permissions
+sudo -u ai-worker sudo -l | grep docker
+
+# Verify group membership
 groups ai-worker
 
-# Verify ollama container is running
-docker ps | grep ollama
+# Test allowed command
+sudo -u ai-worker sudo docker ps
 
-# Test docker access
-sudo -u ai-worker docker exec ollama ollama list
+# Test blocked command (should fail)
+sudo -u ai-worker sudo docker exec ollama ollama list
+# Expected: "Sorry, user ai-worker is not allowed to execute"
 ```
 
 If SSH connection fails:

modules/nixos/security/ai-worker-restricted.nix

@@ -6,12 +6,19 @@ with lib;
   options.services.aiWorkerAccess = mkOption {
     type = types.bool;
     default = false;
-    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
+    description = "Enable AI worker SSH access with restricted sudo docker commands";
   };
 
   config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is member of docker group - can run docker commands via SSH
-    # No bind mounts, no sudo access - docker-only for ollama benchmarking
-    users.groups.docker.members = [ "ai-worker" ];
+    # SECURITY: ai-worker is NOT added to docker group.
+    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
+    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
+    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
+    
+    # The old approach (docker group membership) has been removed because:
+    # - Docker group gives UNRESTRICTED access to the docker daemon socket
+    # - No way to limit which docker subcommands a docker group member can run
+    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
+    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
   };
 }

secrets/home_wifi.age

@@ -1,10 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSAycE1Y
-YmMvUWZpK2VKQVlqaHFtaERBRGROcFIyL0d6dEVRQmFxLzlqdFZNCkYxWkNIUXRZ
-V0dQOG4zY3U3Nk1JelBtY0cwUGdxaEI3dmZaVTZId04rVTQKLT4geV1cZC4wMnst
-Z3JlYXNlIDYgOG1IME1xCkQ0RGN1NU1FUWk0Y1RmamNEY0tJWmFQNGdoMkROcGVy
-aU5UYVFobVRLMVVUQ1JicUM2c0tSVzRQdEZ0VE5YamQKZUxPeVpLWDZJR0hqemdD
-cmkyUUdFZEZKZjBDNGhmNFR6bVUKLS0tIDRQUGR5RGI5UEhGNk5EQWw4dFk0R01k
-TUJWOFpleXBUajFPckFmem52cGsKHzn+QnuYLI2NEh5WWZQHrNuvVzYk+kVjsAsn
-KNS2dHjvadAopVY2Gypldf1p2RRtmgZkDHaPlNzv5Hk=
------END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -11,5 +11,4 @@ in
   "lazyworkhorse_host_ssh_key.age".publicKeys = authorizedKeys;
   "n8n_ssh_key.age".publicKeys = authorizedKeys;
   "openclaw_gateway_token.age".publicKeys = authorizedKeys;
-  "home_wifi.age".publicKeys = authorizedKeys;
 }

users/ai-worker.nix

@@ -4,7 +4,9 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    extraGroups = [ "docker" ];
+    # SECURITY: ai-worker is NOT in the docker group.
+    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
+    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main
@@ -17,19 +19,134 @@
   # Enable restricted AI worker SSH access for ollama benchmarking
   # SECURITY: ai-worker can only:
   #   - SSH into host from Hermes container
-  #   - Run docker commands (docker exec ollama ...) via docker group
+  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
   #   - Run specific security audit commands
   #   - NO access to infra repo (no bind mount)
-  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
-  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
+  #   - NO nix/nixos-rebuild/nh commands
+  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
   services.aiWorkerAccess = true;
 
-  # Restricted sudo for ai-worker - security checks only
+  # Restricted sudo for ai-worker
+  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
+  # Only the subcommands listed below are allowed — everything else is denied.
+  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
       commands = [
-        # Firewall checks
+        # === Docker commands: lifecycle management (NO file modification) ===
+        # ps/inspect/logs — read-only status checks
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker logs *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker images";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker info";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker version";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker stats *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # start/stop/restart — container lifecycle
+        {
+          command = "/run/current-system/sw/bin/docker start *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker stop *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker restart *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker rm *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker rmi *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker wait *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # pull/build/run — image management and container creation
+        {
+          command = "/run/current-system/sw/bin/docker pull *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker build *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker run *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # compose — orchestration
+        {
+          command = "/run/current-system/sw/bin/docker compose *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # system — disk cleanup
+        {
+          command = "/run/current-system/sw/bin/docker system *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # network — list only (create/modify not needed)
+        {
+          command = "/run/current-system/sw/bin/docker network ls";
+          options = [ "NOPASSWD" ];
+        }
+
+        # volume — list only (create/modify not needed)
+        {
+          command = "/run/current-system/sw/bin/docker volume ls";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
+        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
+        # docker cp       — copies files between containers and host (FILE ACCESS)
+        # docker commit   — creates images from running containers (DATA EXFIL)
+        # docker diff     — inspects filesystem changes (INFO LEAK)
+        # docker export   — exports container filesystem (DATA EXFIL)
+        # docker import   — imports filesystem archives
+        # docker load     — loads docker images
+        # docker save     — saves docker images to tar (DATA EXFIL)
+        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
+        # docker push     — pushes images to registries (DATA EXFIL)
+        # docker tag      — renames images
+        # docker create   — creates containers (use 'docker run' instead)
+        # docker plugin   — manages plugins
+        # docker network create/rm — network management
+        # docker volume create/rm  — volume management
+
+        # === Firewall checks ===
         {
           command = "/run/wrappers/bin/sudo iptables -L -n -v";
           options = [ "NOPASSWD" ];
@@ -38,7 +155,8 @@
           command = "/run/wrappers/bin/sudo iptables -S";
           options = [ "NOPASSWD" ];
         }
-        # Fail2ban status
+
+        # === Fail2ban status ===
         {
           command = "/run/current-system/sw/bin/fail2ban-client status";
           options = [ "NOPASSWD" ];
@@ -51,7 +169,8 @@
           command = "/run/current-system/sw/bin/fail2ban-client get * banned";
           options = [ "NOPASSWD" ];
         }
-        # Log inspection
+
+        # === Log inspection ===
         {
           command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
           options = [ "NOPASSWD" ];
@@ -64,21 +183,14 @@
           command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
           options = [ "NOPASSWD" ];
         }
-        # SSH config verification
+
+        # === SSH config verification ===
         {
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
-        # Docker service checks
-        {
-          command = "/run/current-system/sw/bin/docker ps";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker inspect *";
-          options = [ "NOPASSWD" ];
-        }
-        # Network diagnostics
+
+        # === Network diagnostics ===
         {
           command = "/run/current-system/sw/bin/ss -tlnp";
           options = [ "NOPASSWD" ];