diff --git a/Proxy_Containers/docker-socket-proxy/compose.yaml b/Proxy_Containers/docker-socket-proxy/compose.yaml
index b185c67..2144247 100644
--- a/Proxy_Containers/docker-socket-proxy/compose.yaml
+++ b/Proxy_Containers/docker-socket-proxy/compose.yaml
@@ -5,12 +5,13 @@ services:
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
+# Access is container-to-container only via the internal bridge.
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 environment:
-# Traefik only needs CONTAINERS
-CONTAINERS: 1
-# Everything else explicitly off
+CONTAINERS: 1 # Flame label discovery + Traefik routing
+NETWORKS: 1 # Optional: Flame network-grouping feature # Set to 0 if you don't use that feature
+# Hard denies — every write surface explicitly closed
 BUILD: 0
 COMMIT: 0
 CONFIGS: 0
@@ -18,10 +19,9 @@ services:
 EXEC: 0
 IMAGES: 0
 INFO: 0
-NETWORKS: 0
 NODES: 0
 PLUGINS: 0
-POST: 0
+POST: 0 # Critical — blocks ALL write methods
 SECRETS: 0
 SERVICES: 0
 SESSION: 0
@@ -31,9 +31,12 @@ services:
 VOLUMES: 0
 networks:
 - socket_proxy
+# constrain resource usage so a runaway process can't starve the host
+mem_limit: 64m
+cpus: "0.25"
 networks:
 socket_proxy:
 name: docker_socket_proxy
 driver: bridge
-internal: true # no external routing — container-to-container only
\ No newline at end of file
+internal: true
\ No newline at end of file
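Review bot: The new `# Hard denies — every write surface explicitly closed` comment above `BUILD: 0` misdescribes what the keys under it do: they are per-endpoint read switches, and the write block comes solely from `POST: 0` in the next hunk, so a reader tuning this list would get the wrong mental model. Turning on `NETWORKS: 1` also widens the read surface for every client on `docker_socket_proxy` — the proxy's allow-list is per-endpoint, not per-client, so Traefik gains network listing along with Flame (and `CONTAINERS: 1` already hands both the container inspect output, environment variables included). Suggest `# Read allow-list: everything below stays 0; POST: 0 (below) is what denies writes` in place of the "hard denies" line. The second `#` clause inside the `NETWORKS: 1` line comment reads as two instructions on one line; moving `Set to 0 if you don't use that feature` to a comment line above the key keeps the inline comment to one purpose.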
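Review bot: Dropping the comment from `internal: true` leaves the one line that enforces the network isolation unexplained, while its explanation now sits between `security_opt` and `volumes` in the first hunk, far from the setting it describes; keep it on the line itself, `internal: true  # no external routing — container-to-container only`. `mem_limit` and `cpus` are the non-`deploy` resource keys, which docker compose appears to honor outside swarm mode but which are ignored by `docker stack`, so a note of where this file is meant to run would save a later reader a surprise. If the `64m` ceiling is ever hit the proxy is OOM-killed and `restart: unless-stopped` brings it back, but Traefik routing is down in between, so recording the observed headroom next to the limit would justify the number. The file still ends without a trailing newline on the new side; worth fixing while the last line is being touched.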