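---
# Docker Compose stanza for a read-only Docker socket proxy.
# Only the two read endpoints the consumers need (container and network
# listings) are opened; every write surface is explicitly closed and the
# proxy is reachable solely over an internal bridge network.
services:
  socket-proxy:
    # Prefer a pinned release tag or an @sha256 digest over `latest` so the
    # image that fronts the Docker socket cannot change underneath you
    # (e.g. tecnativa/docker-socket-proxy:<PINNED_TAG> — placeholder).
    image: tecnativa/docker-socket-proxy:latest
    container_name: socket-proxy
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    # Access is container-to-container only via the internal bridge:
    # there is deliberately no `ports:` mapping, so nothing on the host or
    # LAN can reach the proxy directly.
    volumes:
      # `:ro` only makes the mount path read-only; it does not stop API
      # requests over the socket. The write restrictions are enforced by
      # the environment flags below, not by this mount option.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # Values are quoted so every YAML consumer hands the proxy the string
    # "0"/"1" it expects instead of a YAML integer.
    environment:
      # Flame label discovery + Traefik routing.
      # Caveat: container-inspect responses include each container's
      # environment variables, so any client that can reach this proxy can
      # read secrets that were passed to other containers via `environment`.
      CONTAINERS: "1"
      # Optional: Flame network-grouping feature.
      # Set to "0" if you don't use that feature.
      NETWORKS: "1"
      # Hard denies — every write surface explicitly closed. Listing them
      # even where they match the image default keeps the policy explicit
      # and robust against an upstream default change.
      BUILD: "0"
      COMMIT: "0"
      CONFIGS: "0"
      DISTRIBUTION: "0"
      EXEC: "0"
      IMAGES: "0"
      INFO: "0"
      NODES: "0"
      PLUGINS: "0"
      # Critical — blocks ALL write methods regardless of the per-resource
      # flags above.
      POST: "0"
      SECRETS: "0"
      SERVICES: "0"
      SESSION: "0"
      SWARM: "0"
      SYSTEM: "0"
      TASKS: "0"
      VOLUMES: "0"
      # Not set here: EVENTS, PING and VERSION are enabled by the image's
      # defaults (read-only endpoints); set them to "0" explicitly if the
      # consumers do not need them.
    networks:
      - socket_proxy
    # Constrain resource usage so a runaway process can't starve the host.
    mem_limit: 64m
    cpus: "0.25"

networks:
  socket_proxy:
    name: docker_socket_proxy
    driver: bridge
    # `internal: true` — no default gateway, so the proxy cannot be reached
    # from outside the bridge and cannot initiate outbound connections.
    internal: true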