Install: claude install-skill MartinKChen/harness-claude-code
# pattern-engineer-container
## When to activate
Activate when editing `Dockerfile`, `docker-compose.yaml` / `.yml`, `compose.yaml` / `.yml`, `.dockerignore`, or scaffolding container artifacts. Skip for Kubernetes / Helm / non-Docker runtimes without an explicit Docker tie-in.
## Project memory overlay
After loading this skill, also check `$MAIN_ROOT/.claude/memory/patterns/pattern-engineer-container.md` in the consuming project (resolve `MAIN_ROOT="$(dirname "$(git rev-parse --path-format=absolute --git-common-dir)")"`). If present, load it as an **additive overlay** to the rules below; if absent, skip silently. See `memory-convention` for the full contract (additivity, severity floor, conflict surfacing).
## Patterns
### Dockerfile shape
- **Multi-stage, always at least three:** `base` (system deps + runtime), `build` (compile / bundle), `final` (minimal runtime).
- **Pinned tags, never `:latest`.** Use immutable tags (`node:20.11.1-alpine`, `python:3.12.4-slim`, `nginx:1.27.0-alpine`). Digest pinning (`@sha256:...`) for production base images.
- **Vet base images with `docker scout`** before pinning. Reject any image with MEDIUM+ CVEs that have a fix available; switch to the fixed tag.
- **Run as non-root** in `final`: `RUN addgroup -S app && adduser -S app -G app` then `USER app`.
- **Every writable path is user-writable.** Redirect PID files, cache, and nginx `*_temp_path` directories (`client_body_temp_path`, `proxy_temp_path`, `fastcgi_temp_path` when in use) to `/tmp/...`.
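As an added example (not part of this skill file or of the harness-claude-code project), the POSIX shell linter below checks a Dockerfile against three of the rules above: at least three `FROM` stages, every external base image pinned to a tag other than `:latest` (digest-pinned images pass outright, stage aliases and `scratch` are ignored), and a `USER` other than root in the final stage. The two Dockerfiles it runs on are constructed samples; the `lint_dockerfile` function name and the `app` user are assumptions that follow the rules as written.

```shell
#!/bin/sh
# Print one finding per violated rule; print nothing for a compliant Dockerfile.
lint_dockerfile() {
  awk '
    { inst = toupper($1) }
    inst == "FROM" {
      stages++
      user = ""                                          # every stage starts as root again
      i = 2
      while (i <= NF && substr($i, 1, 2) == "--") i++    # skip --platform=... flags
      img = $i
      if (i + 2 <= NF && toupper($(i+1)) == "AS") aliases[$(i+2)] = 1
      n = split(img, parts, "/"); last = parts[n]        # tag lives after the last slash
      if (img in aliases || img == "scratch") next       # internal stage reference
      if (img ~ /@sha256:/) next                         # digest pinned: immutable
      if (last ~ /:latest$/) { print "pin: " img " uses :latest"; next }
      if (last !~ /:/) print "pin: " img " has no tag"
    }
    inst == "USER" { user = $2 }
    END {
      if (stages < 3) print "stages: expected at least 3 FROM stages, found " stages
      if (user == "") print "USER: final stage never switches away from root"
      else if (user == "root" || user ~ /^0(:|$)/) print "USER: final stage runs as root (" user ")"
    }
  ' "$1"
}

# Constructed samples: one Dockerfile that follows the rules, one that breaks all three.
WORK=$(mktemp -d)
cat > "$WORK/Dockerfile.good" <<'EOF'
FROM node:20.11.1-alpine AS base
RUN apk add --no-cache tini
FROM base AS build
WORKDIR /src
COPY . .
RUN npm ci && npm run build
FROM base AS final
RUN addgroup -S app && adduser -S app -G app
COPY --from=build /src/dist /app
USER app
ENTRYPOINT ["tini", "--", "node", "/app/server.js"]
EOF
cat > "$WORK/Dockerfile.bad" <<'EOF'
FROM node:latest
COPY . /app
RUN npm install
CMD ["node", "/app/server.js"]
EOF

lint_dockerfile "$WORK/Dockerfile.good"   # compliant: no output
lint_dockerfile "$WORK/Dockerfile.bad"    # three findings: stages, :latest, USER
```

The awk pass is deliberately line-oriented so it can run in a pre-commit hook or CI step with no extra tooling; it does not replace `docker scout`, which vets the content of the pinned image rather than the shape of the Dockerfile.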