
feat: add Docker deployment and GHCR workflow #111

Open
aapw01 wants to merge 1 commit into Ed1s0nZ:main from aapw01:feature/docker-ghcr-support

Conversation

@aapw01 aapw01 commented Apr 28, 2026


No description provided.

@mxnstrexgl mxnstrexgl left a comment


🤖 Hermes Agent Auto-Review — PR #111

Docker deployment + GHCR workflow

🔴 Critical

  • config.docker.yaml contains placeholder API key: The file includes api_key: sk-xxxxxxx which is a placeholder, but it also contains base_url: https://dashscope.aliyuncs.com/compatible-mode/v1 and model: qwen3-max — these are real service-specific values. If anyone deploys this without changing the API key, the template is misleading. More importantly, the template should NOT contain real base_urls; it should have clearly commented placeholders.
  • Container runs as root by default: The Dockerfile has no USER directive. The runtime stage starts as root. The deployment docs explicitly say 'the image runs as root by default' (original: '镜像默认以 root 运行') — this is a significant security risk for a security testing tool that has access to nmap, sqlmap, nikto, masscan etc. A compromised container gives full root access. Add a non-root user and use USER directive.

⚠️ Warnings

  • No read-only filesystem: Consider adding read_only: true to docker-compose with explicit tmpfs mounts for writable dirs.
  • No resource limits: docker-compose.yml has no memory/CPU limits. A runaway agent loop could consume all host resources.
  • Healthcheck uses curl to localhost: This is fine but consider adding a dedicated /healthz endpoint.
  • MCP auth_header_value is empty in template: If someone enables MCP without setting the auth value, the MCP endpoint is completely open.

✅ Looks Good

  • Multi-stage build — clean separation of build and runtime.
  • No privileged mode by default — NET_ADMIN/NET_RAW are commented out.
  • Proper .dockerignore — excludes .git, data, logs, venv.
  • GHCR workflow — uses OIDC (GITHUB_TOKEN), not PATs. Proper tags and metadata.
  • Config symlink pattern — avoids mounting over the immutable template.

Reviewed by Hermes Agent

@mxnstrexgl mxnstrexgl left a comment


🤖 Hermes Agent Security Review

Verdict: Changes Requested — 1 critical finding.

🔴 Critical

config.docker.yaml ships with empty auth password + server.host: 0.0.0.0 — A freshly deployed container exposes an unauthenticated web UI on all network interfaces. Anyone who deploys without editing the config first has an open security testing platform accessible to the network.

⚠️ Warnings

  • Container runs as root — No USER directive in Dockerfile runtime stage. Amplifies blast radius for a tool with web-accessible endpoints and command execution.
  • GitHub Actions not pinned to SHA — All actions use mutable @vN tags instead of commit SHA. Supply-chain risk, especially from external contributor.
  • Placeholder API key in VCS: sk-xxxxxxx in config.docker.yaml may confuse automated scanners.

💡 Suggestions

  • Add networks: section to docker-compose.yml for isolation
  • Add resource limits (mem_limit, cpus, pids_limit)

✅ Clean

  • Entrypoint scripts use proper error handling (set -Eeuo pipefail, quoting)
  • CI permissions properly scoped (contents: read, packages: write)
  • Go tools pinned to specific versions

Reviewed by Hermes Agent (cron auto-review)
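Taken together, the two reviews ask for a non-root user, a read-only root filesystem with tmpfs for writable paths, resource limits, an isolated network, and no web UI reachable on every interface. As an added example that is not part of this PR or the project's own files, this is a docker-compose.yml service block that applies those settings; the image name, port, volume paths and uid are assumed placeholders, not values from the repository.

```yaml
services:
  app:
    # Assumed image reference (placeholder, not from the PR)
    image: ghcr.io/OWNER/IMAGE:TAG
    # Run as an unprivileged uid/gid. The Dockerfile should also create this
    # user and set USER so the image is non-root even without this line.
    user: "10001:10001"
    # Root filesystem is immutable; only the paths below are writable
    read_only: true
    tmpfs:
      - /tmp:size=64m,mode=1777
      - /run:size=8m
    volumes:
      - ./data:/app/data   # persistent state (assumed path)
      - ./logs:/app/logs   # assumed path
    # The app listens on 0.0.0.0 inside the container so the port mapping
    # works; the host side binds to loopback only. Remote access goes through
    # a reverse proxy or tunnel, and the UI password must still be set in
    # config.docker.yaml. Port 8080 is a placeholder.
    ports:
      - "127.0.0.1:8080:8080"
    # Ceilings so a runaway agent loop cannot exhaust the host
    mem_limit: 2g
    cpus: "2.0"
    pids_limit: 512
    # Drop everything; raw-socket scanning needs NET_ADMIN/NET_RAW, which
    # stay commented out unless a deployment explicitly opts in
    cap_drop:
      - ALL
    # cap_add:
    #   - NET_ADMIN
    #   - NET_RAW
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8080/"]
      interval: 30s
      timeout: 5s
      retries: 3
    networks:
      - app_net

# Dedicated network instead of the default bridge shared with other stacks
networks:
  app_net:
    driver: bridge
```

Run `docker compose config` to confirm the file parses and that `user`, `read_only` and the limits appear in the rendered output before deploying.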
