# Docker profile

Enable this profile for repositories containing Dockerfiles, Compose files, container entrypoints, reverse proxy configuration, or containerized deployment logic.

## Rules

Codex MUST:

- avoid `latest` tags;
- prefer pinned or explicit versions;
- keep images small and reproducible;
- avoid privileged containers unless explicitly justified in an ADR;
- avoid unnecessary published ports;
- use least-privilege users where practical;
- avoid storing secrets in images or Compose files;
- use healthchecks when useful and practical;
- document exposed ports, volumes, networks, and runtime assumptions;
- keep entrypoints simple and explicit.

## Project mode behavior

If `.codex/project.md` sets `project_mode: work`, Codex SHOULD prefer Red Hat UBI minimal images when possible and reasonable.

If `.codex/project.md` sets `project_mode: personal`, Codex may use the most appropriate base image for the project, but it MUST still avoid `latest` tags and unsafe defaults.

## Validation examples

Use project-specific Docker-based commands, for example:

```bash
docker compose config
```

```bash
docker compose build
```

```bash
docker compose run --rm app pytest
```
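
As an added illustration (not part of this profile or of any project tooling), the following Python linter checks a Dockerfile or Compose file against four of the rules above: no `latest` or untagged images, no privileged containers, no inline secrets, and a non-root user. The sample files, the rule names and the `lint` and `unpinned` helpers are constructed for this example, and the checks are line-based heuristics rather than a full YAML or Dockerfile parser.

```python
import re

# Constructed sample inputs, written to break several of the rules above.
DOCKERFILE = """\
FROM python:latest AS build
FROM build
ENV API_TOKEN=abc123
"""
COMPOSE = """\
services:
  app:
    image: registry.example.com/app
    privileged: true
  db:
    image: postgres:16.3
    environment:
      POSTGRES_PASSWORD: example
"""
# Heuristic: a secret-looking key given a literal value (not a ${VAR} reference).
SECRET = re.compile(r"(PASSWORD|SECRET|TOKEN|API_?KEY)\s*[=:]\s*[^\s$]", re.I)

def unpinned(ref):  # True when the reference has no tag or digest, or uses :latest
    name = ref.rsplit("/", 1)[-1]  # drop registry host:port and path
    return "@sha256:" not in ref and (":" not in name or name.endswith(":latest"))

def lint(text):
    """Return (line_no, rule) findings for one Dockerfile or Compose file."""
    findings, stages, user = [], set(), None
    for n, line in enumerate(text.splitlines(), 1):
        s, parts = line.strip(), line.split()
        if s.upper().startswith("FROM "):
            ref = next((p for p in parts[1:] if not p.startswith("--")), "")
            if ref != "scratch" and ref not in stages and unpinned(ref):
                findings.append((n, "unpinned-image"))
            if len(parts) > 3 and parts[-2].upper() == "AS":
                stages.add(parts[-1])  # a later "FROM <stage>" is not a pull
            user = "root"  # assumed until a USER line; base images may differ
        elif s.upper().startswith("USER "):
            user = parts[1].split(":")[0]
        elif s.startswith("image:"):
            if unpinned(s[6:].strip().strip("\"'")):
                findings.append((n, "unpinned-image"))
        elif re.fullmatch(r"privileged:\s*true", s):
            findings.append((n, "privileged"))
        elif not s.startswith("#") and SECRET.search(s):
            findings.append((n, "inline-secret"))
    if user in ("root", "0"):
        findings.append((0, "runs-as-root"))  # line 0 marks a whole-file finding
    return findings
```

Calling `lint(DOCKERFILE)` or `lint(COMPOSE)` returns a list of `(line, rule)` tuples; an empty list means none of these four checks fired, not that the file satisfies the whole profile.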