TelivANT · TelivANT · Feb 25, 2026 · Feb 25, 2026
diff --git a/Dockerfile b/Dockerfile
@@ -36,9 +36,15 @@ RUN apt-get update && apt-get install -y \
     curl \
     && rm -rf /var/lib/apt/lists/*
 
+# Create non-root user (DevOps red line: never run as root in containers)
+RUN groupadd -r memoryos && useradd -r -g memoryos -d /app -s /sbin/nologin memoryos
+
 WORKDIR /app
 
 COPY --from=builder /build/target/release/memoryos-gateway /app/
+RUN chown -R memoryos:memoryos /app
+
+USER memoryos
 
 EXPOSE 8080
 

diff --git a/Dockerfile.worker b/Dockerfile.worker
@@ -33,8 +33,14 @@ RUN apt-get update && apt-get install -y \
     libssl3 \
     && rm -rf /var/lib/apt/lists/*
 
+# Create non-root user
+RUN groupadd -r memoryos && useradd -r -g memoryos -d /app -s /sbin/nologin memoryos
+
 WORKDIR /app
 
 COPY --from=builder /build/target/release/memoryos-worker /app/
+RUN chown -R memoryos:memoryos /app
+
+USER memoryos
 
 CMD ["./memoryos-worker"]
diff --git a/crates/memoryos-core/src/error.rs b/crates/memoryos-core/src/error.rs
@@ -190,7 +190,7 @@ mod tests {
 
     #[test]
     fn all_variants_have_unique_error_codes() {
-        let variants = vec![
+        let variants = [
             AppError::Config("".into()),
             AppError::BadRequest("".into()),
             AppError::Unauthorized("".into()),

diff --git a/crates/memoryos-mcp/src/tools.rs b/crates/memoryos-mcp/src/tools.rs
@@ -266,7 +266,6 @@ impl ServerHandler for MemoryOsServer {
                 name: "memoryos-mcp".to_string(),
                 version: env!("CARGO_PKG_VERSION").to_string(),
             },
-            ..Default::default()
         }
     }
 }
diff --git a/crates/memoryos-wiki-gen/src/endpoint/fastapi_extractor.rs b/crates/memoryos-wiki-gen/src/endpoint/fastapi_extractor.rs
@@ -86,8 +86,12 @@ impl FastApiExtractor {
     }
 
     fn find_next_function(&self, lines: &[&str], start: usize) -> Option<String> {
-        for i in (start + 1)..lines.len().min(start + 5) {
-            let trimmed = lines[i].trim();
+        for line in lines
+            .iter()
+            .take(lines.len().min(start + 5))
+            .skip(start + 1)
+        {
+            let trimmed = line.trim();
             if trimmed.starts_with("def ") || trimmed.starts_with("async def ") {
                 let name_part = trimmed
                     .trim_start_matches("async ")

diff --git a/crates/memoryos-wiki-gen/src/storage/local.rs b/crates/memoryos-wiki-gen/src/storage/local.rs
@@ -18,11 +18,11 @@ impl LocalConnector {
         let full_path = self.root.join(path);
         let canonical = full_path
             .canonicalize()
-            .map_err(|e| crate::error::WikiGenError::Io(e))?;
+            .map_err(crate::error::WikiGenError::Io)?;
         let root_canonical = self
             .root
             .canonicalize()
-            .map_err(|e| crate::error::WikiGenError::Io(e))?;
+            .map_err(crate::error::WikiGenError::Io)?;
         if !canonical.starts_with(&root_canonical) {
             return Err(crate::error::WikiGenError::Storage(
                 "Path traversal denied: path escapes root directory".to_string(),

diff --git a/docs/RELEASE_CHECKLIST.md b/docs/RELEASE_CHECKLIST.md
@@ -211,6 +211,13 @@
 | 4 | API key 用 SHA-256 hash（无 salt） | API key 是高熵随机字符串，不同于密码，SHA-256 足够 |
 | 5 | ADMIN_TOKEN 未设置时仍可启动 | 已有 warn 日志，开发环境需要 |
 
+### AGENTS.md 审计 Round 2
+
+| # | 违规规则 | 角色 | 文件 | 修复 |
+|---|---------|------|------|------|
+| 1 | 🔴 DevOps: 容器不以 root 运行 | DevOps/SRE | Dockerfile, Dockerfile.worker | ✅ 添加 memoryos 非 root 用户 |
+| 2 | 🟡 Rust: cargo clippy 干净 | Rust 工程师 | error.rs, local.rs, tools.rs, fastapi_extractor.rs | ✅ 修复 4 个 Clippy 警告 |
+
 ---
 
 ## 六条准则审查 Round 9 (PR #103 后)