docker build updates to improve security

README.md

@@ -79,10 +79,35 @@ docker run \
 ### Docker Compose
 
 ```bash
-# Edit docker-compose.yml with your credentials
+# Edit prod.env with your credentials, then:
 docker-compose up
 ```
 
+#### Security: Running as Non-Root User
+
+By default, the container runs as a non-root user (UID 1000, GID 1000) for improved security. You can customize the user and group IDs by setting environment variables before running:
+
+```bash
+# Use specific user and group IDs
+USER_ID=1001 GROUP_ID=1001 docker-compose up
+
+# Use default (1000:1000)
+docker-compose up
+```
+
+The user and group IDs can also be specified in a `.env` file:
+
+```env
+USER_ID=1001
+GROUP_ID=1001
+REDDIT_CLIENT_ID=your_client_id
+REDDIT_CLIENT_SECRET=your_client_secret
+REDDIT_USERNAME=bot_username
+REDDIT_PASSWORD=bot_password
+SUBREDDIT=your_subreddit
+WIKI_PAGE=testpostsbot_config
+```
+
 ### Standalone
 
 ```bash
@@ -96,3 +121,10 @@ python bot.py
 - The config is fetched fresh for each trigger, so you can update the wiki while the bot is running.
 - Only the first matching trigger per message is processed.
 - All processed messages are tracked in `DB/chat_wiki_requests.txt` to avoid duplicate processing.
+
+## Security
+
+- **Non-Root Execution:** The Docker container runs as a non-root user (UID 1000, GID 1000) by default to minimize security risks. This can be customized via `USER_ID` and `GROUP_ID` environment variables.
+- **Credentials:** Store Reddit API credentials in environment variables or `.env` files, never hardcode them.
+- **Moderator-Only Commands:** All bot triggers and commands require the sender to be a moderator of the target subreddit.
+- **DB Directory:** Processed message IDs are stored in a local `DB/` directory to prevent duplicate processing and maintain stateful operation.