Final touches on devcontainer

install/production-filesystem/services/scripts/check-root.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+# check-root.sh - ensure the container is not running as root.
+
+CURRENT_UID="$(id -u)"
+
+if [ "${CURRENT_UID}" -eq 0 ]; then
+    YELLOW=$(printf '\033[1;33m')
+    RESET=$(printf '\033[0m')
+    >&2 printf "%s" "${YELLOW}"
+    >&2 cat <<'EOF'
+══════════════════════════════════════════════════════════════════════════════
+⚠️  ATTENTION: NetAlertX is running as root (UID 0).
+
+    This defeats every hardening safeguard built into the image. You just
+    handed a high-value network monitoring appliance full control over your
+    host. If an attacker compromises NetAlertX now, the entire machine goes
+    with it.
+
+    Run the container as the dedicated 'netalertx' user instead:
+      * Keep the default USER in the image (20211:20211), or
+      * In docker-compose.yml, remove any 'user:' override that sets UID 0.
+
+    Bottom line: never run security tooling as root unless you are actively
+    trying to get pwned.
+══════════════════════════════════════════════════════════════════════════════
+EOF
+    >&2 printf "%s" "${RESET}"
+    exit 1
+fi
+
+exit 0