Feature: socket-proxy support for coolify-sentinel (reduce RW docker socket exposure)

[mantas21]

Problem

coolify-sentinel is deployed with a read-write /var/run/docker.sock mount and no user
restriction (runs as root). This grants the sentinel process — and any vulnerability in it —
full Docker daemon control, which is root-equivalent on the host.

Proposed solution

Add an optional docker-socket-proxy (tecnativa/docker-socket-proxy) sidecar for sentinel,
similar to the approach recommended in Authentik's own docs for their worker. Sentinel only
needs read access to container stats/events — a proxy scoped to CONTAINERS=1 INFO=1 EVENTS=1
and no POST would be sufficient.

Environment

• Coolify version: 4.0.0-beta.463
• Sentinel version: 0.0.18
• Host: Linux (arm64), managed by Coolify

References

• https://docs.goauthentik.io/add-secure-apps/outposts/integrations/docker/
• https://github.com/Tecnativa/docker-socket-proxy
• OWASP Docker Security Cheat Sheet