docs: clarify container privilege drop in security architecture (#385)

Copilot · Mossaka · web-flow · commit cd1eb82b09cb · 2026-01-22T11:00:57.000-08:00
* Initial plan

* docs: clarify container privilege drop in security architecture

Co-authored-by: Mossaka &lt;5447827+Mossaka@users.noreply.github.com&gt;

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: Mossaka &lt;5447827+Mossaka@users.noreply.github.com&gt;
diff --git a/docs-site/src/content/docs/reference/security-architecture.md b/docs-site/src/content/docs/reference/security-architecture.md
@@ -92,7 +92,7 @@ graph TB
 
 **Host iptables (DOCKER-USER chain)** — The outermost defense. Docker evaluates DOCKER-USER rules *before* container-specific chains, making it the right place to catch traffic from containers we didn't create directly. When the agent runs `docker run`, the spawned container joins `awf-net` and its egress hits DOCKER-USER where we route it through the proxy.
 
-**Container iptables (NAT table)** — Inside the agent container, NAT rules intercept outbound HTTP (port 80) and HTTPS (port 443) traffic, rewriting the destination to Squid at `172.30.0.10:3128`. This handles traffic from the agent process itself and any child processes (including stdio MCP servers).
+**Container iptables (NAT table)** — Inside the agent container, NAT rules intercept outbound HTTP (port 80) and HTTPS (port 443) traffic, rewriting the destination to Squid at `172.30.0.10:3128`. This handles traffic from the agent process itself and any child processes (including stdio MCP servers). After rule setup, the container drops `CAP_NET_ADMIN` capability, preventing malicious code from modifying firewall rules.
 
 **Squid ACL** — The primary control point. Squid receives CONNECT requests, extracts the target domain from SNI (for HTTPS) or Host header (for HTTP), and checks against the allowlist and blocklist. The evaluation order is:
 
