docs: mark SEC_REVIEW F22 as fixed in d9006eb

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (12 fixed, 15 open), 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (13 fixed, 14 open), 42 sev-1.
 
 ---
 
@@ -788,6 +788,23 @@
   `/internal/jobs/*`. Pin the base image digest and the apk versions
   or build a real image.
 - **Severity: 2**
+- **Status:** Fixed. Replaced the inline `image: alpine:3` + runtime
+  `apk add` with a real build context at `scheduler/`. The new
+  `scheduler/Dockerfile` pins `FROM alpine:3.21@sha256:48b0309c…`
+  and installs `curl=8.14.1-r2`, `tini=0.19.0-r3`,
+  `ca-certificates=20260413-r0` at build time; restarts now reuse
+  the locally-built image with no network fetch. The crontab
+  (`scheduler/scheduler.crontab`) is baked into the image, which
+  also removes the previously dangling `./docker/scheduler.crontab`
+  bind-mount path. The compose service runs `read_only: true` with
+  `no-new-privileges:true` and only `/run` + `/tmp` tmpfs mounts;
+  `cap_drop: [ALL]` was tested and rejected because busybox crond
+  calls `initgroups()` before each fork and dies with
+  "can't set groups" without `CAP_SETGID`. Verified end-to-end:
+  `docker compose -f docker-compose.yml -f compose.scheduler.yml
+  up -d` brings the sidecar up healthy and within one minute the
+  api responds `{"job":"tick","status":"success",...}` to the
+  scheduled curl.
 
 ### F23 — `jumbojett/openid-connect-php ^1.x` constraint pins a major with historical CVEs
 - **File:** `ui/composer.json:19`