services:
  openclaw:
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=256m
      - /.openclaw:size=64m
    privileged: false
    user: "1001:1001"
    deploy:
      resources:
        limits:
          cpus: "3.5"
          memory: 14G
        reservations:
          cpus: "0.5"
          memory: 512M