diff --git a/docs/SECURITY_PLAN.md b/docs/SECURITY_PLAN.md index b7169c1..749e7c4 100644 --- a/docs/SECURITY_PLAN.md +++ b/docs/SECURITY_PLAN.md @@ -79,7 +79,7 @@ This plan turns the audit findings into a tracked, testable remediation roadmap. ### 1) Games Endpoint Risk Reduction - [x] Increase PIN entropy or move to a join token. -- [ ] Require host proof (secret or auth) for state mutation endpoints. +- [x] Require host proof (secret or auth) for state mutation endpoints. - [ ] Add per-endpoint throttling for public lookups. ### 2) Logging and Error Hygiene diff --git a/server/sandbox/Dockerfile b/server/sandbox/Dockerfile index 1b28fc9..b6c62bc 100644 --- a/server/sandbox/Dockerfile +++ b/server/sandbox/Dockerfile @@ -1,8 +1,8 @@ FROM node:22-alpine RUN apk add --no-cache libreoffice curl \ - && addgroup -g 1000 sandbox \ - && adduser -u 1000 -G sandbox -s /bin/sh -D sandbox \ + && addgroup -S sandbox \ + && adduser -S -G sandbox -s /bin/sh -D sandbox \ && mkdir -p /app /tmp/convert \ && chown -R sandbox:sandbox /app /tmp/convert
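Review bot: In the docs/SECURITY_PLAN.md hunk, the "Require host proof (secret or auth) for state mutation endpoints" item is ticked, but nothing in this patch touches those endpoints or adds a test for them. The plan describes itself as a "tracked, testable remediation roadmap", so the checkbox should cite the commit or test that enforces host proof, or stay unchecked until that change lands with it. Without the reference, a reader of the plan cannot tell which endpoints are covered or how to verify the item.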
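Review bot: In the server/sandbox/Dockerfile hunk, replacing `-g 1000` and `-u 1000` with `-S` means the sandbox account's numeric uid and gid are no longer pinned and are allocated when the image is built. Anything that refers to the account by number rather than by name (volume ownership on the host, a numeric run-as setting in the deployment) would stop matching, and nothing here records that. The `chown -R sandbox:sandbox` line is unaffected because it uses names. Either pin an explicit id alongside `-S`, or add a comment in the Dockerfile saying the id is intentionally unpinned and consumers must use the name. Separately, the system account keeps `-s /bin/sh`; if nothing logs in as sandbox, a non-login shell would be the tighter choice.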