diff --git a/README.md b/README.md
index a7f4f0a..4cca4a3 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 Base container images for Chaitin MonkeyCode developer workflows.
 
 ## Base image (bookworm)
-- Dockerfile: `docker/base/bookworm/Dockerfile` (Debian bookworm-slim, git/curl/build-essential/python3/gh, en_US.UTF-8 locale, default user root).
+- Dockerfile: `docker/base/bookworm/Dockerfile` (Debian bookworm-slim, git/git-lfs/curl/build-essential/python3/gh, Chaitin root CA, en_US.UTF-8 locale, default user root).
 - Build locally: `STACK=base VERSION=bookworm ./scripts/build.sh`
 - Push to GHCR: `PUSH=true REGISTRY=ghcr.io/chaitin/monkeycode-runner STACK=base VERSION=bookworm ./scripts/build.sh` (needs `docker login ghcr.io`).
 - Override apt mirrors by setting `DEBIAN_MIRROR` / `DEBIAN_SECURITY_MIRROR` before building.
@@ -28,6 +28,7 @@ Base container images for Chaitin MonkeyCode developer workflows.
 - **Node.js 22.22.0**: with Corepack (pnpm, yarn enabled)
 - **Python 3.11**: with pip (PIP_BREAK_SYSTEM_PACKAGES enabled)
   - Pre-installed packages: requests, flask, django, beautifulsoup4, scrapy
+- **Git LFS**: inherited from the base image and available as `git-lfs`
 - **Diagnostic tools**: htop, iputils-ping, iproute2, wget
 
 ### Example Usage:
@@ -39,6 +40,7 @@ docker run --rm -it -v $(pwd):/workspace ghcr.io/chaitin/monkeycode-runner/devbo
 go version      # Go 1.25.6
 node --version  # v22.22.0
 python3 --version  # 3.11.x
+git-lfs --version
 npm install     # Works with Corepack enabled
 python3 -c "import requests; print('requests:', requests.__version__)"  # 2.32.5
 python3 -c "import flask; print('flask:', flask.__version__)"  # 3.1.2
diff --git a/docker/base/bookworm/Dockerfile b/docker/base/bookworm/Dockerfile
index b63eca5..31c97fc 100644
--- a/docker/base/bookworm/Dockerfile
+++ b/docker/base/bookworm/Dockerfile
@@ -17,6 +17,7 @@ ARG DEBIAN_SECURITY_MIRROR="https://security.debian.org/debian-security"
 
 COPY --from=base-ca /etc/ssl/certs/ /etc/ssl/certs/
 COPY --from=base-ca /usr/share/ca-certificates/ /usr/share/ca-certificates/
+COPY docker/base/bookworm/certs/chaitin-ltd-root-ca.crt /usr/local/share/ca-certificates/chaitin-ltd-root-ca.crt
 
 RUN set -eux; \
     printf 'deb %s bookworm main contrib non-free non-free-firmware\n' "${DEBIAN_MIRROR}" > /etc/apt/sources.list; \
@@ -30,6 +31,7 @@ RUN apt-get update \
         locales \
         curl \
         git \
+        git-lfs \
         gnupg \
         build-essential \
         pkg-config \
@@ -58,6 +60,7 @@ RUN apt-get update \
     && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen \
     && locale-gen \
     && update-locale LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 \
+    && update-ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p /workspace
diff --git a/docker/base/bookworm/certs/chaitin-ltd-root-ca.crt b/docker/base/bookworm/certs/chaitin-ltd-root-ca.crt
new file mode 100644
index 0000000..312bbdc
--- /dev/null
+++ b/docker/base/bookworm/certs/chaitin-ltd-root-ca.crt
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGfjCCBGagAwIBAgIJAKQholQQn3b0MA0GCSqGSIb3DQEBCwUAMIHLMQswCQYD
+VQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEtMCsG
+A1UECgwkQmVpamluZyBDaGFpdGluIFRlY2hub2xvZ3kgQ28uLCBMdGQuMSowKAYD
+VQQLDCFTZXJ2aWNlIEluZnJhc3RydWN0dXJlIERlcGFydG1lbnQxHDAaBgNVBAMM
+E0NoYWl0aW4gTHRkIFJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9AY2hhaXRp
+bi5jb20wHhcNMTYwNzIyMDEyOTU2WhcNMzYwNzE3MDEyOTU2WjCByzELMAkGA1UE
+BhMCQ04xEDAOBgNVBAgMB0JlaWppbmcxEDAOBgNVBAcMB0JlaWppbmcxLTArBgNV
+BAoMJEJlaWppbmcgQ2hhaXRpbiBUZWNobm9sb2d5IENvLiwgTHRkLjEqMCgGA1UE
+CwwhU2VydmljZSBJbmZyYXN0cnVjdHVyZSBEZXBhcnRtZW50MRwwGgYDVQQDDBND
+aGFpdGluIEx0ZCBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGNoYWl0aW4u
+Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2dTYYnnhzTQOpzZj
+OhVpRljaOE7IPfPtIH2Xeveb4q7tMvJ3yfvBe88hLVJGgClyGx8Z5O/N3W4/ruKz
+e4zbPfNIj7klBF6tJQpbFCHw3AejVNidYcavf+hR9XJP4bbgIaVUUwAJcTWbxP74
+sgkJkibW1g0TjO8nBSo/nu0+OIGpiTQaEadrq72UzfgBa82jmISn96NTJHAIog+g
+5oe6Ji3ksXd2VlmesF+/1R+Y1xfxfPJl5VtG5bBZvmITg371F+ucOHJdxkozPQSV
+DAmqCCZtkgi2W/5ThpW+OpsVR6MbCXEbr2wzelnnxFAL+oPwgzqh4JLBj/2AOTKW
+8/c8h2zL/sZdQXD2j7N4avrLi6AM1ZG/RHxgETTzpLXRn2qRK8aTT2hLQGxi0/d6
+YB5Y1LUXiZR6J+8YGAZbTX4bArGLhGpy4p0a+IZeG5sMyfFy4fE4iTWIDWPWznGX
+n7E+GNr4jK/dDILWxyNv9fZnWXhYUZAb8s/ZSp89e+pnePAvy192jGGebCeN4s4w
+p4i2pFIeaIxl0Prff/SjNFsqAVW3Kqoua4VmxpYRnspy1vIyrkubkuE2Oe8VQiLD
+LxIAJTWRF4O/88b0n09ZFTVo07uNE6cE2Z08rAQDE+trQHfwHht56/AyMBGTBZU/
+G1OR3exQ/A0iZJ43pCSZ9B6eU68CAwEAAaNjMGEwHQYDVR0OBBYEFBDCKLRt3Ocv
+MwFeWxCHJJge8MRWMB8GA1UdIwQYMBaAFBDCKLRt3OcvMwFeWxCHJJge8MRWMA8G
+A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
+AQDKGNkvFONlQAyBJTb4UX3YgURP+kiM0yfOEIQwy2759kA2xTYNqhfcmCQ+oujI
+Ljdj50H7cBCSHVOnTxRSd47rnPkF+/nkkutdTuhvdtcm2ZxnosnRRtLitZYrrUq7
+OFgeaR1dApvV5mGmXDqJWwG91TVO/E9PjIux9QuITc1QH6SydZYgJvMzXv6qpwHg
+LAw9kwTrIEgR/o1u+Ej7UjHUXXD14VBBMEE66TbJz61zqPcmFPiAHvxVrTqQxU8U
+xFqcZpgWx3iSEPd7X+CRNaRhltSZkJshh2hRT2F3UyCYqONJh2oNO7rI6u+Knj5O
+IiRNfb5DPR+xqHJ7tk8oQT53qWo3yiKoS6qIYIZscq+8g4zhDEhzHEFmT0eW7KSZ
+h1qmGP/ipo34P3su66sjhfzcq3jWOGl430ZiuchGK59P00rtnWBXY8ROI1RqF4r1
+rbxL61ncmZxFH/k/wdxeJIMLpSeXVcK6CylkvR1SB0wpT0LCx/F6bHyAi/J2+3tA
+T4toQr/IuS282wEZNrIXGb6H3+1ua/FbCXexj/wG1UAy+Wp+mkc3JqvuJ4+B+bx1
+P59JfuJhu47Fi0HIXmlrCxn76D0VNniWNwYnqjR4jpkZiy7NyVMAuJTiXgHGnI6e
+IN/bXNXf9TdIzad4Wg2/FUY5C3UEdLa4DzcgWl8d1F8AMw==
+-----END CERTIFICATE-----