security hardening

Dockerfile

@@ -1,18 +1,83 @@
-FROM node:20-alpine
+# syntax=docker/dockerfile:1
+
+# ---------------------------------------------------------------------------
+# Base image pin
+# ---------------------------------------------------------------------------
+# Pinned to a specific minor (20.19) so rebuilds are reproducible and satisfy
+# the package.json `engines` constraint (">=20.19 <22 || >=22.12").
+# A digest pin is PREFERRED for full immutability, e.g.:
+#   FROM node:20.19-alpine@sha256:<real-digest>
+# Add the real sha256 (from `docker buildx imagetools inspect node:20.19-alpine`)
+# when you have network access. We do NOT invent a fake digest here.
+
+# ===========================================================================
+# Stage 1 — builder: install ALL deps, generate Prisma client, build the app
+# ===========================================================================
+FROM node:20.19-alpine AS builder
+
+# openssl is required by Prisma's engines.
 RUN apk add --no-cache openssl
 
-EXPOSE 3000
+WORKDIR /app
+
+# Install the full dependency tree (incl. devDependencies needed by the
+# Vite / React Router build toolchain). NODE_ENV is intentionally left unset
+# here so `npm ci` does not prune devDependencies.
+COPY package.json package-lock.json* ./
+RUN npm ci
+
+# Copy the rest of the source and produce the production build + Prisma client.
+COPY . .
+RUN npx prisma generate \
+ && npm run build
+
+# ===========================================================================
+# Stage 2 — runtime: pruned prod deps + only the artifacts needed to run
+# ===========================================================================
+FROM node:20.19-alpine AS runtime
+
+# openssl for Prisma engines at runtime (migrate deploy / query engine).
+RUN apk add --no-cache openssl
 
 WORKDIR /app
 
 ENV NODE_ENV=production
+# Keep npm + Prisma incidental writes off the (dev) read-only root filesystem:
+# both are redirected to the tmpfs-backed /tmp mount.
+ENV NPM_CONFIG_CACHE=/tmp/.npm
+ENV CHECKPOINT_DISABLE=1
 
+# Install ONLY production dependencies.
 COPY package.json package-lock.json* ./
-
 RUN npm ci --omit=dev && npm cache clean --force
 
-COPY . .
+# Prisma schema + migrations are needed for `prisma generate` (below) and for
+# `prisma migrate deploy` on container start.
+COPY --from=builder /app/prisma ./prisma
+# Bake the generated Prisma client into the image so the container start
+# command only has to run migrations (no generate at runtime → compatible with
+# a read-only root filesystem).
+RUN npx prisma generate
 
-RUN npm run build
+# Application artifacts required at runtime.
+COPY --from=builder /app/build ./build
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/server.js ./server.js
 
+# Run as the unprivileged, pre-existing `node` user (uid/gid 1000). Ensure the
+# app tree is owned by it. NOTE: the SQLite DB is written to the /data bind
+# mount — the HOST directory mounted at /data MUST be chown'd to uid 1000
+# (see deploy/README.md), otherwise migrations/writes will fail as non-root.
+RUN chown -R node:node /app
+USER node
+
+EXPOSE 3000
+
+# Container-level health probe hitting the unauthenticated /healthz route.
+# busybox wget ships with node:alpine.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
+
+# Functionally equivalent to today's start: runs DB migrations then the server.
+# (`docker-start` no longer needs `prisma generate` — the client is baked above.)
 CMD ["npm", "run", "docker-start"]