fix: remaining security and deployment hardening (#6 #7 #10)
#7 Transport Security:
- Removed legacy _ssl_ctx alias from config.py
- proxy.py now uses _internal_ssl_ctx directly (explicitly scoped)
- No global TLS bypass remains
#10 Deployment Hardening:
- Inventory Dockerfile: non-root (node user), health check, production deps
- Budget Dockerfile: non-root (node user), health check, npm ci, multi-stage ready
- Frontend-v2 Dockerfile: multi-stage build, non-root (node user), health check
- Added /health endpoints to inventory and budget (before auth middleware)
- All 6 containers now run as non-root with health checks
All services verified: gateway, trips, fitness, inventory, budget, frontend
2026-03-29 09:35:39 -05:00
2026-03-28 23:20:40 -05:00

# Stage 1: build the frontend with the full dependency set from package-lock.json
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# npm ci installs exactly the versions pinned in the lockfile (dev dependencies included)
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: runtime image; only build output and its dependencies are copied over
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/build ./build
COPY --from=builder /app/package.json ./
# Copies the builder's node_modules as-is, so the dev dependencies installed by npm ci come along
COPY --from=builder /app/node_modules ./node_modules
EXPOSE 3000
ENV NODE_ENV=production
# wget exits non-zero on a 4xx/5xx response, so a failing probe marks the container unhealthy
HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD wget -qO- http://localhost:3000/ || exit 1
# Drop root before the server process starts; files copied above stay root-owned and read-only for node
USER node
CMD ["node", "build"]
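The "before auth middleware" bullet in the commit message, as an added example that is not the project's own code: a minimal Node middleware chain in which the health route is matched before the auth check, so an unauthenticated container probe succeeds while every other route still requires a token. The token value, route paths and middleware names are assumptions made for this example.

```javascript
// Added example, not the project's code: a minimal middleware chain showing why
// /health is registered BEFORE the auth middleware, as the commit message says.
// Docker's HEALTHCHECK runs an unauthenticated probe (wget -qO- ...); wget exits
// non-zero on any 4xx/5xx, so a health route behind auth would answer 401 and the
// container would be flagged unhealthy even though the process is fine.

// Hypothetical shared secret for the example; a real service validates a session/JWT.
const API_TOKEN = 'constructed-example-token';

// Each middleware returns a response {status, body} or null to pass control on.
function healthRoute(req) {
  if (req.method === 'GET' && req.url === '/health') {
    // Liveness only: no version, hostname or dependency details are exposed.
    return { status: 200, body: JSON.stringify({ status: 'ok' }) };
  }
  return null;
}

function requireAuth(req) {
  const header = req.headers['authorization'] || '';
  if (header !== `Bearer ${API_TOKEN}`) {
    return { status: 401, body: 'unauthorized' };
  }
  return null;
}

function apiRoute(req) {
  return { status: 200, body: JSON.stringify({ path: req.url, items: [] }) };
}

// Order matters: /health is answered before requireAuth ever runs.
const chain = [healthRoute, requireAuth, apiRoute];

function dispatch(req) {
  for (const middleware of chain) {
    const res = middleware(req);
    if (res) return res;
  }
  return { status: 404, body: 'not found' };
}

// Mirrors the HEALTHCHECK's `wget ... || exit 1`: success only on a non-error response.
// Returns the exit code Docker would see (0 = healthy, 1 = unhealthy).
function probeExitCode(req) {
  const res = dispatch(req);
  return res.status >= 200 && res.status < 300 ? 0 : 1;
}
```

Swapping the first two entries of `chain` is enough to make `probeExitCode` return 1 for `/health`, which is exactly the failure mode the commit avoids.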