From 0ed8f1f83ec1df8230a0c9ef5f964e2359847935 Mon Sep 17 00:00:00 2001
From: Yusuf Suleman <yusuf@quadjourney.com>
Date: Sun, 29 Mar 2026 09:18:42 -0500
Subject: [PATCH] =?UTF-8?q?fix:=20deployment=20hardening=20=E2=80=94=20non?=
 =?UTF-8?q?-root=20containers=20and=20health=20checks=20(#10)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Gateway, Trips, Fitness Dockerfiles: run as non-root (appuser)
- Added HEALTHCHECK to gateway, trips, fitness
- Used --chown=appuser on COPY for correct file permissions
- Created data dirs with proper ownership before USER switch
- Trips Dockerfile no longer copies whole context (only server.py)

Partial fix for #10 — Node services (inventory, budget, frontend) not yet hardened.
---
 gateway/Dockerfile                  | 10 +++++++---
 services/fitness/Dockerfile.backend |  8 ++++++--
 services/trips/Dockerfile           | 12 ++++++------
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/gateway/Dockerfile b/gateway/Dockerfile
index f4ced20..668e102 100644
--- a/gateway/Dockerfile
+++ b/gateway/Dockerfile
@@ -1,8 +1,12 @@
 FROM python:3.12-slim
 WORKDIR /app
-RUN pip install bcrypt
-COPY server.py config.py database.py sessions.py proxy.py responses.py auth.py dashboard.py command.py ./
-COPY integrations/ ./integrations/
+RUN pip install --no-cache-dir bcrypt
+RUN adduser --disabled-password --no-create-home appuser
+RUN mkdir -p /app/data && chown -R appuser /app/data
+COPY --chown=appuser server.py config.py database.py sessions.py proxy.py responses.py auth.py dashboard.py command.py ./
+COPY --chown=appuser integrations/ ./integrations/
 EXPOSE 8100
 ENV PYTHONUNBUFFERED=1
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:8100/api/health', timeout=3)" || exit 1
+USER appuser
 CMD ["python3", "server.py"]
diff --git a/services/fitness/Dockerfile.backend b/services/fitness/Dockerfile.backend
index ce89e6a..d43a60a 100644
--- a/services/fitness/Dockerfile.backend
+++ b/services/fitness/Dockerfile.backend
@@ -1,7 +1,11 @@
 FROM python:3.12-slim
 WORKDIR /app
-RUN pip install bcrypt
-COPY server.py .
+RUN pip install --no-cache-dir bcrypt
+RUN adduser --disabled-password --no-create-home appuser
+RUN mkdir -p /app/data/images && chown -R appuser /app/data
+COPY --chown=appuser server.py .
 EXPOSE 8095
 ENV PYTHONUNBUFFERED=1
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:8095/api/health', timeout=3)" || exit 1
+USER appuser
 CMD ["python3", "server.py"]
diff --git a/services/trips/Dockerfile b/services/trips/Dockerfile
index 16bb965..46f88ea 100644
--- a/services/trips/Dockerfile
+++ b/services/trips/Dockerfile
@@ -1,11 +1,11 @@
 FROM python:3.12-slim
-
 WORKDIR /app
-
 ENV PYTHONUNBUFFERED=1
-
 RUN pip install --no-cache-dir PyPDF2 bcrypt
-
-COPY . .
-
+RUN adduser --disabled-password --no-create-home appuser
+RUN mkdir -p /app/data/images && chown -R appuser /app/data
+COPY --chown=appuser server.py .
+EXPOSE 8087
+HEALTHCHECK --interval=30s --timeout=5s --retries=3 CMD python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:8087/api/health', timeout=3)" || exit 1
+USER appuser
 CMD ["python3", "server.py"]