CapaKraken

Hartmut/CapaKraken

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hartmut	805bb0464f	security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50 ) - docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service and the app container's DATABASE_URL. No default — compose refuses to start without it, mirroring the existing PGADMIN_PASSWORD pattern. - Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into an inline env prefix on the `pnpm build` RUN step. Placeholders are still available to `next build` but no longer persist in the builder layer or in the published migrator image (which is FROM builder). - Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it. - .dockerignore: cover nested */.env, */.pem, */.key, /secrets/. - runtime-env.ts: add the CI build placeholder strings to the disallowed-secret set so a misconfigured prod deploy using the baked-in ARG defaults fails startup instead of silently running with a known-bad secret. - .env.example: document the new POSTGRES_PASSWORD requirement. - CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env (must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a dummy value in the E2E job where compose validates all services' interp. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-17 14:50:05 +02:00
Hartmut	0d78fe1770	feat: Sprint 0 — CI/CD pipeline, production Docker, health checks CI Pipeline (.github/workflows/ci.yml): - 5 jobs: typecheck, lint, test, build, e2e (parallel where possible) - PostgreSQL 16 + Redis 7 service containers for test/e2e - pnpm store, Turborepo, Playwright browser caching - Concurrency groups cancel in-progress runs Production Docker: - Dockerfile.prod: 3-stage build (deps → build → runtime ~150MB) - docker-compose.prod.yml: postgres + redis + app with health checks - .dockerignore for fast builds - next.config.ts: output: "standalone" for minimal runtime Health Check Endpoints: - GET /api/health — liveness probe (200 OK, no deps) - GET /api/ready — readiness probe (postgres + redis connectivity) Documentation: - docs/ci-cd-manual.md — full pipeline manual with troubleshooting - plan.md — Product Owner strategic plan (bottlenecks, growth, automation) Co-Authored-By: claude-flow <ruv@ruv.net>	2026-03-19 20:33:18 +01:00

Author

SHA1

Message

Date

Hartmut

805bb0464f

security(docker): remove hardcoded dev password, stop placeholder secrets leaking into migrator image (#50 )

- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
  and the app container's DATABASE_URL. No default — compose refuses to start
  without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
  an inline env prefix on the `pnpm build` RUN step. Placeholders are still
  available to `next build` but no longer persist in the builder layer or in
  the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
  set so a misconfigured prod deploy using the baked-in ARG defaults fails
  startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
  (must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
  dummy value in the E2E job where compose validates all services' interp.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-17 14:50:05 +02:00

Hartmut

0d78fe1770

feat: Sprint 0 — CI/CD pipeline, production Docker, health checks

CI Pipeline (.github/workflows/ci.yml):
- 5 jobs: typecheck, lint, test, build, e2e (parallel where possible)
- PostgreSQL 16 + Redis 7 service containers for test/e2e
- pnpm store, Turborepo, Playwright browser caching
- Concurrency groups cancel in-progress runs

Production Docker:
- Dockerfile.prod: 3-stage build (deps → build → runtime ~150MB)
- docker-compose.prod.yml: postgres + redis + app with health checks
- .dockerignore for fast builds
- next.config.ts: output: "standalone" for minimal runtime

Health Check Endpoints:
- GET /api/health — liveness probe (200 OK, no deps)
- GET /api/ready — readiness probe (postgres + redis connectivity)

Documentation:
- docs/ci-cd-manual.md — full pipeline manual with troubleshooting
- plan.md — Product Owner strategic plan (bottlenecks, growth, automation)

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-03-19 20:33:18 +01:00

2 Commits