feat(devops): improve multi-stage production Dockerfile for NestJS API

- Use pnpm deploy --prod for pruned production node_modules (smaller image)
- Add docker-entrypoint.sh with optional Prisma migration support (RUN_MIGRATIONS)
- Copy generated Prisma client explicitly into production stage
- Add OCI image labels for container registry metadata
- Update .dockerignore: exclude apps/web, libs/ai-services, agent configs, Python artifacts
- Add build directive + RUN_MIGRATIONS env to docker-compose.prod.yml
- Maintain non-root user, dumb-init signal handling, and healthcheck

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.dockerignore

@@ -7,6 +7,7 @@ dist
 .git
 .github
 .husky
+.gitignore
 
 # Documentation and tests
 docs
@@ -30,6 +31,7 @@ playwright-report
 coverage
 .turbo
 .cache
+.nx
 
 # OS files
 .DS_Store
@@ -37,8 +39,22 @@ Thumbs.db
 
 # Docker files (avoid recursive context)
 docker-compose*.yml
+Dockerfile*
 monitoring
 
 # Dev tools
 scripts/backup
 *.log
+
+# Python / AI services (not needed for API build)
+libs/ai-services
+__pycache__
+*.pyc
+.venv
+
+# Frontend (not needed for API build, has its own Dockerfile)
+apps/web
+
+# Agent configs (Paperclip / Claude)
+.claude
+agents

apps/api/Dockerfile

@@ -1,9 +1,16 @@
+# =============================================================================
+# GoodGo API — Multi-stage Production Dockerfile
+# Build: docker build -f apps/api/Dockerfile .   (from repo root)
+# =============================================================================
+
 # ---- Base ----
 FROM node:22-slim AS base
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
 WORKDIR /app
 
 # ---- Dependencies ----
+# Install ALL deps (dev + prod) needed for the build step.
+# Layer caching: lockfile + manifests change less often than source code.
 FROM base AS deps
 COPY pnpm-lock.yaml pnpm-workspace.yaml package.json turbo.json ./
 COPY apps/api/package.json apps/api/
@@ -12,6 +19,8 @@ COPY prisma/ prisma/
 RUN pnpm install --frozen-lockfile --filter @goodgo/api...
 
 # ---- Build ----
+# Compile TypeScript for mcp-servers lib (workspace dep), then the NestJS API,
+# then generate the Prisma client.
 FROM base AS build
 COPY --from=deps /app/node_modules ./node_modules
 COPY --from=deps /app/apps/api/node_modules ./apps/api/node_modules
@@ -20,22 +29,46 @@ COPY tsconfig.base.json ./
 COPY prisma/ prisma/
 COPY libs/mcp-servers/ libs/mcp-servers/
 COPY apps/api/ apps/api/
-RUN pnpm --filter @goodgo/mcp-servers build 2>/dev/null || true
+
-RUN cd apps/api && npx nest build
+RUN pnpm --filter @goodgo/mcp-servers build 2>/dev/null || true \
-RUN npx prisma generate
+    && cd apps/api && npx nest build \
+    && cd /app && npx prisma generate
+
+# Use pnpm deploy to produce a flat, production-only node_modules
+# This strips devDependencies and hoists only what @goodgo/api needs.
+RUN pnpm deploy --filter @goodgo/api --prod /app/pruned
 
 # ---- Production ----
 FROM node:22-slim AS production
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init && rm -rf /var/lib/apt/lists/*
+
+LABEL org.opencontainers.image.title="goodgo-api" \
+      org.opencontainers.image.description="GoodGo Platform NestJS API" \
+      org.opencontainers.image.vendor="GoodGo" \
+      org.opencontainers.image.source="https://github.com/goodgo/goodgo-platform-ai"
+
+# dumb-init for proper PID 1 signal handling
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends dumb-init \
+    && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 
 ENV NODE_ENV=production
 
+# Copy pruned production node_modules from pnpm deploy
+COPY --from=build --chown=node:node /app/pruned/node_modules ./node_modules
+# Copy compiled application
 COPY --from=build --chown=node:node /app/apps/api/dist ./dist
-COPY --from=build --chown=node:node /app/node_modules ./node_modules
+# Prisma schema + migrations (needed for runtime client & migrate deploy)
-COPY --from=build --chown=node:node /app/apps/api/node_modules ./apps/api/node_modules
 COPY --from=build --chown=node:node /app/prisma ./prisma
+# Copy generated Prisma client into node_modules
+COPY --from=build --chown=node:node /app/node_modules/.prisma ./node_modules/.prisma
+COPY --from=build --chown=node:node /app/node_modules/@prisma/client ./node_modules/@prisma/client
+# Package metadata
 COPY --from=build --chown=node:node /app/apps/api/package.json ./package.json
+# Entrypoint script
+COPY --chown=node:node apps/api/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
 EXPOSE 3001
 
@@ -44,5 +77,5 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
 
 USER node
 
-ENTRYPOINT ["dumb-init", "--"]
+ENTRYPOINT ["dumb-init", "--", "docker-entrypoint.sh"]
 CMD ["node", "dist/main"]

apps/api/docker-entrypoint.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+# =============================================================================
+# GoodGo API — Docker Entrypoint
+#
+# Optionally runs Prisma migrations before starting the application.
+# Set RUN_MIGRATIONS=true to apply pending migrations on startup.
+# In Kubernetes, prefer running migrations as an init container instead.
+# =============================================================================
+
+if [ "${RUN_MIGRATIONS}" = "true" ]; then
+  echo "[entrypoint] Running Prisma migrations..."
+  npx prisma migrate deploy --schema ./prisma/schema.prisma
+  echo "[entrypoint] Migrations complete."
+fi
+
+exec "$@"

docker-compose.prod.yml

@@ -1,6 +1,10 @@
 services:
   # ── Application Services ──────────────────────────────────────────────────────
   api:
+    build:
+      context: .
+      dockerfile: apps/api/Dockerfile
+      target: production
     image: ${REGISTRY_URL:-ghcr.io/goodgo}/goodgo-api:${IMAGE_TAG:-latest}
     container_name: goodgo-api
     restart: unless-stopped
@@ -21,6 +25,7 @@ services:
       MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
       AI_SERVICES_URL: http://ai-services:8000
       AI_SERVICES_API_KEY: ${AI_API_KEY}
+      RUN_MIGRATIONS: ${RUN_MIGRATIONS:-false}
     depends_on:
       postgres:
         condition: service_healthy