- Add resource limits (memory/CPU) and reservations for all services
- Add security hardening: read_only, no-new-privileges, tmpfs for temp dirs
- Add missing prod services: loki, promtail, pg-backup from dev compose
- Fix API healthcheck to include catch() for proper exit codes
- Add json-file logging driver with rotation limits across all services
- Remove exposed PostgreSQL port in prod (internal only)
- Add shm_size for PostgreSQL shared memory
- Add non-root user (appuser) to AI services Dockerfile
- Add --chown=node:node to COPY directives in API/Web Dockerfiles
- Harden .dockerignore: exclude IDE files, OS files, docker-compose files
- Fix Redis URL to include password authentication
- Add JWT_REFRESH_SECRET to API environment
- Add Grafana dependency on Loki for log datasource
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Add dumb-init + --timeout-graceful-shutdown 30 to AI service Dockerfile
- Add slowapi rate limiting (configurable via AI_RATE_LIMIT) and X-API-Key auth middleware
- Pin all Python dependencies to exact versions for reproducible builds
- Move Grafana admin credentials from env vars to Docker secrets in production compose
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Multi-stage Dockerfile for apps/api (NestJS) and apps/web (Next.js standalone)
- Production docker-compose.prod.yml with all services, health checks, and security
- Real deploy.yml pipeline: build → push to GHCR → deploy staging/production
- .dockerignore for optimized build context
- Enable Next.js standalone output mode
Co-Authored-By: Paperclip <noreply@paperclip.ing>
