ebc1966103
Backend: new `app` user (UID 10001), STORAGE_DIR pre-chowned so the named volume inherits ownership, curl installed for the HEALTHCHECK that pings /api/v1/health. The crawler's Chromium uses --no-sandbox already so dropping privileges costs nothing operationally. Frontend: switch `npm install` to `npm ci` (matches CI; deterministic versions; refuses to silently rewrite package-lock.json mid-build). Run as the built-in `node` user via --chown=node:node, add a busybox wget HEALTHCHECK on port 3000. Both images now expose container-level health so orchestrators can take a wedged container out of rotation instead of letting it keep serving timeouts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2.6 KiB
2.6 KiB