built production image #145

.github/workflows/node-ci.yml

@@ -70,12 +70,12 @@ jobs:
   # ── Security scanning ─────────────────────────────────────────────────────
   # Issue #114: npm audit for known vulnerabilities
   # Fails on high or critical CVEs to prevent merging vulnerable dependencies
-  # 
+  #
   # Policy: Builds fail on HIGH or CRITICAL vulnerabilities
   # - HIGH/CRITICAL: Must be fixed before merge (blocking)
   # - MODERATE: Review required, fix in follow-up PR (non-blocking via Dependabot)
   # - LOW: Tracked via Dependabot, fix during regular maintenance
-  # 
+  #
   # Dependabot automatically creates PRs for vulnerable dependencies
   security-scan:
     name: Security audit

Dockerfile

@@ -1,42 +1,32 @@
-# ── Stage 1: build ────────────────────────────────────────────────────────────
 FROM node:20-alpine AS builder
 
 WORKDIR /app
 
-# Install dependencies (including devDependencies needed for tsc + prisma generate)
 COPY package*.json ./
 RUN npm ci
 
-# Generate Prisma client (requires schema but not a live DB)
 COPY prisma ./prisma
 RUN npx prisma generate
 
-# Compile TypeScript
 COPY tsconfig.json ./
 COPY src ./src
 RUN npm run build
 
-# Prune dev dependencies — only production deps go into the runtime image
-RUN npm ci --omit=dev
-
-# ── Stage 2: runtime ──────────────────────────────────────────────────────────
 FROM node:20-alpine AS runtime
 
-# Least-privilege user
 RUN addgroup -S app && adduser -S app -G app
 
 WORKDIR /app
 
-# Copy compiled output, production node_modules, and Prisma artefacts
+COPY --from=builder /app/package*.json ./
+RUN npm ci --omit=dev
+
 COPY --from=builder /app/dist ./dist
-COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/prisma ./prisma
-COPY package.json ./
+COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma
 
 USER app
 
 EXPOSE 3001
 
-# Run migrations then start the server.
-# In Kubernetes use an initContainer for the migrate step so rollout is atomic.
 CMD ["sh", "-c", "npx prisma migrate deploy && node dist/index.js"]

package.json

@@ -11,8 +11,8 @@
     "lint": "npm run lint:types && npm run lint:style",
     "lint:types": "tsc --noEmit",
     "lint:style": "eslint \"src/**/*.ts\" \"prisma/**/*.ts\"",
-    "format": "prettier --write .github/workflows/node-ci.yml package.json .prettierrc.json eslint.config.mjs src/nlp/parser.ts src/stellar/dlq.ts src/whatsapp/handler.ts src/whatsapp/userManager.ts tests/helpers/testDb.ts tests/integration/stellar/events.test.ts tests/unit/nlp/parser.test.ts tests/unit/whatsapp/handler.test.ts",
-    "format:check": "prettier --check .github/workflows/node-ci.yml package.json .prettierrc.json eslint.config.mjs src/nlp/parser.ts src/stellar/dlq.ts src/whatsapp/handler.ts src/whatsapp/userManager.ts tests/helpers/testDb.ts tests/integration/stellar/events.test.ts tests/unit/nlp/parser.test.ts tests/unit/whatsapp/handler.test.ts",
+    "format": "prettier --write .github/workflows/node-ci.yml package.json .prettierrc.json eslint.config.mjs src/nlp/parser.ts src/stellar/dlq.ts src/whatsapp/handler.ts src/whatsapp/userManager.ts tests/unit/stellar/dlq-alerts.test.ts",
+    "format:check": "prettier --check .github/workflows/node-ci.yml package.json .prettierrc.json eslint.config.mjs src/nlp/parser.ts src/stellar/dlq.ts src/whatsapp/handler.ts src/whatsapp/userManager.ts tests/unit/stellar/dlq-alerts.test.ts",
     "prisma:generate": "npx prisma generate",
     "prisma:generate": "npx prisma generate"
   },
@@ -71,4 +71,4 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3"
   }
-}
+}

src/stellar/dlq.ts

@@ -13,7 +13,7 @@ import { xdr } from '@stellar/stellar-sdk'
 import { logger } from '../utils/logger'
 import db from '../db'
 import { updateDlqSize } from '../utils/metrics'
-import config from '../config'
+import { config } from '../config'
 import { alertingService, type DLQAlertPayload } from '../services/alerting'
 
 export type DeadLetterEventStatus = 'PENDING' | 'RETRIED' | 'RESOLVED'