curo/Business-Management
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Align all app containers to UID 1001, add infra protocol, update README

Browse Source 
- frontend prod: USER root for adduser, then USER appuser (1001:1001); fixes
  build failure caused by nginx-unprivileged already setting USER nginx
- docker-compose: frontend user updated to 1001:1001 (was 101:101)
- CLAUDE.md: add infrastructure change protocol (update README + test both
  stacks after any Dockerfile/compose/nginx change); fix stale passlib ref
- README: container table shows nginx-unprivileged image, UID column, internal
  port 8080 note; Current State notes all containers run as non-root

Both dev and prod stacks tested and verified (health, login, /users/me,
frontend serving, all containers confirmed non-root via docker inspect).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-04-13 17:29:02 +02:00
parent a5baef73d9
commit e117a33a73
5 changed files with 49 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CLAUDE.md
+16 -1
View File
@@ -7,7 +7,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
| Layer | Tech |
|---|---|
| Backend | FastAPI (async), SQLAlchemy 2 (async), Alembic, PostgreSQL |
| Auth | JWT via `python-jose`, bcrypt via `passlib` |
| Auth | JWT via `python-jose`, bcrypt via `bcrypt` (direct, no passlib) |
| Frontend | React 18, TypeScript, Vite, React Router v6, TanStack Query, Axios |
| Dev DB | PostgreSQL 16 via Docker Compose |
@@ -92,6 +92,21 @@ Browser → Vite dev server (:5173)
Always run `git push` immediately after every `git commit`.
## Infrastructure change protocol
After **any** change to Dockerfiles, `docker-compose*.yml`, `nginx.conf`, setup scripts, or installation / usage procedures:
1. **Update `README.md`** — keep the Containers table, ports, image names, and Current State section accurate.
2. **Spin up the dev stack** and verify that login and registration work end-to-end:
```bash
docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
```
3. **Spin up the prod stack** and run the same checks:
```bash
docker compose up --build -d
```
4. Confirm each container is running as a non-root user (`docker inspect <container> --format '{{.Config.User}}'`).
## Security hook
A pre-commit hook lives in `.githooks/pre-commit` and runs `scripts/security_check.py` inside a Docker container. It is registered via `git config core.hooksPath .githooks` (already set in this repo).