- Pin NATS image to nats:2.10-alpine for reproducible builds
- Add nginx healthcheck using wget (curl not present in alpine)
- Upgrade nginx depends_on to use condition: service_started
- Add proxy buffer directives to http block (prevents JWT/large-header truncation)
- Add X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and
Referrer-Policy security headers to all SPA location blocks across
all five server blocks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ADMIN_EMAIL and ADMIN_PASSWORD were in the .env file but not
forwarded to the API container — bootstrap_admin() couldn't
read them, so no initial user was created. Login returned 400
on every attempt because no user existed in the database.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nginx container now builds the Vue frontend in a Node stage
instead of mounting local dist/ files. This means:
- No need to commit dist/ or build locally before deploying
- docker compose up --build handles everything end-to-end
- Removed obsolete compose version key
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
NATS minimal image has no shell tools for health probes. The API
already handles NATS unavailability gracefully, so service_started
is sufficient.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The old healthcheck used nats-server --signal ldm which puts NATS into
lame duck (shutdown) mode. Use the /healthz HTTP endpoint instead.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Config file already sets jetstream and store_dir. Duplicate CLI flags
cause NATS to exit with error.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
