feat: harden Ellie for production readiness

[Alexi5000]

Summary

This pull request hardens Ellie into a professional full-stack application baseline with backend operational readiness, production configuration validation, Docker support, release documentation, repository hygiene, and a visible About surface for users and reviewers.

Backend and production readiness

• Adds structured environment metadata and safe public status reporting without exposing secret values.
• Adds backend liveness and readiness endpoints: /api/health, /api/readiness, and /api/ready.
• Adds database readiness checks for deployment gates and operations.
• Adds Express security headers while preserving the existing tRPC and Vite full-stack runtime.
• Adds scripts/validate-env.ts and pnpm run validate:env / pnpm run validate:env:production.
• Adds Docker support with healthcheck-aligned runtime behavior.

Repository and product polish

• Rewrites the README as a production-grade engineering overview.
• Adds SETUP.md, RELEASES.md, and docs/PRODUCTION_READINESS.md.
• Adds a professional About page and links it from the application shell.
• Updates contribution guidance, PR template, docs index, GitHub automation notes, .gitignore, .dockerignore, and environment inventory.

Validation performed locally

Gate	Result
Frozen install	Passed
Environment inventory	Passed
TypeScript check	Passed
Unit tests	Passed: 2 files, 15 tests
Production build	Passed
Combined gate	Passed via pnpm run ci
Runtime health	Passed: /api/health returned HTTP 200 JSON
Runtime readiness	Passed expected fail-closed behavior: /api/readiness and /api/ready returned HTTP 503 JSON with dependency details when dummy DB was unavailable
Patch quality	Passed: git diff --check

Workflow-permission note

The originally approved local patch also modernized .github/workflows/*.yml, but GitHub rejected workflow file updates because the authenticated app token does not have workflow-write permission. To keep this PR reviewable and avoid blocking the backend/docs hardening, workflow changes were preserved as separate local proposal artifacts and excluded from this pushed branch.

Deployment note

This branch is build-verified and Dockerfile-ready. A live production deployment still requires real production secrets and infrastructure values, especially DATABASE_URL, JWT_SECRET, BUILT_IN_FORGE_API_URL, and BUILT_IN_FORGE_API_KEY. The readiness endpoint intentionally fails closed until critical dependencies are reachable.

[qodo-code-review]

CI Feedback 🧐

(Feedback updated until commit 606f40c)

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: Comment on PR

Failed stage: Comment [❌]

Failed test name: ""

Failure summary: The action failed when actions/github-script tried to create a PR comment via github.rest.issues.createComment and the GitHub API returned HttpError: Resource not accessible by integration (see dist/index.js:9537:21). This indicates the token used (github-token) did not have sufficient authorization in this workflow context to write the comment to the PR issue (common causes include workflows triggered from forks or restricted GITHUB_TOKEN permissions), so the API call to POST /repos/{owner}/{repo}/issues/{issue_number}/comments was denied and the step exited with an unhandled error.

Relevant error logs: 1: ##[group]Runner Image Provisioner 2: Hosted Compute Agent ... 49: 50: await github.rest.issues.createComment({ 51: owner: context.repo.owner, 52: repo: context.repo.repo, 53: issue_number: context.payload.pull_request.number, 54: body: comment 55: }); 56: 57: github-token: *** 58: debug: false 59: user-agent: actions/github-script 60: result-encoding: json 61: retries: 0 62: retry-exempt-status-codes: 400,401,403,404,422 63: ##[endgroup] 64: RequestError [HttpError]: Resource not accessible by integration 65: at /home/runner/work/_actions/actions/github-script/v7/dist/index.js:9537:21 ... 77: 'content-security-policy': "default-src 'none'", 78: 'content-type': 'application/json; charset=utf-8', 79: date: 'Sun, 17 May 2026 00:01:38 GMT', 80: 'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin', 81: server: 'github.com', 82: 'strict-transport-security': 'max-age=31536000; includeSubdomains; preload', 83: 'transfer-encoding': 'chunked', 84: vary: 'Accept-Encoding, Accept, X-Requested-With', 85: 'x-accepted-github-permissions': 'issues=write; pull_requests=write', 86: 'x-content-type-options': 'nosniff', 87: 'x-frame-options': 'deny', 88: 'x-github-api-version-selected': '2022-11-28', 89: 'x-github-media-type': 'github.v3; format=json', 90: 'x-github-request-id': 'E008:17636:AECBBC8:B16A586:6A090562', 91: 'x-ratelimit-limit': '5000', 92: ##[error]Unhandled error: HttpError: Resource not accessible by integration 93: 'x-ratelimit-remaining': '4990',

[qodo-code-review]

Review Summary by Qodo

Production hardening: operational endpoints, security headers, Docker support, and documentation baseline

✨ Enhancement 📝 Documentation

Walkthroughs

Description

• **Backend operational readiness**: Adds structured environment validation, security headers
  middleware, and operational endpoints (/api/health, /api/readiness) with database dependency
  checks for production deployment gates
• **Production configuration**: Implements safe environment metadata reporting, fail-closed
  readiness validation, and scripts/validate-env.ts for release gates without exposing secrets
• **Docker support**: Adds multi-stage Dockerfile with non-root user, healthchecks aligned to
  operational endpoints, and .dockerignore for optimized builds
• **Documentation overhaul**: Rewrites README as engineering overview, adds SETUP.md,
  RELEASES.md, and docs/PRODUCTION_READINESS.md with release gates and roadmap
• **Product visibility**: Adds professional About page explaining backend architecture and
  operational posture, linked from home navigation
• **Repository hygiene**: Updates contribution guide, PR template, GitHub automation docs, and
  environment inventory with production-focused guidance
• **Version bump**: Increments to v1.1.0 as production-hardening baseline with validation evidence

Diagram

flowchart LR
  ENV["Structured ENV<br/>Validation"]
  SEC["Security Headers<br/>Middleware"]
  OPS["Operational<br/>Endpoints"]
  DB["Database<br/>Readiness Check"]
  DOCKER["Docker Build<br/>with Healthcheck"]
  DOCS["Production Docs<br/>& Release Gates"]
  ABOUT["About Page<br/>& Navigation"]
  
  ENV --> OPS
  SEC --> OPS
  DB --> OPS
  OPS --> DOCKER
  OPS --> DOCS
  DOCS --> ABOUT

Loading

File Changes

1. server/_core/index.ts ✨ Enhancement +108/-3

Add operational endpoints and security headers to Express server

• Adds security headers middleware (applySecurityHeaders) with CSP, X-Frame-Options, and
 Permissions-Policy
• Implements /api/health and /api/readiness endpoints for operational probes and dependency
 checks
• Adds getServiceDependencyStatus() and readinessReport() functions to report configuration and
 database readiness
• Replaces ad hoc environment parsing with structured ENV object and adds
 assertProductionEnvironment() validation

server/_core/index.ts

---

2. server/_core/env.ts ✨ Enhancement +122/-8

Implement structured environment validation and safe status reporting

• Replaces simple environment variable getters with a structured ENVIRONMENT_VARIABLES inventory
 and type-safe ENV object
• Adds getEnvironmentChecks(), getMissingProductionVariables(), and getEnvironmentStatus()
 functions for safe status reporting
• Implements assertProductionEnvironment() to fail closed when production-required variables are
 missing
• Classifies variables as required or optional in production without exposing secret values

server/_core/env.ts

---

3. server/db.ts ✨ Enhancement +60/-3

Add database readiness check for operational probes

• Adds DependencyReadiness type to represent database health status with latency tracking
• Implements checkDatabaseReadiness() function that tests database connectivity and reports
 configuration state
• Updates getDb() to use the structured ENV.databaseUrl instead of raw process.env

server/db.ts

---

View more (16)

4. scripts/validate-env.ts ✨ Enhancement +25/-0

Add environment validation script for release gates

• New script that prints safe environment inventory without exposing secret values
• Reports production readiness status and lists configured vs. missing variables
• Exits with error code 1 if production mode is detected with missing required variables

scripts/validate-env.ts

---

5. README.md 📝 Documentation +177/-499

Rewrite README as production-grade engineering overview

• Rewrites README from feature-focused marketing copy to production-shaped engineering overview
• Adds backend architecture diagram, API surface documentation, and data model explanation
• Documents operational endpoints, configuration requirements, available scripts, and Docker
 workflow
• Replaces detailed feature tables with current product capabilities and planned backend milestones
• Adds release status, roadmap, and references to setup, production-readiness, and release
 documentation

README.md

---

6. CONTRIBUTING.md 📝 Documentation +85/-453

Streamline contribution guide for production-hardened workflow

• Replaces detailed contribution workflow with concise working agreement focused on backend
 truthfulness and operational readiness
• Simplifies branch strategy, commit message conventions, and validation gate requirements
• Adds backend contribution rules for tRPC routers, database schema, provider integrations, and
 secrets handling
• Documents documentation update requirements and pull request expectations with validation evidence

CONTRIBUTING.md

---

7. docs/README.md 📝 Documentation +100/-224

Reorganize documentation hub for current hardened baseline

• Replaces extensive documentation hub with concise index pointing to current active documentation
• Reorganizes docs into Start Here, Repository Map, Operational, Testing, CI, Product, and Migration
 sections
• Marks legacy and reference material clearly while highlighting current source-of-truth documents
• Adds maintenance rules for keeping documentation in sync with code changes

docs/README.md

---

8. .github/README.md 📝 Documentation +65/-98

Update GitHub automation documentation for current workflow

• Replaces detailed workflow documentation with concise GitHub automation overview
• Documents current review standard and validation gates required for pull requests
• Inventories existing workflow files with maintainer notes on alignment with root pnpm scripts
• Lists required secrets for production workflows and guidance on workflow permission requirements

.github/README.md

---

9. .github/PULL_REQUEST_TEMPLATE.md 📝 Documentation +69/-120

Simplify pull request template for operational focus

• Replaces lengthy PR template with focused template emphasizing validation evidence and operational
 impact
• Adds explicit sections for backend/data impact, validation evidence checklist, and security
 checklist
• Simplifies type-of-change options and adds reviewer focus areas and deployment notes
• Removes verbose checklists in favor of concise, actionable requirements

.github/PULL_REQUEST_TEMPLATE.md

---

10. docs/PRODUCTION_READINESS.md 📝 Documentation +88/-0

Add production readiness documentation and release gates

• New document defining production-readiness baseline for version 1.1.0
• Documents executive assessment, operational endpoints, required configuration, and release gate
 checklist
• Identifies backend hardening roadmap and production risk register with mitigations
• Provides maintainer notes on keeping documentation in sync with backend milestones

docs/PRODUCTION_READINESS.md

---

11. client/src/pages/About.tsx ✨ Enhancement +109/-0

Add About page explaining product and backend posture

• New About page explaining Ellie as a production-shaped full-stack application
• Displays backend architecture, operational endpoints, and current capabilities
• Documents what is ready to harden next and lists backend capabilities for future work
• Uses consistent design system with amber and cyan accents matching the Neural Noir theme

client/src/pages/About.tsx

---

12. SETUP.md 📝 Documentation +135/-0

Add comprehensive setup and deployment guide

• New setup guide documenting local development, production environment, database setup, and
 validation gates
• Provides step-by-step instructions for installation, environment configuration, and production
 build
• Documents Docker workflow with health and readiness checks
• Includes troubleshooting table and notes on next backend build-out

SETUP.md

---

13. RELEASES.md 📝 Documentation +71/-0

Add release history and planned backend milestones

• New release history document tracking product, backend, operational, and documentation milestones
• Documents version 1.1.0 as production-hardening baseline with validation requirements
• Outlines planned 1.2.0 backend milestone and 2.0.0 production SaaS milestone with acceptance
 criteria
• Provides clear release intent separate from commit history for reviewer understanding

RELEASES.md

---

14. client/src/pages/Home.tsx ✨ Enhancement +4/-3

Link About page from home navigation and footer

• Adds About button to navigation menu linking to the new /about route
• Updates footer text to reference tRPC, Drizzle, and production readiness checks instead of just
 Gemini and Whisper
• Makes footer text clickable to navigate to About page

client/src/pages/Home.tsx

---

15. .dockerignore ⚙️ Configuration changes +14/-0

Add Docker build context exclusion rules

• New file specifying build context exclusions for Docker image creation
• Excludes node_modules, build artifacts, environment files, git metadata, and logs
• Preserves .env.example for reference in the image

.dockerignore

---

16. .env.example ⚙️ Configuration changes +36/-18

Environment template restructured with production guidance

• Reorganized environment variables into logical sections with clear headers (Runtime, Database,
 Sessions, Forge AI, Branding)
• Added comprehensive documentation comments explaining purpose and production requirements for each
 variable
• Updated placeholder values to be more descriptive (e.g., replace-with-a-high-entropy-secret,
 https://api.example.com/)
• Removed deprecated variables and clarified optional vs. required configuration

.env.example

---

17. Dockerfile ⚙️ Configuration changes +29/-0

Production-ready Docker configuration with healthchecks

• Created multi-stage Docker build (base, deps, build, runtime) for optimized image size
• Configured production runtime with non-root ellie user for security
• Added healthcheck using /api/health endpoint with 30s interval and 15s startup grace period
• Installed pnpm via corepack and set up proper working directory and environment variables

Dockerfile

---

18. package.json ✨ Enhancement +7/-2

Added validation scripts and refined database commands

• Bumped version from 1.0.0 to 1.1.0
• Added validate:env and validate:env:production scripts for environment validation
• Added ci script that runs full validation gate (env, type check, tests, build)
• Refactored database scripts: split db:push into separate db:generate and db:migrate commands

package.json

---

19. client/src/App.tsx ✨ Enhancement +2/-0

Added About page route to application

• Imported new About component from ./pages/About
• Added /about route to the application router

client/src/App.tsx

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Docker runtime lacks node_modules 🐞 Bug ≡ Correctness

Description

The runtime Docker stage copies only package.json and dist/, but the server build uses esbuild
--packages=external, so imports like express remain external and require node_modules at
runtime; the container will fail to start with module-resolution errors. This breaks the advertised
Docker production workflow.

Code

Dockerfile[R18-29]

+FROM node:22.13.0-slim AS runtime
+ENV NODE_ENV=production
+ENV PORT=3000
+WORKDIR /app
+RUN groupadd --system ellie && useradd --system --gid ellie --home-dir /app ellie
+COPY --from=build --chown=ellie:ellie /app/package.json ./package.json
+COPY --from=build --chown=ellie:ellie /app/dist ./dist
+USER ellie
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD node -e "fetch('http://127.0.0.1:' + (process.env.PORT || 3000) + '/api/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"
+CMD ["node", "dist/index.js"]

Evidence

The runtime image never installs or copies dependencies, while the build explicitly externalizes
packages, so runtime will need node_modules to resolve imports.

Dockerfile[9-29]
package.json[6-13]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Docker runtime image does not contain Node dependencies, but the built server bundle is not self-contained because the build uses esbuild `--packages=external`.

## Issue Context
- `package.json` builds the server with externalized packages.
- `Dockerfile` runtime stage does not run `pnpm install` and does not copy `node_modules` from the build stages.

## Fix Focus Areas
- Dockerfile[18-29]
- package.json[6-18]

## Suggested fix options
Choose one:
1) **Preferred**: In the runtime stage, copy `package.json` + `pnpm-lock.yaml`, enable corepack, run `pnpm install --prod --frozen-lockfile`, then copy `dist/`.
2) Copy `node_modules/` from the `deps` (or `build`) stage into the runtime stage (be careful with pnpm symlinks/store; validate the container starts).
3) Make the server bundle self-contained by removing `--packages=external` (or explicitly bundling needed dependencies), then ensure `dist/` contains everything required.

Validate by running the built container and confirming `node dist/index.js` starts and `/api/health` returns 200.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. CSP includes unsafe-eval 🐞 Bug ⛨ Security

Description

applySecurityHeaders sets a Content-Security-Policy that includes `script-src 'unsafe-inline'
'unsafe-eval'` for all requests, including production, which materially weakens XSS protections.
This undercuts the PR’s production-hardening intent and expands the blast radius of any script
injection bug.

Code

server/_core/index.ts[R32-63]

+function applySecurityHeaders(req: Request, res: Response, next: NextFunction) {
+  const connectSrc = ["'self'"];
+
+  if (ENV.forgeApiUrl) {
+    try {
+      connectSrc.push(new URL(ENV.forgeApiUrl).origin);
+    } catch {
+      // Invalid URLs are reported by environment validation; do not block boot in development.
+    }
+  }
+
+  res.setHeader("X-Content-Type-Options", "nosniff");
+  res.setHeader("X-Frame-Options", "DENY");
+  res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+  res.setHeader("Permissions-Policy", "camera=(), geolocation=(), payment=(), usb=()");
+  res.setHeader(
+    "Content-Security-Policy",
+    [
+      "default-src 'self'",
+      "base-uri 'self'",
+      "frame-ancestors 'none'",
+      "img-src 'self' data: blob: https:",
+      "media-src 'self' blob: https:",
+      "font-src 'self' data:",
+      "style-src 'self' 'unsafe-inline'",
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+      `connect-src ${connectSrc.join(" ")}`,
+    ].join("; ")
+  );
+
+  next();
+}

Evidence

The CSP explicitly allows unsafe-inline and unsafe-eval, and the middleware is applied globally
before routes are mounted.

server/_core/index.ts[32-63]
server/_core/index.ts[108-117]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The server applies a CSP that allows `unsafe-eval` and `unsafe-inline` for scripts in all environments.

## Issue Context
The middleware is registered unconditionally (`app.use(applySecurityHeaders)`), so these allowances ship in production.

## Fix Focus Areas
- server/_core/index.ts[32-63]
- server/_core/index.ts[114-117]

## Suggested fix
- Make CSP **environment-aware**:
 - In **production**, remove `'unsafe-eval'` (and ideally `'unsafe-inline'`) from `script-src`.
 - If inline scripts are required, prefer **nonce**-based or hash-based CSP rather than `unsafe-inline`.
- Consider whether `connect-src` truly needs the Forge API origin (if the browser does not call it directly, keep `connect-src 'self'`).
- Verify the built app loads in production mode with the tightened CSP.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

3. Readiness exposes raw DB errors 🐞 Bug ⛨ Security

Description

/api/readiness returns raw database error.message strings and a detailed environment/dependency
report to unauthenticated callers, which can reveal internal connection details and operational
posture. This creates unnecessary information disclosure risk for a public endpoint.

Code

server/db.ts[R68-76]

+  } catch (error) {
+    return {
+      name: "database",
+      configured: true,
+      healthy: false,
+      critical: true,
+      message: error instanceof Error ? error.message : "Database readiness check failed.",
+      latencyMs: Date.now() - startedAt,
+    };

Evidence

The DB readiness check returns error.message verbatim, and readinessReport returns both
environment and dependencies objects on a public route.

server/db.ts[32-77]
server/_core/index.ts[90-105]
server/_core/index.ts[127-134]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Readiness endpoints include raw DB error messages and detailed environment status in the JSON response.

## Issue Context
- `/api/readiness` and `/api/ready` are mounted without auth.
- DB readiness uses `error.message` verbatim.

## Fix Focus Areas
- server/db.ts[68-76]
- server/_core/index.ts[90-105]
- server/_core/index.ts[127-134]

## Suggested fix
- Replace raw DB error message in readiness with a **sanitized** message (e.g., `"Database connection failed"`) and optionally a stable `reason`/`code` field.
- Consider reducing detail for public callers:
 - Option A: only return `{ ok, service, timestamp }` publicly and gate verbose dependency detail behind an internal header/network allowlist.
 - Option B: keep details only in non-production, and in production return a minimal dependency summary without internal strings.
- Keep secret *values* out (already true), but also avoid leaking internal hostnames/usernames via driver error strings.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

4. Docs port mismatch 🐞 Bug ⚙ Maintainability

Description

Docs instruct users to run Docker and curl health/readiness on port 5000 and claim PORT defaults
to 5000, but the actual runtime default and Dockerfile are 3000; following the docs will fail
health/readiness checks. This breaks the documented setup and release gates.

Code

README.md[R159-196]

+| Variable | Required in Production | Purpose |
+|---|---:|---|
+| `DATABASE_URL` | Yes | MySQL-compatible connection string used by Drizzle. |
+| `JWT_SECRET` | Yes | Session and token signing secret. |
+| `BUILT_IN_FORGE_API_URL` | Yes | AI/provider gateway endpoint. |
+| `BUILT_IN_FORGE_API_KEY` | Yes | AI/provider gateway credential. |
+| `VITE_APP_ID` | No | Optional public app identifier. |
+| `VITE_APP_TITLE` | No | Optional public app title. |
+| `OAUTH_SERVER_URL` | No | Optional OAuth provider URL for authenticated deployments. |
+| `OWNER_OPEN_ID` | No | Optional initial owner identity. |
+| `PORT` | No | HTTP port, defaulting to `5000` where supported. |

-### Typography
+## Available Scripts

-| Font | Usage |
+| Command | Purpose |
|---|---|
-| **Space Grotesk** | Display headings, navigation |
-| **IBM Plex Sans** | Body text, descriptions |
-| **JetBrains Mono** | Code, metrics, timestamps |
+| `pnpm dev` | Start the development server with Vite middleware and backend hot reload. |
+| `pnpm validate:env` | Print safe configuration inventory for the current environment. |
+| `pnpm validate:env:production` | Fail if production-required variables are missing. |
+| `pnpm check` | Run TypeScript typechecking without emitting files. |
+| `pnpm test` | Run the Vitest suite. |
+| `pnpm build` | Build the Vite frontend and bundled Node server. |
+| `pnpm start` | Start the built production server. |
+| `pnpm ci` | Run environment validation, typecheck, tests, and build as one release gate. |
+| `pnpm db:generate` | Generate Drizzle migrations. |
+| `pnpm db:migrate` | Apply Drizzle migrations. |
+| `pnpm db:push` | Generate and apply migrations through the project script. |
+
+## Docker
+
+Ellie includes a production Dockerfile and `.dockerignore`. The image installs dependencies with pnpm, builds the frontend and server, and starts the bundled production runtime.

-### Signature Elements
+```bash
+docker build -t ellie-ai:local .
+docker run --rm -p 5000:5000 --env-file .env ellie-ai:local
+curl http://localhost:5000/api/health
+curl http://localhost:5000/api/readiness
+```

Evidence

Docs explicitly reference port 5000, while .env.example, ENV.port defaulting logic, and the
Dockerfile are set to 3000.

README.md[159-196]
SETUP.md[53-119]
Dockerfile[18-28]
server/_core/env.ts[22-35]
.env.example[7-10]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Multiple docs now reference port 5000 for Docker and default `PORT`, but the code and Dockerfile use 3000.

## Issue Context
- `.env.example` sets `PORT=3000`.
- Server default is 3000 when `PORT` is unset.
- Dockerfile sets/exposes 3000.
- README/SETUP/RELEASES show `-p 5000:5000` and `curl http://localhost:5000/...`.

## Fix Focus Areas
- README.md[159-196]
- SETUP.md[53-119]
- RELEASES.md[40-47]
- Dockerfile[18-28]
- server/_core/env.ts[22-35]
- .env.example[7-10]

## Suggested fix
Pick one consistent standard and apply everywhere:
- **Option A (simplest):** standardize on **3000**:
 - Update docs to `docker run ... -p 3000:3000` and curl `http://localhost:3000/...`.
 - Change doc text to “defaults to 3000”.
- **Option B:** keep host port 5000 but map correctly: `-p 5000:3000` and curl localhost:5000.

Also ensure Dockerfile `EXPOSE` and `ENV PORT` match the chosen standard.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

[qodo-code-review]

1. Docker runtime lacks node_modules 🐞 Bug ≡ Correctness

The runtime Docker stage copies only package.json and dist/, but the server build uses esbuild
--packages=external, so imports like express remain external and require node_modules at
runtime; the container will fail to start with module-resolution errors. This breaks the advertised
Docker production workflow.

Agent Prompt

## Issue description
The Docker runtime image does not contain Node dependencies, but the built server bundle is not self-contained because the build uses esbuild `--packages=external`.

## Issue Context
- `package.json` builds the server with externalized packages.
- `Dockerfile` runtime stage does not run `pnpm install` and does not copy `node_modules` from the build stages.

## Fix Focus Areas
- Dockerfile[18-29]
- package.json[6-18]

## Suggested fix options
Choose one:
1) **Preferred**: In the runtime stage, copy `package.json` + `pnpm-lock.yaml`, enable corepack, run `pnpm install --prod --frozen-lockfile`, then copy `dist/`.
2) Copy `node_modules/` from the `deps` (or `build`) stage into the runtime stage (be careful with pnpm symlinks/store; validate the container starts).
3) Make the server bundle self-contained by removing `--packages=external` (or explicitly bundling needed dependencies), then ensure `dist/` contains everything required.

Validate by running the built container and confirming `node dist/index.js` starts and `/api/health` returns 200.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools