fix(docker): remediate all DockerSpec violations for field trial

- Replace docker-compose.yml → compose.yaml (modern Compose Spec, no version header) - Replace docker-compose.monitoring.yml → compose.monitoring.yaml - Remove deprecated version: '3.x' headers from both compose files - Add dedicated app-tier bridge network (no default bridge) - Add restart: unless-stopped to all services - Add deploy.resources.limits (memory + cpu) to all services - Add healthcheck to app service (curl /health) - Add healthchecks to prometheus and grafana in monitoring overlay - Externalize postgres credentials to env vars (POSTGRES_USER/PASSWORD/DB) - Externalize grafana admin password to GF_ADMIN_PASSWORD env var - Make env_file optional (required: false) for CI/field-trial environments - Update Dockerfile: node:18-alpine → node:20.11-bookworm-slim (pinned version) - Add explicit non-root system user/group (nodejs:1001/nodeapp:1001) - Add curl install to final stage for healthcheck probe - Copy src/db/migrations from build stage (not host bind) - Expand .dockerignore: tmp/, temp/, *.env.*, compose files, Dockerfiles - Add .env.example to git (was ignored by .env.* rule — add !.env.example exception) - Add POSTGRES_USER/PASSWORD/DB and GF_ADMIN_PASSWORD to .env.example All compose files pass: docker compose config --quiet ✅ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-08 08:19:49 +00:00
parent 30dc793ceb
commit 6fada694bb
8 changed files with 288 additions and 118 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,79 @@
+# SentryAgent.ai AgentIdP — Environment Variables
+# Copy this file to .env and fill in the values for your environment.
+
+# ── Server ──────────────────────────────────────────────────────────────────
+NODE_ENV=development
+PORT=3000
+CORS_ORIGIN=*
+
+# ── Database ─────────────────────────────────────────────────────────────────
+# Individual credentials — used by compose.yaml to construct DATABASE_URL
+POSTGRES_USER=sentryagent
+POSTGRES_PASSWORD=change-me-in-production
+POSTGRES_DB=sentryagent_idp
+
+DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@localhost:5432/${POSTGRES_DB}
+
+# PostgreSQL connection pool tuning (task 2.1)
+DB_POOL_MAX=20
+DB_POOL_MIN=2
+DB_POOL_IDLE_TIMEOUT_MS=30000
+DB_POOL_CONNECTION_TIMEOUT_MS=5000
+
+# ── Redis ────────────────────────────────────────────────────────────────────
+REDIS_URL=redis://localhost:6379
+
+# Rate limiting (task 1.2 / 1.3)
+# Set REDIS_RATE_LIMIT_ENABLED=true to use Redis-backed sliding-window rate limiting.
+# When false (or not set) the rate limiter operates in-process (RateLimiterMemory).
+REDIS_RATE_LIMIT_ENABLED=true
+
+# Sliding-window rate-limit configuration (task 1.3)
+RATE_LIMIT_WINDOW_MS=60000
+RATE_LIMIT_MAX_REQUESTS=100
+
+# ── JWT ──────────────────────────────────────────────────────────────────────
+# RS256 key pair — generate with:
+#   openssl genrsa -out private.pem 2048
+#   openssl rsa -in private.pem -pubout -out public.pem
+JWT_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+JWT_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
+
+# ── HashiCorp Vault (optional) ────────────────────────────────────────────────
+# When set, new agent credentials are stored in Vault KV v2 instead of bcrypt.
+# VAULT_ADDR=http://127.0.0.1:8200
+# VAULT_TOKEN=root
+# VAULT_KV_MOUNT=secret
+
+# ── OPA (optional) ───────────────────────────────────────────────────────────
+# URL of a running OPA server used for policy evaluation health checks.
+# OPA_URL=http://localhost:8181
+
+# ── Kafka (optional) ─────────────────────────────────────────────────────────
+# Comma-separated list of Kafka brokers. Leave unset to disable Kafka.
+# KAFKA_BROKERS=localhost:9092
+
+# ── TLS ──────────────────────────────────────────────────────────────────────
+# In production, set ENFORCE_TLS=true to redirect all HTTP requests to HTTPS.
+# ENFORCE_TLS=false
+
+# ── Billing (Stripe) ─────────────────────────────────────────────────────────
+# Set BILLING_ENABLED=false to disable free-tier enforcement (useful in dev/test).
+BILLING_ENABLED=false
+STRIPE_SECRET_KEY=sk_test_...
+STRIPE_WEBHOOK_SECRET=whsec_...
+STRIPE_PRICE_ID=price_...
+
+# ── Monitoring (Grafana) ─────────────────────────────────────────────────────
+# Used by compose.monitoring.yaml — must be changed from default
+GF_ADMIN_PASSWORD=change-me-in-production
+
+# ── Phase 6 Feature Flags ─────────────────────────────────────────────────────
+# Set ANALYTICS_ENABLED=false to disable /api/v1/analytics/* routes (returns 404).
+ANALYTICS_ENABLED=true
+
+# Set TIER_ENFORCEMENT=false to disable tier-based rate limit enforcement.
+TIER_ENFORCEMENT=true
+
+# Set COMPLIANCE_ENABLED=false to disable /api/v1/compliance/* routes (returns 404).
+COMPLIANCE_ENABLED=true