fix(docker): remediate all DockerSpec violations for field trial

- Replace docker-compose.yml → compose.yaml (modern Compose Spec, no version header) - Replace docker-compose.monitoring.yml → compose.monitoring.yaml - Remove deprecated version: '3.x' headers from both compose files - Add dedicated app-tier bridge network (no default bridge) - Add restart: unless-stopped to all services - Add deploy.resources.limits (memory + cpu) to all services - Add healthcheck to app service (curl /health) - Add healthchecks to prometheus and grafana in monitoring overlay - Externalize postgres credentials to env vars (POSTGRES_USER/PASSWORD/DB) - Externalize grafana admin password to GF_ADMIN_PASSWORD env var - Make env_file optional (required: false) for CI/field-trial environments - Update Dockerfile: node:18-alpine → node:20.11-bookworm-slim (pinned version) - Add explicit non-root system user/group (nodejs:1001/nodeapp:1001) - Add curl install to final stage for healthcheck probe - Copy src/db/migrations from build stage (not host bind) - Expand .dockerignore: tmp/, temp/, *.env.*, compose files, Dockerfiles - Add .env.example to git (was ignored by .env.* rule — add !.env.example exception) - Add POSTGRES_USER/PASSWORD/DB and GF_ADMIN_PASSWORD to .env.example All compose files pass: docker compose config --quiet ✅ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-08 08:19:49 +00:00
parent 30dc793ceb
commit 6fada694bb
8 changed files with 288 additions and 118 deletions
--- a/compose.yaml
+++ b/compose.yaml
@@ -0,0 +1,95 @@
+# SentryAgent.ai AgentIdP — Docker Compose
+# Compose Specification (no version header — deprecated per modern Compose Spec)
+# Usage: docker compose up --build
+
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - '3000:3000'
+    environment:
+      NODE_ENV: ${NODE_ENV:-development}
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
+      REDIS_URL: redis://redis:6379
+      PORT: '3000'
+    env_file:
+      - path: .env
+        required: false
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    networks:
+      - app-tier
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+          cpus: '1.0'
+    healthcheck:
+      test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    # Bind mount for local development source-sync only
+    volumes:
+      - ./src:/app/src:ro
+
+  postgres:
+    image: postgres:14.12-alpine3.19
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB}
+    ports:
+      - '5432:5432'
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    networks:
+      - app-tier
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: '0.5'
+    healthcheck:
+      test: ['CMD-SHELL', 'pg_isready -U $POSTGRES_USER -d $POSTGRES_DB']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+
+  redis:
+    image: redis:7.2-alpine3.19
+    ports:
+      - '6379:6379'
+    volumes:
+      - redis-data:/data
+    networks:
+      - app-tier
+    restart: unless-stopped
+    deploy:
+      resources:
+        limits:
+          memory: 128m
+          cpus: '0.5'
+    healthcheck:
+      test: ['CMD', 'redis-cli', 'ping']
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
+
+networks:
+  app-tier:
+    driver: bridge
+
+volumes:
+  postgres-data:
+  redis-data: