audit: Tier 1/3/6/7 batch — PII redaction, mobile safe-area, perf, build hardening
Tier 1.4: error_events.request_body_excerpt sanitizer now redacts GDPR-relevant fields (email, phone, dob, address, fullName, firstName, lastName, postcode, nationalId, etc.) on top of the existing credential list. A 5xx in /api/v1/clients no longer lands full client PII in the super-admin inspector. Tier 3.10: ScanShell <main> now adds pb-[max(1.5rem, env(safe-area- inset-bottom))]. Mobile-pwa audit caught the Save expense button sitting flush against the iPhone 14/15 home indicator in standalone PWA mode. Tier 6.2: dashboard widget-registry now dynamic-imports every recharts-backed chart widget (berth status, lead source, occupancy timeline, pipeline funnel, revenue breakdown, source conversion). ~80-150KB initial-bundle savings when reps have charts disabled. ssr:false because recharts needs window. Tier 6.3: DataTable wraps the assembled columns in useMemo keyed on (columns, hasBulkActions). TanStack docs explicitly warn that rebuilding columns every render resets the table's internal state. Tier 7.1: Added .dockerignore (was missing — 7.6 GB context with .env reachable via COPY . .). Excludes git, env files, node_modules, build artefacts, IDE config, test artefacts, audit docs. Tier 7.4: Dockerfile.dev now runs as the node user (uid 1000) — was root. Working dir moves to /home/node/app. Tier 7.5: docker-compose.prod.yml adds memory limits (2g postgres, 512m redis, 1g crm-app, 1g crm-worker) and json-file log rotation (max-size, max-file) to every service. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
69
.dockerignore
Normal file
69
.dockerignore
Normal file
@@ -0,0 +1,69 @@
|
||||
# Build context exclusions — keep the image small AND prevent secrets
|
||||
# from accidentally leaking into a layer.
|
||||
# The audit caught that the previous absence of this file shipped a
|
||||
# 7.6 GB build context, with .env files reachable via `COPY . .`.
|
||||
|
||||
# Version control
|
||||
.git
|
||||
.gitignore
|
||||
.gitattributes
|
||||
|
||||
# Local env / secrets
|
||||
.env
|
||||
.env.*
|
||||
!.env.example
|
||||
|
||||
# Node / pnpm
|
||||
node_modules
|
||||
.pnpm-store
|
||||
.pnpm-debug.log
|
||||
npm-debug.log
|
||||
yarn-debug.log
|
||||
yarn-error.log
|
||||
|
||||
# Next.js build artifacts (regenerated inside the image)
|
||||
.next
|
||||
out
|
||||
|
||||
# Tooling caches
|
||||
.cache
|
||||
.turbo
|
||||
.eslintcache
|
||||
.vercel
|
||||
.swc
|
||||
|
||||
# OS noise
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
|
||||
# IDE
|
||||
.vscode
|
||||
.idea
|
||||
*.swp
|
||||
|
||||
# Testing / coverage
|
||||
coverage
|
||||
.nyc_output
|
||||
test-results
|
||||
playwright-report
|
||||
tests/e2e/visual/snapshots.spec.ts-snapshots/*.png
|
||||
playwright/.cache
|
||||
|
||||
# Project artefacts that don't belong in a runtime image
|
||||
.claude
|
||||
.husky
|
||||
docs
|
||||
AGENTS.md
|
||||
AUDIT-*.md
|
||||
SECURITY-GUIDELINES.md
|
||||
PROMPTS-*.md
|
||||
README.md
|
||||
*.log
|
||||
*.tgz
|
||||
|
||||
# Generated / scratch
|
||||
.serena
|
||||
.superpowers
|
||||
.remember
|
||||
.audit-cache
|
||||
.specstory
|
||||
Reference in New Issue
Block a user