fix(docker): merge prod deps into standalone node_modules (not replace)

Replacing the Next standalone node_modules broke turbopack's externalized-
module resolution: the standalone tree is a matched set with the turbopack
server chunks, resolving externals (better-auth, postgres, pino, minio, ...)
by hashed id. With it replaced, every route using them 500'd with
"Failed to load external module <pkg>-<hash>" — confirmed on prod, while
`node .next/standalone/server.js` with the intact tree serves GET / (307)
and /api/health (200) cleanly.

So keep the standalone tree intact and MERGE the complete hoisted prod tree
in with `rsync --ignore-existing`: it adds the custom server's missing CJS
requires (socket.io closure: accepts/ws/engine.io/cors; drizzle-orm/index.cjs)
and skips everything the trace already provides — and tolerates the trace's
pnpm symlinks, where COPY/cp/tar/fs.cpSync all error on symlink-vs-dir.

Validated end-to-end on a host assembly of (intact standalone + merged prod
deps + the polyfilled server bundle): GET / → 307, /api/health → 200, zero
"Failed to load external module", zero MODULE_NOT_FOUND, server listening.
rsync --ignore-existing merge semantics verified in node:20-alpine.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -41,21 +41,24 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/public ./public
 COPY --from=builder --chown=nextjs:nodejs /app/dist/server.js ./server-custom.js
-# server-custom.js is CJS (esbuild --packages=external) and require()s its
+# The Next standalone node_modules is a MATCHED SET with the turbopack
-# deps at runtime — socket.io's full closure (engine.io→accepts/ws/cors),
+# server chunks — it resolves turbopack's externalized packages (better-auth,
-# drizzle-orm's CJS entry (index.cjs), zod, etc. The Next standalone trace
+# postgres, pino, minio, ...) by their hashed ids, so REPLACING it makes
-# builds node_modules for the APP's ESM imports, so it omits the socket
+# every route that uses them 500 with "Failed to load external module".
-# server's deps entirely (MODULE_NOT_FOUND 'accepts') AND ships ESM-only
+# But the custom server (server-custom.js, CJS via esbuild --packages=external)
-# entries for shared packages (drizzle-orm/index.cjs missing). A NODE_PATH
+# require()s deps the trace omits or ships ESM-only: socket.io's closure
-# fallback can't fix the latter — Node finds the incomplete package in the
+# (accepts/ws/engine.io/cors) and drizzle-orm's CJS entry (index.cjs). So
-# standalone tree and errors instead of falling through. So replace the
+# MERGE the complete hoisted prod tree INTO the standalone node_modules with
-# traced node_modules with the complete hoisted prod tree: every external
+# rsync --ignore-existing: it ADDS the missing packages/files and SKIPS
-# the custom server requires resolves. Next's standalone .next runs fine
+# everything the trace already provides (and unlike COPY/cp it tolerates the
-# on the full `next` package (same version, superset of the trace); the
+# trace's pnpm symlinks instead of erroring on symlink-vs-dir). The one
-# one thing the standalone bootstrap would set — globalThis.AsyncLocalStorage
+# thing the standalone server bootstrap would set — globalThis.AsyncLocalStorage
 # — is handled up-front by src/server-runtime-preamble.ts.
-RUN rm -rf ./node_modules
+COPY --from=prod-deps --chown=nextjs:nodejs /app/node_modules /opt/prod-node-modules
-COPY --from=prod-deps --chown=nextjs:nodejs /app/node_modules ./node_modules
+RUN apk add --no-cache --virtual .merge-deps rsync \
+ && rsync -a --ignore-existing /opt/prod-node-modules/ ./node_modules/ \
+ && rm -rf /opt/prod-node-modules \
+ && apk del .merge-deps
 USER nextjs
 EXPOSE 3000
 HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \