Pin versions, add resource limits, and harden config

- Pin all Docker image tags (mysql 8.0.40, python 3.12.13-slim, node 20.20.1-alpine, nginx 1.29.6-alpine) - Pin all frontend npm dependencies to exact versions (remove ^ ranges) - Add mem_limit and cpus resource limits to all three containers - Add non-root appuser to backend Dockerfile - Migrate JWT from python-jose to PyJWT - Remove default admin_password in config.py — must be explicitly set in .env - Add DOCS_ENABLED flag to config and .env.example (default false) - Add indexes on session_date, is_active, event_type in session models - Add limit/offset pagination to all log endpoints Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:01:32 -07:00
parent 3022bc328b
commit 663b506868
9 changed files with 45 additions and 21 deletions
--- a/.env.example
+++ b/.env.example
@@ -14,6 +14,9 @@ REFRESH_TOKEN_EXPIRE_DAYS=30
 # Comma-separated allowed CORS origins (no trailing slash)
 CORS_ORIGINS=http://localhost:8054

-# Super admin credentials (server-level access)
+# Super admin credentials — REQUIRED, no defaults ship with the service
 ADMIN_USERNAME=admin
-ADMIN_PASSWORD=change_me_admin_password
+ADMIN_PASSWORD=change_me_strong_password_here
+
+# Set to true only for local development (exposes /api/docs, /api/redoc)
+DOCS_ENABLED=false