Pin versions, add resource limits, and harden config

- Pin all Docker image tags (mysql 8.0.40, python 3.12.13-slim, node 20.20.1-alpine, nginx 1.29.6-alpine) - Pin all frontend npm dependencies to exact versions (remove ^ ranges) - Add mem_limit and cpus resource limits to all three containers - Add non-root appuser to backend Dockerfile - Migrate JWT from python-jose to PyJWT - Remove default admin_password in config.py — must be explicitly set in .env - Add DOCS_ENABLED flag to config and .env.example (default false) - Add indexes on session_date, is_active, event_type in session models - Add limit/offset pagination to all log endpoints Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:01:32 -07:00
parent 3022bc328b
commit 663b506868
9 changed files with 45 additions and 21 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  db:
-    image: mysql:8.0
+    image: mysql:8.0.40
    container_name: homeschool_db
    restart: unless-stopped
    environment:
@@ -17,6 +17,8 @@ services:
      interval: 10s
      timeout: 5s
      retries: 5
+    mem_limit: 512m
+    cpus: 1.0

  backend:
    build: ./backend
@@ -29,13 +31,15 @@ services:
      ACCESS_TOKEN_EXPIRE_MINUTES: ${ACCESS_TOKEN_EXPIRE_MINUTES:-30}
      REFRESH_TOKEN_EXPIRE_DAYS: ${REFRESH_TOKEN_EXPIRE_DAYS:-30}
      CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost:8057}
-      ADMIN_USERNAME: ${ADMIN_USERNAME:-admin}
-      ADMIN_PASSWORD: ${ADMIN_PASSWORD:-change_me_admin_password}
+      ADMIN_USERNAME: ${ADMIN_USERNAME}
+      ADMIN_PASSWORD: ${ADMIN_PASSWORD}
    depends_on:
      db:
        condition: service_healthy
    networks:
      - homeschool_net
+    mem_limit: 512m
+    cpus: 1.0

  frontend:
    build: ./frontend
@@ -47,6 +51,8 @@ services:
      - backend
    networks:
      - homeschool_net
+    mem_limit: 128m
+    cpus: 0.5

 networks:
  homeschool_net: