Milestone 4: payment abstraction, receipts, refunds, logging, hardened Docker

- lib/payments.ts: provider-agnostic payment interface; cash (immediate) and card stub (swappable for Square/Stripe Terminal/Tyro) - POST /transactions/:id/refund — manager+, server-authoritative, blocks double-refund - GET /transactions/:id/receipt — structured receipt payload for print/email/SMS - lib/logger.ts: minimal structured JSON logger respecting LOG_LEVEL env var - middleware/requestLogger.ts: per-request method/path/status/ms logging - errorHandler now uses structured logger instead of console.error - Dockerfile: non-root user (appuser), HEALTHCHECK via /api/v1/health, npm cache cleared in runtime stage Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 06:57:33 -05:00
parent d78ce35104
commit 2aa041d45e
9 changed files with 249 additions and 28 deletions
--- a/35
+++ b/35
@@ -1,44 +1,55 @@
-# Stage 1: Build
+# ─── Stage 1: Build ───────────────────────────────────────────────────────
 FROM node:20-alpine AS builder

 WORKDIR /app

-# Install server deps and build
+# Server
 COPY server/package*.json ./server/
 RUN cd server && npm ci

 COPY server/ ./server/
 RUN cd server && npm run db:generate && npm run build

-# Install client deps and build
+# Client
 COPY client/package*.json ./client/
 RUN cd client && npm ci

 COPY client/ ./client/
 RUN cd client && npm run build

-# Stage 2: Runtime
+# ─── Stage 2: Runtime ─────────────────────────────────────────────────────
 FROM node:20-alpine AS runtime

+# Security: run as non-root
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
 WORKDIR /app

 ENV NODE_ENV=production

-# Copy server production deps
+# Server production deps only
 COPY server/package*.json ./server/
-RUN cd server && npm ci --omit=dev
+RUN cd server && npm ci --omit=dev && npm cache clean --force

-# Copy built server
-COPY --from=builder /app/server/dist ./server/dist
-COPY --from=builder /app/server/prisma ./server/prisma
-COPY --from=builder /app/server/node_modules/.prisma ./server/node_modules/.prisma
-COPY --from=builder /app/server/node_modules/@prisma ./server/node_modules/@prisma
+# Built artifacts
+COPY --from=builder /app/server/dist       ./server/dist
+COPY --from=builder /app/server/prisma     ./server/prisma
+COPY --from=builder /app/server/node_modules/.prisma  ./server/node_modules/.prisma
+COPY --from=builder /app/server/node_modules/@prisma  ./server/node_modules/@prisma

-# Copy built client
+# React SPA
 COPY --from=builder /app/client/dist ./client/dist

+# Data directory for SQLite (bind-mount or volume in production)
+RUN mkdir -p /data && chown appuser:appgroup /data
+
+USER appuser
+
 EXPOSE 8080

+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD wget -qO- http://localhost:8080/api/v1/health || exit 1
+
 WORKDIR /app/server

 CMD ["sh", "-c", "npx prisma migrate deploy && node dist/index.js"]