From b1fa70eba44d9963d5d3024b32a446bb408063c7 Mon Sep 17 00:00:00 2001
From: jason
Date: Fri, 13 Mar 2026 00:38:50 -0500
Subject: [PATCH] fix: create /app/data after COPY steps to prevent permission clobber

The mkdir was running before the standalone COPY, which could overwrite /app/data contents or permissions. Move it to after all COPY statements and use chmod 700 so only nextjs owns and can write the SQLite data dir.

Co-Authored-By: Claude Sonnet 4.6
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 6985157..ac0eb0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,9 +34,6 @@ ENV DATABASE_URL="file:/app/data/dev.db"
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
 
-# Create data directory for SQLite and set permissions
-RUN mkdir -p /app/data && chown nextjs:nodejs /app/data
-
 COPY --from=builder /app/public ./public
 
 # Set the correct permission for prerender cache
@@ -49,6 +46,9 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/prisma ./prisma
 COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
 
+# Create data directory AFTER all copies so permissions are never clobbered
+RUN mkdir -p /app/data && chown nextjs:nodejs /app/data && chmod 700 /app/data
+
 USER nextjs
 
 EXPOSE 3000
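Review bot: The added `RUN mkdir -p /app/data && chown … && chmod 700 /app/data` hardens only the directory entry baked into the image: the `chown` is not recursive, and a host directory bind-mounted at `/app/data` at run time replaces it with the host's owner and mode. If an earlier `COPY` in this stage can deliver files under `data/` (the standalone copy is outside the hunk, but the commit message implies it can), those files keep the ownership they were copied with, so `chown -R nextjs:nodejs /app/data` would be the safer form. I would also extend the comment to state the contract, e.g. `# SQLite dir: 0700, owned by nextjs (uid 1001); a bind-mounted host dir must itself be owned by uid 1001`.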