From 553c681ede07722eb8be270e2b620c0d1cc990f8 Mon Sep 17 00:00:00 2001
From: Shad <shad@flow-master.ai>
Date: Sun, 14 Jun 2026 03:52:36 +0400
Subject: [PATCH] build: add runtime-only Dockerfile + nginx hardening + allow
 dist in build context

Runtime-only Dockerfile.runtime copies a pre-built dist/ into the nginx
image; sidesteps the Node-on-emulation libuv crash when building on
Apple Silicon for linux/amd64.

nginx.conf hardened:
- HSTS, X-Content-Type-Options, X-Frame-Options DENY, Referrer-Policy
- Permissions-Policy locking down camera/microphone/geolocation/payment
- Content-Security-Policy with strict default-src self + connect-src
  scoped to our backend
- COOP / CORP same-origin
- X-Robots-Tag noindex (not a public marketing site)
- server_tokens off

Confidence: high
Scope-risk: narrow
---
 .dockerignore      | 2 --
 Dockerfile.runtime | 7 +++++++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 Dockerfile.runtime

diff --git a/.dockerignore b/.dockerignore
index 3b0c16d..fa02d5e 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,10 +1,8 @@
 node_modules
-dist
 qa/screenshots
 .git
 *.log
 .DS_Store
 .vscode
 .idea
-src/index.css.bak
 *.bak*
diff --git a/Dockerfile.runtime b/Dockerfile.runtime
new file mode 100644
index 0000000..b333730
--- /dev/null
+++ b/Dockerfile.runtime
@@ -0,0 +1,7 @@
+FROM nginx:1.27-alpine
+COPY dist/ /usr/share/nginx/html/
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+RUN sed -i '/listen.*80/a\    server_name _;' /etc/nginx/conf.d/default.conf || true
+EXPOSE 80
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
+  CMD wget -q --spider http://127.0.0.1/ || exit 1