Merge branch 'develop' into fix/auth-frontend-remediation

apps/api/Dockerfile

@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
 # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/
 
-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
@@ -57,15 +53,14 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 FROM node:24-slim AS production
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# Install dumb-init for proper signal handling (static binary from GitHub,
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 
-# Install dumb-init for proper signal handling
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 
 WORKDIR /app
 

apps/api/src/auth/auth.config.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from "node:crypto";
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 import { genericOAuth } from "better-auth/plugins";
@@ -216,6 +217,7 @@ export function createAuth(prisma: PrismaClient) {
       updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
     },
     advanced: {
+      generateId: () => randomUUID(),
       defaultCookieAttributes: {
         httpOnly: true,
         secure: process.env.NODE_ENV === "production",

apps/api/src/main.ts

@@ -49,8 +49,10 @@ async function bootstrap() {
 
   // Configure CORS for cookie-based authentication
   // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
+  const trustedOrigins = getTrustedOrigins();
+  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
   app.enableCors({
-    origin: getTrustedOrigins(),
+    origin: trustedOrigins,
     credentials: true, // Required for cookie-based authentication
     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],

apps/coordinator/Dockerfile

@@ -1,14 +1,10 @@
 # Multi-stage build for mosaic-coordinator
-FROM python:3.11-slim AS builder
+# Builder uses the full Python image which already includes gcc/g++/make,
+# avoiding a 336 MB build-essential install that exceeds Kaniko disk budget.
+FROM python:3.11 AS builder
 
 WORKDIR /app
 
-# Install build dependencies
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    build-essential \
-    && rm -rf /var/lib/apt/lists/*
-
 # Copy dependency files and private registry config
 COPY pyproject.toml .
 COPY pip.conf /etc/pip.conf

apps/orchestrator/Dockerfile

@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) for native addon compatibility.
 FROM node:24-slim AS base
@@ -26,9 +23,8 @@ COPY packages/config/package.json ./packages/config/
 COPY apps/orchestrator/package.json ./apps/orchestrator/
 
 # Install ALL dependencies (not just production)
-# This ensures NestJS packages and other required deps are available
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# No cache mount — Kaniko builds are ephemeral in CI
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
@@ -69,15 +65,14 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
 LABEL org.opencontainers.image.title="Mosaic Orchestrator"
 LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# Install dumb-init for proper signal handling (static binary from GitHub,
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 
-# Install wget and dumb-init
-RUN apt-get update && apt-get install -y --no-install-recommends wget dumb-init \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 
 WORKDIR /app
 
@@ -105,7 +100,7 @@ EXPOSE 3001
 
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
-  CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
+  CMD node -e "require('http').get('http://localhost:3001/health', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})"
 
 # Use dumb-init to handle signals properly
 ENTRYPOINT ["dumb-init", "--"]

apps/web/Dockerfile

@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) for consistency with API/orchestrator and to prevent
 # future native addon compatibility issues with Alpine's musl libc.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
 
-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
@@ -79,18 +75,15 @@ RUN mkdir -p ./apps/web/public
 # ======================
 FROM node:24-slim AS production
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# Install dumb-init for proper signal handling (static binary from GitHub,
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 
-# Install pnpm (needed for pnpm start command)
-RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
-
-# Install dumb-init for proper signal handling
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && corepack enable && corepack prepare pnpm@10.27.0 --activate \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
 
 WORKDIR /app