Merge branch 'develop' into fix/auth-frontend-remediation

apps/api/Dockerfile

@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
 # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/
 
-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
@@ -57,15 +53,14 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 FROM node:24-slim AS production
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
+# Install dumb-init for proper signal handling (static binary from GitHub,
+# avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
+ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 
-# Install dumb-init for proper signal handling
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
-    && rm -rf /var/lib/apt/lists/*
-
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 
 WORKDIR /app
 

apps/api/src/auth/auth.config.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from "node:crypto";
 import { betterAuth } from "better-auth";
 import { prismaAdapter } from "better-auth/adapters/prisma";
 import { genericOAuth } from "better-auth/plugins";
@@ -216,6 +217,7 @@ export function createAuth(prisma: PrismaClient) {
       updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
     },
     advanced: {
+      generateId: () => randomUUID(),
       defaultCookieAttributes: {
         httpOnly: true,
         secure: process.env.NODE_ENV === "production",

apps/api/src/main.ts

@@ -49,8 +49,10 @@ async function bootstrap() {
 
   // Configure CORS for cookie-based authentication
   // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
+  const trustedOrigins = getTrustedOrigins();
+  console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
   app.enableCors({
-    origin: getTrustedOrigins(),
+    origin: trustedOrigins,
     credentials: true, // Required for cookie-based authentication
     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
     allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],