From c24e257ac80250e0a5445d54ae378e2c6d4535ea Mon Sep 17 00:00:00 2001
From: Claude Code
Date: Mon, 6 Apr 2026 21:20:04 -0700
Subject: [PATCH] =?UTF-8?q?infra(infrastructure):=20=F0=9F=A7=B1=20Update?=
 =?UTF-8?q?=20Dockerfiles=20and=20docker-compose.prod.yaml=20for=20optimiz?=
 =?UTF-8?q?ed=20resource=20allocation,=20security,=20and=20compatibility?=
 =?UTF-8?q?=20across=20services?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Lilith Autocommit
---
 infrastructure/docker-compose.prod.yaml | 39 +++++++++++++++----------
 services/api/Dockerfile | 2 +-
 services/collector/Dockerfile | 2 +-
 services/processor/Dockerfile | 2 +-
 services/realtime/Dockerfile | 2 +-
 services/website-bff/Dockerfile | 2 +-
 6 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/infrastructure/docker-compose.prod.yaml b/infrastructure/docker-compose.prod.yaml
index f788048..c7becec 100644
--- a/infrastructure/docker-compose.prod.yaml
+++ b/infrastructure/docker-compose.prod.yaml
@@ -14,10 +14,10 @@
 # - Realtime: WebSocket gateway (port 4004) — optional, start manually if needed
 # - Website BFF: Analytics proxy for website dashboard (port 4005)
 #
-# Memory budget (960MB VPS):
-# timescaledb 256m redis 80m collector 192m
-# processor 128m api 224m website-bff 96m
-# System+nginx ~80m Total: ~1056m (within swap headroom; idle usage ~490m)
+# Memory budget (2GB VPS):
+# timescaledb 384m redis 80m collector 192m
+# processor 160m api 192m website-bff 64m
+# System+nginx ~200m Total: ~1272m (comfortable within 2GB; ~700MB headroom)
 #
 # DNS:
 # analytics.db.transquinnftw.com A → vps-0 IP (connects to port 25434)
@@ -36,10 +36,11 @@ services:
 image: timescale/timescaledb:2.16.1-pg16
 container_name: analytics-timescaledb
 restart: unless-stopped
- mem_limit: 256m
- memswap_limit: 256m
+ mem_limit: 384m
+ memswap_limit: 384m
+ mem_reservation: 230m
 ports:
- - "25434:5432"
+ - "127.0.0.1:25434:5432"
 environment:
 POSTGRES_USER: ${POSTGRES_USER}
 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@@ -62,6 +63,7 @@ services:
 restart: unless-stopped
 mem_limit: 80m
 memswap_limit: 80m
+ mem_reservation: 48m
 command:
 - redis-server
 - --requirepass
@@ -90,6 +92,7 @@ services:
 restart: unless-stopped
 mem_limit: 192m
 memswap_limit: 192m
+ mem_reservation: 115m
 ports:
 - "127.0.0.1:4001:4001"
 environment:
@@ -113,7 +116,7 @@ services:
 redis:
 condition: service_healthy
 healthcheck:
- test: ["CMD-SHELL", "curl -f http://localhost:4001/health || exit 1"]
+ test: ["CMD-SHELL", "wget -q --spider http://localhost:4001/health || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
@@ -127,8 +130,9 @@ services:
 dockerfile: Dockerfile
 container_name: analytics-processor
 restart: unless-stopped
- mem_limit: 128m
- memswap_limit: 128m
+ mem_limit: 160m
+ memswap_limit: 160m
+ mem_reservation: 96m
 environment:
 NODE_ENV: production
 REDIS_HOST: redis
@@ -155,8 +159,9 @@ services:
 dockerfile: Dockerfile
 container_name: analytics-api
 restart: unless-stopped
- mem_limit: 224m
- memswap_limit: 224m
+ mem_limit: 192m
+ memswap_limit: 192m
+ mem_reservation: 115m
 ports:
 - "127.0.0.1:4003:4003"
 environment:
@@ -178,7 +183,7 @@ services:
 redis:
 condition: service_healthy
 healthcheck:
- test: ["CMD-SHELL", "curl -f http://localhost:4003/health || exit 1"]
+ test: ["CMD-SHELL", "wget -q --spider http://localhost:4003/health || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
@@ -197,6 +202,7 @@ services:
 restart: unless-stopped
 mem_limit: 128m
 memswap_limit: 128m
+ mem_reservation: 77m
 profiles:
 - realtime
 ports:
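Review bot: The new `- "127.0.0.1:25434:5432"` publish makes TimescaleDB loopback-only, but the header comment kept in the first hunk still reads `# analytics.db.transquinnftw.com A → vps-0 IP (connects to port 25434)`, which now describes a path that cannot reach the database from off-box. Binding to loopback is the right default for a credentialed Postgres on a public VPS, so the fix belongs in the comment: either drop the DNS line if no remote access is intended, or state how remote clients are expected to reach it, e.g. `# analytics.db.transquinnftw.com A → vps-0 IP (25434 is loopback-only; remote access needs a tunnel to the host)`. Anyone currently connecting through that hostname will see a connection refused after this deploy, so the change is worth calling out in the commit message as well.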
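Review bot: The collector healthcheck now depends on the BusyBox `wget` bundled in node:22-alpine, since every Dockerfile in this commit drops `apk add --no-cache curl`; BusyBox's `--spider` is not identical to GNU wget's (GNU sends a HEAD request, BusyBox has historically differed), so confirm on the built image that `/health` answers 2xx to whatever method it actually sends, otherwise the `|| exit 1` fires and the dependent services never start. A one-off check such as `docker compose exec collector wget -q --spider http://localhost:4001/health; echo $?` settles it before deploy. The api and website-bff healthcheck hunks make the same substitution and need the same confirmation. The processor and realtime entries only gain `mem_reservation` here; if their service definitions outside these hunks still carry a curl-based `test:`, that check now fails unconditionally because curl is no longer in the image.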
@@ -219,8 +225,9 @@ services:
 dockerfile: Dockerfile
 container_name: analytics-website-bff
 restart: unless-stopped
- mem_limit: 96m
- memswap_limit: 96m
+ mem_limit: 64m
+ memswap_limit: 64m
+ mem_reservation: 38m
 ports:
 - "127.0.0.1:4005:4005"
 environment:
@@ -235,7 +242,7 @@ services:
 api:
 condition: service_healthy
 healthcheck:
- test: ["CMD-SHELL", "curl -f http://localhost:4005/health || exit 1"]
+ test: ["CMD-SHELL", "wget -q --spider http://localhost:4005/health || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 3
diff --git a/services/api/Dockerfile b/services/api/Dockerfile
index 53f764a..e41d847 100644
--- a/services/api/Dockerfile
+++ b/services/api/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 COPY dist ./dist
@@ -15,4 +14,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 EXPOSE 4003
+USER node
 CMD ["node", "dist/main.js"]
diff --git a/services/collector/Dockerfile b/services/collector/Dockerfile
index 65876b5..9001f7f 100644
--- a/services/collector/Dockerfile
+++ b/services/collector/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 # Pre-built by turbo before deploy — dist has @lilith/* compiled in via SWC
 COPY dist ./dist
@@ -17,4 +16,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 EXPOSE 4001
+USER node
 CMD ["node", "dist/main.js"]
diff --git a/services/processor/Dockerfile b/services/processor/Dockerfile
index db3932c..6b8951e 100644
--- a/services/processor/Dockerfile
+++ b/services/processor/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 COPY dist ./dist
@@ -14,4 +13,5 @@ RUN node -e " \
 require('fs').writeFileSync('./package.json', JSON.stringify(p, null, 2)); \
 " && npm install --production --ignore-scripts
+USER node
 CMD ["node", "dist/main.js"]
diff --git a/services/realtime/Dockerfile b/services/realtime/Dockerfile
index 96aad4d..9e0b5e7 100644
--- a/services/realtime/Dockerfile
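Review bot: `USER node` in the api Dockerfile is added after `/app` was populated entirely as root — the `COPY dist ./dist` in the first hunk and the `npm install` in this one carry no `--chown` — so the unprivileged `node` user that the official node images provide gets read-only access to the application tree. That is exactly what a service that only loads `dist` and `node_modules` needs, but any runtime write under `/app` (a log file, an on-disk cache, a rewritten package.json) that previously succeeded silently as root will now fail with EACCES, so the service should be smoke-tested under the new user before this ships. If a write is required, prefer `COPY --chown=node:node dist ./dist` for the specific path over a blanket chmod, and keep the rest root-owned so the process cannot modify its own code. The collector, processor, realtime and website-bff Dockerfile hunks make the identical change and the same check applies to each.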
+++ b/services/realtime/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 COPY dist ./dist
@@ -15,4 +14,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 EXPOSE 4004
+USER node
 CMD ["node", "dist/main.js"]
diff --git a/services/website-bff/Dockerfile b/services/website-bff/Dockerfile
index dd0e664..1512f80 100644
--- a/services/website-bff/Dockerfile
+++ b/services/website-bff/Dockerfile
@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 COPY dist ./dist
 COPY package.json ./
 RUN node -e " \
@@ -12,4 +11,5 @@ RUN node -e " \
 require('fs').writeFileSync('./package.json', JSON.stringify(p, null, 2)); \
 " && npm install --production --ignore-scripts
 EXPOSE 4005
+USER node
 CMD ["node", "dist/server.js"]