feat: code quality audit + autoresearch integration + infra hardening (#150)

docker-compose.prod.yml

@@ -0,0 +1,56 @@
+# ── Production Compose Overlay ─────────────────────────────────────────────────
+#
+# Usage:
+#   make docker-prod                     # build + start with prod settings
+#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+#
+# Differences from dev:
+#   - Runs as non-root user (timmy) from Dockerfile
+#   - No bind mounts — uses image-baked source only
+#   - Named volumes only (no host path dependencies)
+#   - Read-only root filesystem with tmpfs for /tmp
+#   - Resource limits enforced
+#   - Secrets passed via environment variables (set in .env)
+#
+# Security note: Set all secrets in .env before deploying.
+#   Required: L402_HMAC_SECRET, L402_MACAROON_SECRET
+#   Recommended: TASKOSAUR_JWT_SECRET, TASKOSAUR_ENCRYPTION_KEY
+
+services:
+
+  dashboard:
+    # Remove dev-only root user override — use Dockerfile's USER timmy
+    user: ""
+    read_only: true
+    tmpfs:
+      - /tmp:size=100M
+    volumes:
+      # Override: named volume only, no host bind mounts
+      - timmy-data:/app/data
+      # Remove ./src and ./static bind mounts (use baked-in image files)
+    environment:
+      DEBUG: "false"
+      TIMMY_ENV: "production"
+    deploy:
+      resources:
+        limits:
+          cpus: "2.0"
+          memory: 2G
+
+  celery-worker:
+    user: ""
+    read_only: true
+    tmpfs:
+      - /tmp:size=100M
+    volumes:
+      - timmy-data:/app/data
+    deploy:
+      resources:
+        limits:
+          cpus: "1.0"
+          memory: 1G
+
+# Override timmy-data to use a simple named volume (no host bind)
+volumes:
+  timmy-data:
+    driver: local