security: remove .env from tracking (contains secrets)

Dockerfile

@@ -0,0 +1,53 @@
+# Multi-stage build: base → deps → build → prod-deps → runtime
+# Build context: deployserver/ root.
+
+FROM node:20-alpine AS base
+RUN corepack enable && corepack prepare pnpm@10.28.2 --activate \
+    && apk add --no-cache python3 make g++
+WORKDIR /app
+
+# ── deps: install ВСЕ зависимости (включая dev) для сборки TS ───────────────
+FROM base AS deps
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
+COPY apps/api/package.json apps/api/
+RUN pnpm install --frozen-lockfile --prod=false
+
+# ── build: компилируем TypeScript ───────────────────────────────────────────
+FROM base AS build
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=deps /app/apps/api/node_modules ./apps/api/node_modules
+COPY . .
+RUN cd apps/api && pnpm build
+
+# ── prod-deps: только production node_modules ──────────────────────────────
+FROM base AS prod-deps
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
+COPY apps/api/package.json apps/api/
+RUN pnpm install --frozen-lockfile --prod
+
+# ── runtime: минимальный образ для прода ───────────────────────────────────
+FROM node:20-alpine AS runtime
+RUN apk add --no-cache tini wget \
+    && addgroup -S app -g 1001 \
+    && adduser -S app -G app -u 1001
+
+WORKDIR /app/apps/api
+
+COPY --from=prod-deps --chown=app:app /app/node_modules /app/node_modules
+COPY --from=prod-deps --chown=app:app /app/apps/api/node_modules ./node_modules
+COPY --from=build     --chown=app:app /app/apps/api/dist        ./dist
+COPY --from=build     --chown=app:app /app/apps/api/swagger.json ./swagger.json
+COPY --from=build     --chown=app:app /app/apps/api/package.json ./package.json
+
+# logs/ создаётся для audit-log
+RUN mkdir -p /app/logs && chown -R app:app /app/logs
+
+USER app
+
+EXPOSE 3001
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+    CMD wget -qO- http://localhost:3001/api/health || exit 1
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "dist/index.js"]