fix(docker): hardening phase 3 — closes #1551

Implements the seven follow-up items tracked in #1551 after the phase 1+2
docker hardening pass. Skips item 4 (Better Auth user-not-found log
demotion) which needs runtime reproduction first.

Compose hardening (docker/docker-compose.yml + docker/Dockerfile):
- /tmp tmpfs capped at 64m so misbehaving uploads/streams can't grow
  unbounded into container memory
- pids_limit raised 256 → 512 (Node + Better Auth + proxy fanout
  routinely burst past 100 pids)
- healthcheck switched from BusyBox wget to node -e fetch — guaranteed
  available in the runtime image
- node_modules *.md cleanup narrowed to README* only so packages reading
  nested markdown at runtime (e.g. js-yaml schema docs) keep working

Public stats opt-in:
- /api/v1/public/{usage,free-models,provider-tokens} now require
  MANIFEST_PUBLIC_STATS=true to serve. Default off, returns 404 so
  unauthenticated probes can't even tell the endpoints exist.

Honest HTTP statuses for tool callers:
- proxy-exception.filter and the proxy.controller catch block detect
  chat clients via body.stream === true OR Accept: text/event-stream
- Non-chat clients (curl/CI/monitors/non-streaming SDKs) now get real
  401/400/500 with a structured { error: { message, type, code? } }
  envelope instead of a friendly HTTP-200 stub
- Chat clients continue to receive the friendly envelope

og: tag personalization:
- New rewriteOgTags helper rewrites the SPA index.html's hardcoded
  app.manifest.build to BETTER_AUTH_URL at boot time. SpaFallbackFilter
  performs the substitution once when caching index.html. Self-hosters'
  shared link previews now show their own URL.

/api/v1/messages status filter:
- New status query parameter accepting ok | error | rate_limited |
  fallback_error | errors (where 'errors' expands to the union of the
  three error variants). Lets the dashboard build an errors-only toggle.
- Count cache key extended so different statuses don't share counts.

CI smoke test:
- New .github/workflows/docker-smoke.yml builds the production image,
  boots the compose stack with read_only: true, waits for /health,
  asserts SPA loads + public stats are gated off, then tears down.
  Catches regressions from any future code that silently writes to
  disk.

Author: brunobuddy

.changeset/docker-hardening-phase-3.md

@@ -0,0 +1,5 @@
+---
+"manifest": patch
+---
+
+Docker hardening Phase 3 follow-ups: add a 64MB cap to the manifest container's `/tmp` tmpfs, raise `pids_limit` from 256 to 512, and switch the healthcheck from BusyBox `wget` to a `node -e fetch(...)` invocation that's guaranteed to exist in the runtime image. Narrow the Dockerfile's `node_modules` `*.md` cleanup to `README*` only so packages that read nested markdown at runtime (e.g. `js-yaml` schema docs) keep working. Gate `/api/v1/public/{usage,free-models,provider-tokens}` behind `MANIFEST_PUBLIC_STATS=true` (default off, returns 404) so self-hosted instances don't leak aggregate stats to unauthenticated callers. Detect non-chat callers in the proxy exception filter and the `chat/completions` catch block via `body.stream === true` / `Accept: text/event-stream`; non-chat clients now receive real `401`/`400`/`500` HTTP statuses with a structured error envelope while chat UIs continue to get the friendly HTTP-200 envelope. Rewrite `og:url` / `og:image` in the SPA's `index.html` from `BETTER_AUTH_URL` at boot so self-hosters' shared link previews show their own URL instead of `app.manifest.build`. Add a `status` query parameter to `/api/v1/messages` (`ok`, `error`, `rate_limited`, `fallback_error`, or `errors` for the union of the three error variants) so the dashboard can offer an "errors only" toggle. Add `.github/workflows/docker-smoke.yml` that boots the production compose stack with `read_only: true`, waits for `/api/v1/health`, and tears down — guards against future code that silently writes to disk.

.github/workflows/docker-smoke.yml

@@ -0,0 +1,123 @@
+name: Docker Smoke
+
+# Boots the production compose stack with `read_only: true` and verifies the
+# app comes up cleanly and answers /api/v1/health. Catches regressions from
+# code that silently writes outside /tmp at boot, which would crash users on
+# the locked-down default deployment.
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - ".github/workflows/docker-smoke.yml"
+      - "docker/Dockerfile"
+      - ".dockerignore"
+      - "docker/docker-compose.yml"
+      - "docker/.env.example"
+      - "docker/install.sh"
+      - "packages/backend/**"
+      - "packages/frontend/**"
+      - "packages/shared/**"
+      - "package.json"
+      - "package-lock.json"
+      - "turbo.json"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  smoke:
+    name: Compose smoke test (read-only)
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build local image as manifestdotbuild/manifest:latest
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: docker/Dockerfile
+          push: false
+          load: true
+          tags: manifestdotbuild/manifest:latest
+          platforms: linux/amd64
+          cache-from: type=gha,scope=smoke-amd64
+          cache-to: type=gha,mode=max,scope=smoke-amd64
+
+      - name: Prepare .env from .env.example
+        working-directory: docker
+        run: |
+          cp .env.example .env
+          # Generate a real secret so BETTER_AUTH_SECRET=${VAR:?…} succeeds.
+          secret=$(openssl rand -hex 32)
+          # Replace the empty `BETTER_AUTH_SECRET=` line.
+          new=""
+          while IFS= read -r line || [[ -n "$line" ]]; do
+            if [[ "$line" == "BETTER_AUTH_SECRET=" ]]; then
+              new+="BETTER_AUTH_SECRET=${secret}"$'\n'
+            else
+              new+="$line"$'\n'
+            fi
+          done < .env
+          printf '%s' "$new" > .env
+
+      - name: Boot the stack
+        working-directory: docker
+        run: |
+          docker compose up -d
+          docker compose ps
+
+      - name: Wait for /api/v1/health
+        run: |
+          set -e
+          for i in $(seq 1 60); do
+            if curl -sSf http://127.0.0.1:3001/api/v1/health >/dev/null; then
+              echo "healthy after ${i}s"
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "health never returned 200" >&2
+          (cd docker && docker compose logs manifest)
+          exit 1
+
+      - name: Verify health payload shape
+        run: |
+          response=$(curl -sS http://127.0.0.1:3001/api/v1/health)
+          echo "$response"
+          echo "$response" | grep -q '"status":"healthy"'
+
+      - name: Verify SPA index loads
+        run: |
+          curl -sSf http://127.0.0.1:3001/ -o /tmp/index.html
+          test -s /tmp/index.html
+          grep -q '<title>Manifest</title>' /tmp/index.html
+
+      - name: Verify public stats are gated off by default
+        run: |
+          status=$(curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:3001/api/v1/public/usage)
+          if [[ "$status" != "404" ]]; then
+            echo "expected 404 for /public/usage when MANIFEST_PUBLIC_STATS is unset, got $status" >&2
+            exit 1
+          fi
+
+      - name: Dump backend logs on success (for diff inspection)
+        if: success()
+        working-directory: docker
+        run: docker compose logs --tail=200 manifest
+
+      - name: Dump backend logs on failure
+        if: failure()
+        working-directory: docker
+        run: |
+          docker compose logs manifest || true
+          docker compose logs postgres || true
+
+      - name: Tear down
+        if: always()
+        working-directory: docker
+        run: docker compose down -v

docker/Dockerfile

@@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/root/.npm npm ci --omit=dev --ignore-scripts && \
     find . -path "*/node_modules/vite-node" -type d -exec rm -rf {} + 2>/dev/null; \
     find . -path "*/node_modules/rollup" -type d -exec rm -rf {} + 2>/dev/null; \
     find . -path "*/node_modules/@vitest" -type d -exec rm -rf {} + 2>/dev/null; \
-    find . -path "*/node_modules/*" \( -name "*.map" -o -name "*.md" \
+    find . -path "*/node_modules/*" \( -name "*.map" -o -name "README*" \
       -o -name "LICENSE*" -o -name "CHANGELOG*" -o -name "*.txt" \
       -o -name "Makefile" -o -name "*.gyp" -o -name "*.gypi" \
       -o \( -name "*.ts" ! -name "*.d.ts" \) \) -delete 2>/dev/null; \
@@ -68,7 +68,7 @@ COPY packages/backend/package.json packages/backend/
 EXPOSE 3001
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=45s --retries=3 \
-  CMD wget -qO- http://127.0.0.1:3001/api/v1/health || exit 1
+  CMD node -e "fetch('http://127.0.0.1:3001/api/v1/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
 
 USER node
 

docker/docker-compose.yml

@@ -51,20 +51,24 @@ services:
       postgres:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:3001/api/v1/health || exit 1"]
+      test:
+        - "CMD"
+        - "node"
+        - "-e"
+        - "fetch('http://127.0.0.1:3001/api/v1/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
       interval: 30s
       timeout: 5s
       start_period: 45s
       retries: 3
     read_only: true
     tmpfs:
-      - /tmp
+      - /tmp:size=64m
     security_opt:
       - no-new-privileges:true
     cap_drop:
       - ALL
     mem_limit: 1g
-    pids_limit: 256
+    pids_limit: 512
     networks:
       - internal
       - frontend

packages/backend/src/analytics/controllers/messages.controller.ts

@@ -24,6 +24,7 @@ export class MessagesController {
       limit: Math.min(query.limit ?? 50, 200),
       cursor: query.cursor,
       agent_name: query.agent_name,
+      status: query.status,
     });
   }
 

packages/backend/src/analytics/dto/messages-query.dto.spec.ts

@@ -55,4 +55,20 @@ describe('MessagesQueryDto', () => {
     const errors = await validate(dto);
     expect(errors.length).toBeGreaterThan(0);
   });
+
+  it('accepts each known status value', async () => {
+    for (const status of ['ok', 'error', 'rate_limited', 'fallback_error', 'errors']) {
+      const dto = plainToInstance(MessagesQueryDto, { status });
+      const errors = await validate(dto);
+      expect(errors).toHaveLength(0);
+    }
+  });
+
+  it('rejects an unknown status value', async () => {
+    const dto = plainToInstance(MessagesQueryDto, { status: 'pending' });
+    const errors = await validate(dto);
+    expect(errors.length).toBeGreaterThan(0);
+    const flat = errors.flatMap((e) => Object.values(e.constraints ?? {}));
+    expect(flat.join('\n')).toMatch(/status must be one of/);
+  });
 });

packages/backend/src/analytics/dto/messages-query.dto.ts

@@ -1,5 +1,14 @@
 import { Type } from 'class-transformer';
-import { IsNumber, IsOptional, IsString, Max, Min } from 'class-validator';
+import { IsIn, IsNumber, IsOptional, IsString, Max, Min } from 'class-validator';
+
+export const MESSAGE_STATUS_FILTER_VALUES = [
+  'ok',
+  'error',
+  'rate_limited',
+  'fallback_error',
+  'errors',
+] as const;
+export type MessageStatusFilter = (typeof MESSAGE_STATUS_FILTER_VALUES)[number];
 
 export class MessagesQueryDto {
   @IsOptional()
@@ -40,4 +49,10 @@ export class MessagesQueryDto {
   @IsOptional()
   @IsString()
   agent_name?: string;
+
+  @IsOptional()
+  @IsIn(MESSAGE_STATUS_FILTER_VALUES, {
+    message: `status must be one of: ${MESSAGE_STATUS_FILTER_VALUES.join(', ')}`,
+  })
+  status?: MessageStatusFilter;
 }

packages/backend/src/analytics/services/messages-query.service.ts

@@ -5,6 +5,9 @@ import { AgentMessage } from '../../entities/agent-message.entity';
 import { rangeToInterval } from '../../common/utils/range.util';
 import { addTenantFilter, formatTimestamp } from './query-helpers';
 import { TenantCacheService } from '../../common/services/tenant-cache.service';
+import type { MessageStatusFilter } from '../dto/messages-query.dto';
+
+const ERROR_STATUSES = ['error', 'fallback_error', 'rate_limited'] as const;
 import {
   DbDialect,
   detectDialect,
@@ -50,6 +53,7 @@ export class MessagesQueryService {
     limit: number;
     cursor?: string;
     agent_name?: string;
+    status?: MessageStatusFilter;
   }) {
     const tenantId = (await this.tenantCache.resolve(params.userId)) ?? undefined;
     const cutoff = params.range ? computeCutoff(rangeToInterval(params.range)) : undefined;
@@ -70,6 +74,12 @@ export class MessagesQueryService {
     if (params.agent_name)
       baseQb.andWhere('at.agent_name = :filterAgent', { filterAgent: params.agent_name });
 
+    if (params.status === 'errors') {
+      baseQb.andWhere('at.status IN (:...errorStatuses)', { errorStatuses: ERROR_STATUSES });
+    } else if (params.status) {
+      baseQb.andWhere('at.status = :statusFilter', { statusFilter: params.status });
+    }
+
     // Provider filter: prefer the stored provider column (populated by the
     // proxy from routing resolution), and fall back to inference for legacy
     // rows that pre-date the column.
@@ -262,6 +272,7 @@ export class MessagesQueryService {
     agent_name?: string;
     cost_min?: number;
     cost_max?: number;
+    status?: MessageStatusFilter;
   }): string {
     return [
       params.userId,
@@ -271,6 +282,7 @@ export class MessagesQueryService {
       params.agent_name ?? '',
       params.cost_min ?? '',
       params.cost_max ?? '',
+      params.status ?? '',
     ].join(':');
   }
 }

packages/backend/src/common/filters/spa-fallback.filter.spec.ts

@@ -4,9 +4,14 @@ jest.mock('../utils/frontend-path', () => ({
   resolveFrontendDir: jest.fn(),
 }));
 
+const SAMPLE_HTML =
+  '<html><head><meta property="og:url" content="https://app.manifest.build" />' +
+  '<meta property="og:image" content="https://app.manifest.build/og-image.png" /></head>' +
+  '<body>SPA</body></html>';
+
 jest.mock('fs', () => ({
   ...jest.requireActual('fs'),
-  readFileSync: jest.fn().mockReturnValue('<html><body>SPA</body></html>'),
+  readFileSync: jest.fn().mockReturnValue(SAMPLE_HTML),
 }));
 
 import { resolveFrontendDir } from '../utils/frontend-path';
@@ -38,19 +43,19 @@ describe('SpaFallbackFilter', () => {
   const exception = new NotFoundException();
 
   // Must re-import after mock setup to pick up the mocked module
-  function loadFilter() {
+  function loadFilter(betterAuthUrl?: string) {
     jest.resetModules();
     jest.mock('../utils/frontend-path', () => ({
       resolveFrontendDir: mockResolveFrontendDir,
     }));
     jest.mock('fs', () => ({
       ...jest.requireActual('fs'),
-      readFileSync: jest.fn().mockReturnValue('<html><body>SPA</body></html>'),
+      readFileSync: jest.fn().mockReturnValue(SAMPLE_HTML),
     }));
     const { SpaFallbackFilter } =
       // eslint-disable-next-line @typescript-eslint/no-require-imports
       require('./spa-fallback.filter') as typeof import('./spa-fallback.filter');
-    return new SpaFallbackFilter();
+    return new SpaFallbackFilter(betterAuthUrl);
   }
 
   describe('when index.html exists', () => {
@@ -67,7 +72,7 @@ describe('SpaFallbackFilter', () => {
       expect(res.setHeader).toHaveBeenCalledWith('Content-Type', 'text/html');
       expect(res.setHeader).toHaveBeenCalledWith('Cache-Control', 'no-cache');
       expect(res.status).toHaveBeenCalledWith(200);
-      expect(res.send).toHaveBeenCalledWith('<html><body>SPA</body></html>');
+      expect(res.send).toHaveBeenCalledWith(SAMPLE_HTML);
     });
 
     it('returns JSON 404 for GET to /api/ routes', () => {
@@ -99,6 +104,40 @@ describe('SpaFallbackFilter', () => {
     });
   });
 
+  describe('og tag rewriting', () => {
+    beforeEach(() => {
+      mockResolveFrontendDir.mockReturnValue('/mock/frontend');
+    });
+
+    it('rewrites og: tags when BETTER_AUTH_URL is provided', () => {
+      const filter = loadFilter('https://manifest.example.com');
+      const { host, res } = createMockHost('GET', '/');
+      filter.catch(exception, host);
+      const sent = (res.send as jest.Mock).mock.calls[0][0] as string;
+      expect(sent).toContain('content="https://manifest.example.com"');
+      expect(sent).toContain('content="https://manifest.example.com/og-image.png"');
+      expect(sent).not.toContain('https://app.manifest.build');
+    });
+
+    it('leaves og: tags alone when BETTER_AUTH_URL is empty', () => {
+      const filter = loadFilter('');
+      const { host, res } = createMockHost('GET', '/');
+      filter.catch(exception, host);
+      const sent = (res.send as jest.Mock).mock.calls[0][0] as string;
+      expect(sent).toContain('content="https://app.manifest.build"');
+    });
+
+    it('falls back to process.env when no constructor arg is provided', () => {
+      process.env['BETTER_AUTH_URL'] = 'https://from-env.example';
+      const filter = loadFilter();
+      const { host, res } = createMockHost('GET', '/');
+      filter.catch(exception, host);
+      const sent = (res.send as jest.Mock).mock.calls[0][0] as string;
+      expect(sent).toContain('content="https://from-env.example"');
+      delete process.env['BETTER_AUTH_URL'];
+    });
+  });
+
   describe('when index.html does not exist', () => {
     let filter: ReturnType<typeof loadFilter>;
 

packages/backend/src/common/filters/spa-fallback.filter.ts

@@ -3,16 +3,19 @@ import { Response, Request } from 'express';
 import { join } from 'path';
 import { readFileSync } from 'fs';
 import { resolveFrontendDir } from '../utils/frontend-path';
+import { rewriteOgTags } from '../utils/og-rewrite';
 
 const API_PREFIXES = ['/api/', '/otlp/', '/v1/'];
 
 @Catch(NotFoundException)
 export class SpaFallbackFilter implements ExceptionFilter {
   private readonly indexContent: string | null;
 
-  constructor() {
+  constructor(betterAuthUrl?: string) {
     const frontendDir = resolveFrontendDir();
-    this.indexContent = frontendDir ? readFileSync(join(frontendDir, 'index.html'), 'utf-8') : null;
+    const raw = frontendDir ? readFileSync(join(frontendDir, 'index.html'), 'utf-8') : null;
+    const baseUrl = betterAuthUrl ?? process.env['BETTER_AUTH_URL'] ?? '';
+    this.indexContent = raw ? rewriteOgTags(raw, baseUrl) : null;
   }
 
   catch(exception: NotFoundException, host: ArgumentsHost) {