From 618ba6a86d09543a0b9dcd5c1b72f14a02a5dd8c Mon Sep 17 00:00:00 2001
From: saravanakumardb1
Date: Mon, 23 Mar 2026 16:16:47 -0700
Subject: [PATCH] fix(docker): harden dashboard container builds
---
 dashboards/admin-web/Dockerfile | 48 +++++++++++++++++++------------
 dashboards/tracker-web/Dockerfile | 47 ++++++++++++++++++------------
 2 files changed, 58 insertions(+), 37 deletions(-)
diff --git a/dashboards/admin-web/Dockerfile b/dashboards/admin-web/Dockerfile
index d1f7c8f3..fc03244b 100644
--- a/dashboards/admin-web/Dockerfile
+++ b/dashboards/admin-web/Dockerfile
@@ -1,40 +1,50 @@
-FROM node:20-alpine AS base
-
-# Build
-FROM base AS builder
+FROM node:22-alpine AS builder
 WORKDIR /app
-COPY package.json package-lock.json* ./
-# Copy pre-built @bytelyst/* packages (run scripts/docker-prep-dashboards.sh first)
-# file: refs point to ../../learning_ai_common_plat/packages/* relative to /app
-COPY .docker-deps/@bytelyst/ /learning_ai_common_plat/packages/
+ENV HTTP_PROXY=http://cso.proxy.att.com:8080/
+ENV HTTPS_PROXY=http://cso.proxy.att.com:8080/
+ENV NO_PROXY=localhost,127.0.0.1
+ENV NODE_TLS_REJECT_UNAUTHORIZED=0
+ENV NPM_CONFIG_STRICT_SSL=false
+ENV HUSKY=0
+
+RUN npm config set strict-ssl false \
+ && npm config set registry https://jfrog-pkg-proxy.it.att.com/artifactory/api/npm/att-npm-proxy-group/ \
+ && npm install -g pnpm@10.6.5
+
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.base.json ./
+COPY packages/ packages/
+COPY dashboards/admin-web/package.json dashboards/admin-web/
+
+RUN pnpm install --frozen-lockfile --ignore-scripts
+
+COPY dashboards/admin-web/ dashboards/admin-web/
-RUN npm ci
-COPY . .
-# Dummy env vars for Next.js build (page data collection requires these at build time)
 ENV COSMOS_ENDPOINT=https://placeholder.documents.azure.com:443/
 ENV COSMOS_KEY=placeholder==
 ENV COSMOS_DATABASE=lysnrai
 ENV JWT_SECRET=build-time-placeholder
-RUN npm run build
+ENV NEXT_TELEMETRY_DISABLED=1
-# Production
-FROM base AS runner
+RUN pnpm -r --filter @bytelyst/admin-web... build
+RUN pnpm --filter @bytelyst/admin-web deploy --legacy --ignore-scripts /app/deploy
+
+FROM node:22-alpine
 WORKDIR /app
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=3001
+ENV HOSTNAME=0.0.0.0
+ENV HUSKY=0
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
-COPY --from=builder /app/public ./public
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/deploy ./
+COPY --from=builder --chown=nextjs:nodejs /app/dashboards/admin-web/public ./public
 USER nextjs
 EXPOSE 3001
-ENV PORT=3001
-ENV HOSTNAME="0.0.0.0"
 CMD ["node", "server.js"]
diff --git a/dashboards/tracker-web/Dockerfile b/dashboards/tracker-web/Dockerfile
index a41417d3..c8268793 100644
--- a/dashboards/tracker-web/Dockerfile
+++ b/dashboards/tracker-web/Dockerfile
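Review bot: In the dashboards/admin-web/Dockerfile hunk, `ENV NODE_TLS_REJECT_UNAUTHORIZED=0`, `ENV NPM_CONFIG_STRICT_SSL=false` and `npm config set strict-ssl false` turn off certificate verification for every HTTPS request the builder stage makes, which works against the hardening named in the subject; the dashboards/tracker-web/Dockerfile hunk adds the same three lines. `pnpm install --frozen-lockfile` is still pinned by the lockfile's integrity hashes, but `npm install -g pnpm@10.6.5` has no lockfile behind it, so the package manager itself arrives over an unauthenticated channel. Trusting the proxy's CA through `NODE_EXTRA_CA_CERTS` and npm's `cafile` keeps verification on, and the proxy URLs can be passed with `--build-arg`, since `HTTP_PROXY`, `HTTPS_PROXY` and `NO_PROXY` are predefined build args and need no `ENV` line. The CA path in the sketch is a placeholder because the certificate is not part of this patch.

```dockerfile
FROM node:22-alpine AS builder
# … unchanged: WORKDIR /app …

# Placeholder path: supply the corporate root CA used by the proxy/registry.
COPY path/to/corp-root-ca.pem /etc/ssl/certs/corp-root-ca.pem
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/corp-root-ca.pem
ENV HUSKY=0

# Proxy URLs come from --build-arg HTTP_PROXY=… / HTTPS_PROXY=… / NO_PROXY=…
RUN npm config set cafile /etc/ssl/certs/corp-root-ca.pem \
 && npm config set registry https://jfrog-pkg-proxy.it.att.com/artifactory/api/npm/att-npm-proxy-group/ \
 && npm install -g pnpm@10.6.5
# … unchanged: manifest COPY lines, pnpm install, build, deploy …
```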
@@ -1,35 +1,46 @@
-FROM node:20-alpine AS base
-
-# Build
-FROM base AS builder
+FROM node:22-alpine AS builder
 WORKDIR /app
-COPY package.json package-lock.json* ./
-# Copy pre-built @bytelyst/* packages (run scripts/docker-prep-dashboards.sh first)
-# file: refs point to ../../learning_ai_common_plat/packages/* relative to /app
-COPY .docker-deps/@bytelyst/ /learning_ai_common_plat/packages/
+ENV HTTP_PROXY=http://cso.proxy.att.com:8080/
+ENV HTTPS_PROXY=http://cso.proxy.att.com:8080/
+ENV NO_PROXY=localhost,127.0.0.1
+ENV NODE_TLS_REJECT_UNAUTHORIZED=0
+ENV NPM_CONFIG_STRICT_SSL=false
+ENV HUSKY=0
-RUN npm ci
-COPY . .
-RUN npm run build
+RUN npm config set strict-ssl false \
+ && npm config set registry https://jfrog-pkg-proxy.it.att.com/artifactory/api/npm/att-npm-proxy-group/ \
+ && npm install -g pnpm@10.6.5
-# Production
-FROM base AS runner
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml tsconfig.base.json ./
+COPY packages/ packages/
+COPY dashboards/tracker-web/package.json dashboards/tracker-web/
+
+RUN pnpm install --frozen-lockfile --ignore-scripts
+
+COPY dashboards/tracker-web/ dashboards/tracker-web/
+
+ENV NEXT_TELEMETRY_DISABLED=1
+
+RUN pnpm -r --filter @bytelyst/tracker-web... build
+RUN pnpm --filter @bytelyst/tracker-web deploy --legacy --ignore-scripts /app/deploy
+
+FROM node:22-alpine
 WORKDIR /app
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=3003
+ENV HOSTNAME=0.0.0.0
+ENV HUSKY=0
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
-COPY --from=builder /app/public ./public
-COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/deploy ./
+COPY --from=builder --chown=nextjs:nodejs /app/dashboards/tracker-web/public ./public
 USER nextjs
 EXPOSE 3003
-ENV PORT=3003
-ENV HOSTNAME="0.0.0.0"
 CMD ["node", "server.js"]
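Review bot: The runtime stage copies the entire `pnpm deploy` output, and the deploy step runs without `--prod`, so devDependencies would be installed into `/app/deploy` and shipped in the final image; the admin-web hunk has the same line. Suggest `RUN pnpm --filter @bytelyst/tracker-web deploy --legacy --prod --ignore-scripts /app/deploy`. Separately, `CMD ["node", "server.js"]` was written for the `.next/standalone` layout that this change stops copying; whether `/app/deploy` holds a `server.js` and the built `.next` directory is not visible from the hunk and is worth confirming. A comment above the final `FROM node:22-alpine` stating what the deploy directory is expected to contain would also replace the removed `# Production` marker.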