From 1aac9cf4804772074384d751af2f348a04a4c728 Mon Sep 17 00:00:00 2001
From: clawbot <claw@eeqj.com>
Date: Wed, 11 Feb 2026 00:50:13 -0800
Subject: [PATCH] build: Dockerfile non-root user, healthcheck, .dockerignore

---
 .dockerignore | 15 ++++++++-------
 Dockerfile    |  6 +++++-
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 72f1915..5004937 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,8 +1,9 @@
-bin/
-chatd
-data.db
-.env
 .git
-*.test
-*.out
-debug.log
+*.md
+!README.md
+chatd
+chat-cli
+data.db
+data.db-wal
+data.db-shm
+.env
diff --git a/Dockerfile b/Dockerfile
index ed05c83..61ae800 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,8 +18,12 @@ RUN CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /chat-cli ./cmd/chat-cl
 
 # Final stage — server only
 FROM alpine:3.21
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S chat && adduser -S chat -G chat
 COPY --from=builder /chatd /usr/local/bin/chatd
 
+USER chat
 EXPOSE 8080
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget -qO- http://localhost:8080/.well-known/healthcheck.json || exit 1
 ENTRYPOINT ["chatd"]