build: Dockerfile non-root user, healthcheck, .dockerignore

Dockerfile

@@ -1,27 +1,32 @@
 # golang:1.24-alpine, 2026-02-26
 FROM golang@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder
-
-RUN apk add --no-cache git build-base make
 WORKDIR /src
+RUN apk add --no-cache git build-base make
 
-# golangci-lint v2.1.6, 2026-02-26
+# golangci-lint v2.1.6 (eabc2638a66d), 2026-02-26
 RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@eabc2638a66daf5bb6c6fb052a32fa3ef7b6600d
 
 COPY go.mod go.sum ./
 RUN go mod download
+
 COPY . .
 
 # Run all checks — build fails if branch is not green
 RUN make check
 
+# Build binaries
 ARG VERSION=dev
-RUN go build -ldflags "-X main.Version=${VERSION}" -o /chatd ./cmd/chatd
-RUN go build -o /chat-cli ./cmd/chat-cli
+RUN CGO_ENABLED=1 go build -trimpath -ldflags="-s -w -X main.Version=${VERSION}" -o /chatd ./cmd/chatd/
+RUN CGO_ENABLED=1 go build -trimpath -ldflags="-s -w" -o /chat-cli ./cmd/chat-cli/
 
 # alpine:3.21, 2026-02-26
 FROM alpine@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709
-
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S chat && adduser -S chat -G chat
 COPY --from=builder /chatd /usr/local/bin/chatd
+
+USER chat
 EXPOSE 8080
-CMD ["chatd"]
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+    CMD wget -qO- http://localhost:8080/.well-known/healthcheck.json || exit 1
+ENTRYPOINT ["chatd"]