Security:
- .dockerignore + Dockerfile: stop baking .env / the 346MB OSM pbf into image
layers; install pinned from uv.lock (reproducible builds) (SEC-04/05).
- docker-compose: DB port binds ${DB_BIND_ADDR:-127.0.0.1} — loopback-only by
default; remote tooling moves to an SSH tunnel (SEC-01).
- webhook_receiver: CRITICAL startup warning + WEBHOOK_REQUIRE_TOKEN=1 fail-closed
when JIMI_WEBHOOK_TOKEN is empty (SEC-02 / FIX-W01).
Correctness:
- FIX-M22/E07: capture cur.rowcount BEFORE RELEASE SAVEPOINT in poll_alarms/
poll_trips/poll_parking — the RELEASE reported -1, producing "Alarms: -4 new
events inserted" logs and negative ingestion_log.rows_inserted.
- FIX-W02: parse application/json push bodies (were silently dropped).
- FIX-W03: move webhook DB work off the event loop via asyncio.to_thread.
- FIX-M23: poll_trips phased so no txn/connection is held across Tracksolid +
Nominatim (1 req/s) network calls.
- FIX-M24: sync_devices disables devices absent from every target (guarded).
- FIX-W04: reject device-clock-garbage alarm_time (2019 timestamps observed).
- get_token(): don't relabel already-aware timestamptz expiries (BUG-P9).
Observability/lifecycle:
- migration 21: v_ingest_health restricted to active pipeline endpoints so
one-shot tools stop wedging /health/ingest at 'stale' (dry-run verified).
- FIX-M25: daily purge_audit_logs() trims ingestion_log (90d) + refresh_log (180d).
- remove orphaned duplicate migrations/10_driver_clock_views.sql; ruff lint config.
+5 webhook tests (82 pass). Report/plan/work-log in docs/reports/260702_*.
Local only; not deployed. CLAUDE.md fix-history edits left uncommitted (that file
also carries unrelated in-progress edits).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
34 lines
No EOL
1.1 KiB
Docker
34 lines
No EOL
1.1 KiB
Docker
# Use a slim Python image
|
|
FROM python:3.12-slim
|
|
|
|
# Install uv
|
|
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
|
|
|
|
# Install system dependencies (Required for Postgres and Healthchecks)
|
|
RUN apt-get update && apt-get install -y \
|
|
libpq5 \
|
|
postgresql-client \
|
|
curl \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Set working directory
|
|
WORKDIR /app
|
|
|
|
# Copy dependency files (lockfile pins exact versions — SEC-05)
|
|
COPY pyproject.toml uv.lock ./
|
|
|
|
# Install the locked dependency set into the system environment.
|
|
# `uv export --frozen` fails the build if uv.lock is out of sync with pyproject.toml,
|
|
# so image builds are reproducible and can't silently pull newer packages.
|
|
RUN uv export --frozen --no-dev --no-emit-project --format requirements-txt -o /tmp/requirements.txt \
|
|
&& uv pip install --system -r /tmp/requirements.txt \
|
|
&& rm /tmp/requirements.txt
|
|
|
|
# Copy the rest of the application
|
|
COPY . .
|
|
|
|
# Security: Run as a non-privileged user (standard for 24/7 telemetry)
|
|
RUN useradd -m telemetry-user
|
|
USER telemetry-user
|
|
|
|
# CMD is handled by docker-compose.yml to differentiate movement vs events |