feat: add Docker support and professional CI/CD pipeline

- Add multi-stage Dockerfiles for backend (Node 20 Alpine) and AI service (Python 3.11-slim)
- Both images run as non-root users with health checks
- Add docker-compose.yml to orchestrate both services with internal networking
- Add /health endpoint to backend for Docker/LB health checks
- Fix GitHub Actions folder: move workflow/ → workflows/ (singular is ignored by GitHub)
- Replace basic CI with 6-job pipeline: frontend lint+build, backend vitest, security audit (npm audit + pip-audit), Docker image validation, Docker Hub publish on master push

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: adity1raut

.github/workflow/ci.yaml

@@ -0,0 +1,233 @@
+name: CI / CD — ChatConnect
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# ─── Jobs ─────────────────────────────────────────────────────────────────────
+jobs:
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 1. Lint + Test — Frontend (React/Vite)
+  # ────────────────────────────────────────────────────────────────────────────
+  frontend-lint-build:
+    name: Frontend — Lint & Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: client/package-lock.json
+
+      - name: Install dependencies
+        working-directory: client
+        run: npm ci
+
+      - name: Run ESLint
+        working-directory: client
+        run: npm run lint
+
+      - name: Build
+        working-directory: client
+        run: npm run build
+
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: frontend-dist
+          path: client/dist
+          retention-days: 7
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 2. Test — Backend (Node.js / Vitest)
+  # ────────────────────────────────────────────────────────────────────────────
+  backend-test:
+    name: Backend — Unit Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: backend/package-lock.json
+
+      - name: Install dependencies
+        working-directory: backend
+        run: npm ci
+
+      - name: Run Vitest
+        working-directory: backend
+        run: npm test
+        env:
+          NODE_ENV: test
+          JWT_SECRET: test-jwt-secret
+          JWT_REFRESH_SECRET: test-refresh-secret
+          MONGO_URI: ${{ secrets.MONGO_URI_TEST || 'mongodb://localhost:27017/test' }}
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 3. Security — npm audit + pip-audit
+  # ────────────────────────────────────────────────────────────────────────────
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: backend/package-lock.json
+
+      - name: npm audit (backend)
+        working-directory: backend
+        run: npm audit --audit-level=high
+        continue-on-error: true   # report but don't block
+
+      - name: npm audit (frontend)
+        working-directory: client
+        run: npm audit --audit-level=high
+        continue-on-error: true
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: pip-audit (AI service)
+        working-directory: server
+        run: |
+          pip install pip-audit --quiet
+          pip-audit -r requirements.txt --skip-editable
+        continue-on-error: true
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 4. Docker build validation — backend image
+  # ────────────────────────────────────────────────────────────────────────────
+  docker-backend:
+    name: Docker — Build Backend Image
+    runs-on: ubuntu-latest
+    needs: [backend-test]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build backend image (no push)
+        uses: docker/build-push-action@v6
+        with:
+          context: ./backend
+          file: ./backend/Dockerfile
+          push: false
+          tags: chatconnect-backend:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 5. Docker build validation — AI service image
+  # ────────────────────────────────────────────────────────────────────────────
+  docker-ai-service:
+    name: Docker — Build AI Service Image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build AI service image (no push)
+        uses: docker/build-push-action@v6
+        with:
+          context: ./server
+          file: ./server/Dockerfile
+          push: false
+          tags: chatconnect-ai:ci
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ────────────────────────────────────────────────────────────────────────────
+  # 6. Push to Docker Hub — only on master push, after all checks pass
+  # ────────────────────────────────────────────────────────────────────────────
+  docker-publish:
+    name: Docker — Publish to Docker Hub
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+    needs: [frontend-lint-build, backend-test, docker-backend, docker-ai-service]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata (tags/labels)
+        id: meta-backend
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/chatconnect-backend
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest
+
+      - name: Push backend image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./backend
+          file: ./backend/Dockerfile
+          push: true
+          tags: ${{ steps.meta-backend.outputs.tags }}
+          labels: ${{ steps.meta-backend.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Extract metadata — AI service
+        id: meta-ai
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/chatconnect-ai
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest
+
+      - name: Push AI service image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./server
+          file: ./server/Dockerfile
+          push: true
+          tags: ${{ steps.meta-ai.outputs.tags }}
+          labels: ${{ steps.meta-ai.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.github/workflows/ci.yml

@@ -0,0 +1,12 @@
+node_modules
+npm-debug.log*
+.env
+.env.*
+!.env.example
+tests
+*.test.js
+.git
+.gitignore
+Dockerfile
+.dockerignore
+vercel.json

.github/workflow/dco.yml .github/workflows/dco.yml.github/workflow/dco.yml renamed to .github/workflows/dco.yml

@@ -0,0 +1,38 @@
+# ─── Stage 1: deps ────────────────────────────────────────────────────────────
+FROM node:20-alpine AS deps
+
+WORKDIR /app
+
+# Install only production deps first (layer cache)
+COPY package.json package-lock.json ./
+RUN npm ci --omit=dev
+
+# ─── Stage 2: runner ──────────────────────────────────────────────────────────
+FROM node:20-alpine AS runner
+
+WORKDIR /app
+
+# Security: run as non-root
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+
+# Copy production node_modules from deps stage
+COPY --from=deps /app/node_modules ./node_modules
+
+# Copy source
+COPY --chown=appuser:appgroup . .
+
+# Remove dev/test files not needed at runtime
+RUN rm -rf tests .env.example
+
+ENV NODE_ENV=production
+ENV PORT=5000
+
+EXPOSE 5000
+
+USER appuser
+
+# Healthcheck — hits the /health endpoint (add this route if missing)
+HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
+  CMD wget -qO- http://localhost:5000/health || exit 1
+
+CMD ["node", "main.js"]

backend/.dockerignore

@@ -55,10 +55,15 @@ app.use("/api/friends", friendRoutes);
 app.use("/api/dashboard", dashboardRoutes);
 app.use("/api/ai", aiRoutes);
 
-app.get("/", (req, res) => {
+app.get("/", (_req, res) => {
   res.status(200).json({ message: "Server is running" });
 });
 
+// Docker / load-balancer healthcheck
+app.get("/health", (_req, res) => {
+  res.status(200).json({ status: "ok", uptime: process.uptime() });
+});
+
 const PORT = process.env.PORT || 5000;
 
 httpServer.listen(PORT, () => {