From f45834de7b5ec930db404d2a4a9936f23d808654 Mon Sep 17 00:00:00 2001
From: Cyrille <2franix@users.noreply.github.com>
Date: Sat, 21 Feb 2026 22:57:26 +0100
Subject: [PATCH 1/2] Switch to app user at end of Dockerfile

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 27dc2771..49a8f787 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -69,4 +69,5 @@ ENV DATABASE_URL=file:/app/database/hemmelig.db
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
 CMD wget --no-verbose --tries=1 --spider http://localhost:3000/api/health/ready || exit 1
 
+USER app
 ENTRYPOINT ["/app/docker-entrypoint.sh"]

From 2bf03b32313adb629f003779fe4ddf761e22d04f Mon Sep 17 00:00:00 2001
From: Cyrille <2franix@users.noreply.github.com>
Date: Sat, 21 Feb 2026 22:58:16 +0100
Subject: [PATCH 2/2] Update docker-entrypoint.sh

---
 scripts/docker-entrypoint.sh | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
index cbbda968..f5a8bd94 100644
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -1,8 +1,5 @@
 #!/bin/sh
 set -e
 
-# Fix permissions on mounted volumes (runs as root)
-chown -R app:app /app/database /app/uploads 2>/dev/null || true
-
-# Run migrations and start app as app user
-exec gosu app sh -c 'npx prisma migrate deploy && exec npx tsx server.ts'
+# Run migrations and start app
+sh -c 'npx prisma migrate deploy && exec npx tsx server.ts'
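Review bot: `USER app` names the account rather than its numeric id, so a platform policy that must verify the image is non-root (for example Kubernetes `runAsNonRoot`) cannot check it from the image metadata. A numeric form such as `USER <app-uid>:<app-gid>` avoids that; these are placeholders, because the real ids are not visible in this hunk. From this line on the HEALTHCHECK and the entrypoint also run without root, so `/app/database` (the target of `DATABASE_URL` in the hunk header) and `/app/uploads` must already be owned by `app` when the image is built. The Dockerfile lines that would do this are outside the hunk, so confirm them. A comment above the line, e.g. `# Drop root for runtime; data dirs must be writable by app, nothing is chowned at startup`, would record the dependency on patch 2/2.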
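Review bot: The new last line `sh -c '…'` has lost the leading `exec`, so the entrypoint's `/bin/sh` stays PID 1 and the server runs as its child. A SIGTERM from a container stop goes to that shell, which installs no handler and does not forward it, so the app is likely killed at the stop timeout instead of shutting down cleanly. With `set -e` already active the wrapper shell is not needed: `npx prisma migrate deploy` on one line and `exec npx tsx server.ts` on the next. Separately, with the `chown` removed, a bind mount or existing volume on `/app/database` or `/app/uploads` that `app` does not own will presumably fail at the migration step. A comment stating the ownership the mounts need, or an explicit writability check with a clear error message, would make that failure easy to diagnose.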