
feat: Add optimized Docker implementation with banking-grade security #10

Open
devin-ai-integration[bot] wants to merge 1 commit into master from devin/1753786523-docker-implementation

Conversation

@devin-ai-integration

feat: Add optimized Docker implementation with banking-grade security

Summary

This PR introduces a comprehensive Docker implementation for the banking application with multi-stage builds, security hardening, and full local development support. The implementation includes optimized Docker images for both development and production environments, with a complete docker-compose setup supporting PostgreSQL, Redis, and proper service networking.

Key Features:

  • Multi-stage Dockerfiles with separate development and production targets
  • Non-root user execution for enhanced security
  • Health checks and proper signal handling
  • Optimized image layers and reduced final image sizes
  • Comprehensive docker-compose.yml for local development
  • Security scanning integration with Trivy
  • Banking-grade security practices including read-only filesystems and no-new-privileges

Technical Changes:

  • Added .dockerignore files to optimize build context
  • Created Dockerfile and Dockerfile.dev for both applications
  • Added nginx.conf for production frontend serving with security headers
  • Fixed Node.js 18 compatibility issues in webpack configuration
  • Configured environment-based API endpoint configuration
  • Added database initialization scripts and Redis configuration

Review & Testing Checklist for Human

  • End-to-end stack testing: Run docker-compose up from scratch and verify all 4 services (postgres, redis, bank-server, bank-client) start healthy and can communicate
  • Database connectivity: Verify the bank-server can connect to PostgreSQL and execute database operations (check logs for successful queries)
  • Production builds: Test both production Docker images (docker build --target production) and verify they run correctly with proper non-root user permissions
  • Security configuration validation: Confirm non-root users don't break application functionality and that security headers are properly set in nginx
  • Development workflow: Test hot reload functionality - note that backend volume mounts were removed due to permission issues, so backend hot reload may require container restarts

Recommended Test Plan:

  1. Clean Docker environment: docker system prune -f
  2. Build and start stack: docker-compose up -d
  3. Wait for all services to be healthy: docker-compose ps
  4. Test frontend: Access http://localhost:3000
  5. Test backend API: curl http://localhost:4000/bank/Currencies
  6. Test production builds independently
  7. Verify database contains initialized data

Diagram

%%{ init : { "theme" : "default" }}%%
graph TB
    subgraph "Bank Client (React)"
        ClientDockerfile["bank-client/Dockerfile"]:::major-edit
        ClientDockerfileDev["bank-client/Dockerfile.dev"]:::major-edit
        ClientDockerignore["bank-client/.dockerignore"]:::major-edit
        NginxConf["bank-client/nginx.conf"]:::major-edit
        WebpackConfig["bank-client/internals/webpack/webpack.base.babel.js"]:::minor-edit
        ApiConfig["bank-client/app/utils/api.js"]:::minor-edit
    end

    subgraph "Bank Server (NestJS)"
        ServerDockerfile["bank-server/Dockerfile"]:::major-edit
        ServerDockerfileDev["bank-server/Dockerfile.dev"]:::major-edit
        ServerDockerignore["bank-server/.dockerignore"]:::major-edit
    end

    subgraph "Docker Compose Stack"
        DockerCompose["docker-compose.yml"]:::major-edit
        DockerComposeProd["docker-compose.prod.yml"]:::major-edit
        InitDB["init-db.sql"]:::major-edit
    end

    subgraph "Security & Documentation"
        SecurityScan["security-scan.yml"]:::major-edit
        SecurityDocs["DOCKER_SECURITY.md"]:::major-edit
    end

    DockerCompose --> ClientDockerfile
    DockerCompose --> ServerDockerfile
    DockerCompose --> InitDB
    ClientDockerfile --> NginxConf
    ClientDockerfile --> WebpackConfig
    ServerDockerfile --> ApiConfig

    subgraph Legend
        L1["Major Edit"]:::major-edit
        L2["Minor Edit"]:::minor-edit
        L3["Context/No Edit"]:::context
    end

    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Notes

Important Security Considerations:

  • All containers run as non-root users (nestjs:1001, reactjs:1001, nginx-app:1001)
  • Production containers use read-only filesystems where possible
  • Security headers are configured in nginx for the frontend
  • Database and Redis are configured with authentication

Known Issues:

  • Backend development container volume mounts were removed due to persistent permission issues with TypeScript compilation. This means backend hot reload requires container restarts instead of live file watching.
  • Node.js 18 compatibility required adding NODE_OPTIONS="--openssl-legacy-provider" and disabling some webpack plugins.

Session Information:

The implementation follows banking-grade security practices and has been tested with the complete stack running successfully. All containers achieve healthy status and can communicate properly through the custom Docker network.

- Add multi-stage Dockerfile with development and production targets
- Add separate Dockerfile.dev for development with hot reload
- Add .dockerignore to optimize build context
- Configure non-root user (nestjs) for security
- Add health checks and proper signal handling
- Optimize image layers and reduce final image size
- Support PostgreSQL and Redis connectivity
- Include banking-grade security practices

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>
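As an added illustration (not the PR's own docker-compose.yml or any file from this repository), the controls the description lists for the backend service, non-root user, read-only filesystem, no-new-privileges, health check and signal handling, written out as a compose service definition. The build context, the nestjs uid of 1001, the /bank/Currencies health endpoint and the environment variable names are assumptions taken from the description above.

```yaml
# Constructed example, not the PR's docker-compose.yml. Shows the hardening
# the PR description claims for bank-server in concrete compose settings.
services:
  postgres:
    image: postgres:16-alpine            # assumed image; the PR does not name a tag
    environment:
      POSTGRES_DB: bank
      POSTGRES_USER: bank
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
    volumes:
      - ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql:ro
    healthcheck:                         # lets bank-server wait for a ready database
      test: ["CMD-SHELL", "pg_isready -U bank -d bank"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks: [bank-net]

  bank-server:
    build:
      context: ./bank-server
      target: production                 # the multi-stage target from the PR
    user: "1001:1001"                    # nestjs user (uid 1001 per the PR notes), never root
    read_only: true                      # root filesystem is immutable at runtime
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m   # the only writable scratch space, no exec allowed
    security_opt:
      - no-new-privileges:true           # setuid/setcap binaries cannot raise privileges
    cap_drop:
      - ALL                              # port 4000 is unprivileged, so no capability is needed
    init: true                           # a real PID 1 forwards SIGTERM to the node process
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:4000/bank/Currencies"]
      interval: 30s
      timeout: 5s
      retries: 3
    environment:
      NODE_ENV: production
      DATABASE_URL: postgres://bank:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}@postgres:5432/bank
    ports:
      - "4000:4000"
    depends_on:
      postgres:
        condition: service_healthy
    networks: [bank-net]

networks:
  bank-net:
    driver: bridge                       # services reach each other by name; nothing else is exposed
```

To confirm the settings actually took effect on a running container, compare `docker inspect --format '{{.Config.User}} {{.HostConfig.ReadonlyRootfs}} {{.HostConfig.SecurityOpt}} {{.HostConfig.CapDrop}}' <container>` against the values above; a non-empty user, `true`, `[no-new-privileges:true]` and `[ALL]` are what the checklist item on non-root and security configuration should verify.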
@devin-ai-integration
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
