Review SCM files and security updates (#3)

hyperpolymath · claude · web-flow · commit 889c451b48ce · 2025-12-17T20:29:13.000Z
- Containerfile: Fix mixed package managers (apt-get/apk), correct
wolfi-base tag (was using Debian bookworm-slim), use adduser instead of
useradd, update to rust:1.83-alpine, use wget instead of curl for
healthcheck
- flake.nix: Correct license to dual MIT/AGPL-3.0-or-later, update
homepage URL, replace docker with podman per RSR container policy
- STATE.scm: Update project status to reflect security hardening phase,
document high-priority issues (SHA-pinned actions, client migration)

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/STATE.scm b/STATE.scm
@@ -3,20 +3,43 @@
 ;; SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell
 
 (define metadata
-  '((version . "0.1.0") (updated . "2025-12-15") (project . "universal-language-server-plugin")))
+  '((version . "0.1.0") (updated . "2025-12-17") (project . "universal-language-server-plugin")))
 
 (define current-position
-  '((phase . "v0.1 - Initial Setup")
-    (overall-completion . 25)
-    (components ((rsr-compliance ((status . "complete") (completion . 100)))))))
+  '((phase . "v0.1 - Security Hardening")
+    (overall-completion . 35)
+    (components
+     ((rsr-compliance ((status . "complete") (completion . 100)))
+      (containerfile ((status . "fixed") (completion . 100)))
+      (flake-nix ((status . "fixed") (completion . 100)))
+      (ci-security ((status . "in-progress") (completion . 70)))
+      (client-migration ((status . "pending") (completion . 0)))))))
 
-(define blockers-and-issues '((critical ()) (high-priority ())))
+(define blockers-and-issues
+  '((critical ())
+    (high-priority
+     (("SHA-pin CI workflow actions" . "security")
+      ("Convert VS Code client to ReScript" . "rsr-policy")
+      ("Convert Sublime client to ReScript" . "rsr-policy")))))
 
 (define critical-next-actions
-  '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
+  '((immediate
+     (("SHA-pin GitHub Actions" . high)
+      ("Add security.txt" . medium)))
+    (this-week
+     (("Client ReScript migration" . high)
+      ("Expand test coverage" . medium)
+      ("Add cargo-audit to CI" . medium)))))
 
 (define session-history
-  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")))))
+  '((snapshots
+     ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
+     ((date . "2025-12-17") (session . "security-review")
+      (notes . "Fixed Containerfile (mixed pkg mgr, wrong base), flake.nix (license, docker refs)")))))
 
 (define state-summary
-  '((project . "universal-language-server-plugin") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
+  '((project . "universal-language-server-plugin")
+    (completion . 35)
+    (blockers . 0)
+    (high-priority-issues . 3)
+    (updated . "2025-12-17")))
diff --git a/deployment/Containerfile b/deployment/Containerfile
@@ -1,16 +1,18 @@
-# Universal Language Connector - Dockerfile
+# Universal Language Connector - Containerfile
 # Multi-stage build for optimal image size
+# SPDX-License-Identifier: MIT OR AGPL-3.0-or-later
 
-# Build stage
-FROM rust:1.75-slim as builder
+# Build stage - use rust:alpine for musl-based static binary
+FROM rust:1.83-alpine AS builder
 
 WORKDIR /build
 
-# Install build dependencies
-RUN apt-get update && apk add --no-cache -y \
-    pkg-config \
-    libssl-dev \
-    && rm -rf /var/lib/apt/lists/*
+# Install build dependencies (Alpine uses apk)
+RUN apk add --no-cache \
+    musl-dev \
+    pkgconfig \
+    openssl-dev \
+    openssl-libs-static
 
 # Copy manifests
 COPY server/Cargo.toml server/Cargo.lock ./
@@ -24,37 +26,37 @@ RUN mkdir src && \
 # Copy source code
 COPY server/src ./src
 
-# Build for release
+# Build for release with static linking
 RUN cargo build --release --bin universal-connector-server
 
-# Runtime stage
-FROM cgr.dev/chainguard/wolfi-base:bookworm-slim
+# Runtime stage - use wolfi distroless for security
+FROM cgr.dev/chainguard/wolfi-base:latest
 
 WORKDIR /app
 
-# Install runtime dependencies
-RUN apt-get update && apk add --no-cache -y \
+# Install minimal runtime dependencies (wolfi uses apk)
+RUN apk add --no-cache \
     ca-certificates \
-    && rm -rf /var/lib/apt/lists/*
+    wget
 
 # Copy binary from builder
 COPY --from=builder /build/target/release/universal-connector-server /usr/local/bin/
 
 # Copy web UI (optional, for serving static files)
 COPY web /app/web
 
-# Create non-root user
-RUN useradd -m -u 1000 connector && \
+# Create non-root user (wolfi uses adduser)
+RUN adduser -D -u 1000 connector && \
     chown -R connector:connector /app
 
 USER connector
 
 # Expose ports
 EXPOSE 8080 8081
 
-# Health check
+# Health check using wget (lighter than curl)
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD ["sh", "-c", "curl -f http://localhost:8080/api/health || exit 1"]
+    CMD ["sh", "-c", "wget -q --spider http://localhost:8080/api/health || exit 1"]
 
 # Run server
 CMD ["universal-connector-server"]
diff --git a/flake.nix b/flake.nix
@@ -83,8 +83,8 @@
 
           meta = with pkgs.lib; {
             description = "LSP-based universal plugin architecture for document conversion";
-            homepage = "https://github.com/universal-connector/universal-language-connector";
-            license = with licenses; [ mit ];
+            homepage = "https://github.com/hyperpolymath/universal-language-server-plugin";
+            license = with licenses; [ mit agpl3Plus ];
             maintainers = [ ];
             mainProgram = "universal-connector-server";
           };
@@ -107,8 +107,8 @@
             rust-analyzer
             just
             nodejs_20
-            docker
-            docker-compose
+            podman
+            podman-compose
           ];
 
           shellHook = ''
