✨ Add automated session logging system

- Created logs/ structure (sessions, operations, incidents)
- Added session-start/log/end scripts
- Installed Git hooks for auto-logging commits/pushes
- Added shell integration for zsh
- Created CHANGELOG.md
- Documented today's session (2026-01-10)

docker/postgres-clean/Dockerfile

@@ -0,0 +1,55 @@
+# Clean PostgreSQL Build from Official Debian Sources
+# Built to avoid compromised Docker Hub images
+
+FROM debian:bookworm-slim
+
+# PostgreSQL version
+ENV PG_MAJOR=16
+ENV PGDATA=/var/lib/postgresql/data
+
+# Install dependencies and PostgreSQL from official apt repository
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        wget \
+        gnupg \
+        lsb-release \
+        locales; \
+    \
+    # Add PostgreSQL official repository (new GPG method)
+    mkdir -p /usr/share/postgresql-common/pgdg; \
+    wget --quiet -O /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc https://www.postgresql.org/media/keys/ACCC4CF8.asc; \
+    echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] http://apt.postgresql.org/pub/repos/apt bookworm-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \
+    \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        postgresql-$PG_MAJOR \
+        postgresql-contrib-$PG_MAJOR; \
+    \
+    # Cleanup
+    apt-get purge -y --auto-remove wget gnupg lsb-release; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    # Configure locales
+    localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+
+ENV LANG=en_US.utf8
+
+# Create postgres user and data directory
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+
+# Add volume for persistence
+VOLUME /var/lib/postgresql/data
+
+# Copy custom entrypoint (modified from official but verified)
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh && \
+    ln -s usr/local/bin/docker-entrypoint.sh /
+
+USER postgres
+
+EXPOSE 5432
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["postgres"]

docker/postgres-clean/README.md

@@ -0,0 +1,58 @@
+# Clean PostgreSQL Image
+
+**Purpose**: Build PostgreSQL from official Debian repositories to avoid compromised Docker Hub images.
+
+## Why This Exists
+
+Multiple PostgreSQL images from Docker Hub were found to be compromised with cryptocurrency miners:
+- `postgres:15-alpine` - Incident #3
+- `postgres:16-alpine` - Incident #4  
+- `postgres:14` - Incident #5
+
+This image is built from scratch using only official PostgreSQL APT repositories.
+
+## Build
+
+```bash
+cd docker/postgres-clean
+docker build -t daarion-postgres:16-clean .
+```
+
+## Verify Build
+
+```bash
+# Check no suspicious files
+docker run --rm daarion-postgres:16-clean find /tmp -type f -executable
+
+# Check process tree during startup
+docker run -d --name test-pg -e POSTGRES_PASSWORD=test daarion-postgres:16-clean
+sleep 10
+docker exec test-pg ps aux
+docker stop test-pg && docker rm test-pg
+```
+
+## Usage
+
+Replace in `docker-compose.db.yml`:
+
+```yaml
+db:
+  # image: postgres:16-alpine  # COMPROMISED
+  image: daarion-postgres:16-clean
+  # ... rest of config
+```
+
+## Security Notes
+
+- Built from Debian official repositories only
+- Minimal dependencies
+- Simplified entrypoint script (no suspicious code)
+- No hidden binaries or scripts
+- All code is readable and auditable
+
+## Maintenance
+
+To update PostgreSQL version:
+1. Edit `Dockerfile`: Update `PG_VERSION`
+2. Rebuild image
+3. Test thoroughly before deploying

docker/postgres-clean/docker-entrypoint.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+
+# usage: file_env VAR [DEFAULT]
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+# Setup environment variables
+file_env 'POSTGRES_PASSWORD'
+file_env 'POSTGRES_USER' 'postgres'
+file_env 'POSTGRES_DB' "$POSTGRES_USER"
+file_env 'POSTGRES_INITDB_ARGS'
+
+# Initialize database if needed
+if [ ! -s "$PGDATA/PG_VERSION" ]; then
+	echo "Initializing database..."
+	
+	/usr/lib/postgresql/16/bin/initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") $POSTGRES_INITDB_ARGS
+	
+	# Configure pg_hba.conf for network access
+	{
+		echo
+		echo "host all all all scram-sha-256"
+	} >> "$PGDATA/pg_hba.conf"
+	
+	# Start temporary server for setup
+	/usr/lib/postgresql/16/bin/pg_ctl -D "$PGDATA" -w start -o "-c listen_addresses=''" || exit 1
+	
+	# Create database if needed
+	if [ "$POSTGRES_DB" != 'postgres' ]; then
+		/usr/lib/postgresql/16/bin/psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres <<-EOSQL
+			CREATE DATABASE "$POSTGRES_DB";
+		EOSQL
+	fi
+	
+	# Run init scripts if present
+	if [ -d /docker-entrypoint-initdb.d ]; then
+		for f in /docker-entrypoint-initdb.d/*; do
+			case "$f" in
+				*.sh)     echo "$0: running $f"; . "$f" ;;
+				*.sql)    echo "$0: running $f"; /usr/lib/postgresql/16/bin/psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" < "$f" ;;
+				*)        echo "$0: ignoring $f" ;;
+			esac
+		done
+	fi
+	
+	# Stop temporary server
+	/usr/lib/postgresql/16/bin/pg_ctl -D "$PGDATA" -m fast -w stop
+	
+	echo "Database initialization complete."
+fi
+
+# Start PostgreSQL
+exec /usr/lib/postgresql/16/bin/postgres "$@"