🔒 security(daarion-web): Hardening after crypto-mining incidents

## Root Cause Analysis
- Found CRITICAL RCE vulnerability in Next.js 15.0.3 (GHSA-9qr9-h5gf-34mp)
- 10 vulnerabilities total including SSRF, DoS, Auth Bypass
- Attack vector: exposed port 3000 + vulnerable Next.js → remote code execution

## Security Fixes
- Upgraded Next.js: 15.0.3 → 15.5.9 (0 vulnerabilities)
- Upgraded eslint-config-next: 15.0.3 → 15.5.9

## Hardening (New Files)
- apps/web/Dockerfile.secure: Multi-stage build, read-only FS, no shell
- docker-compose.web.secure.yml: Resource limits, cap_drop ALL, localhost bind
- scripts/rebuild-daarion-web-secure.sh: Local secure rebuild with Trivy scan
- scripts/deploy-daarion-web-node1.sh: Production deployment to NODE1
- SECURITY-REBUILD-REPORT.md: Full incident analysis and remediation report

## Key Security Measures
- restart: "no" (until verified)
- ports: 127.0.0.1:3000 (localhost only, use Nginx reverse proxy)
- read_only: true
- cap_drop: ALL
- resources.limits: 1 CPU, 512M RAM
- no-new-privileges: true

## Related Incidents
- Incident #1 (Jan 8): catcal, G4NQXBp miners
- Incident #2 (Jan 9): softirq, vrarhpb miners
- Hetzner AbuseID: 10F3971:2A

Co-authored-by: Cursor Agent <agent@cursor.sh>

NODE1-ANALYSIS-2026-01-08.md

@@ -0,0 +1,221 @@
+# 📊 Аналіз стану НОДА1 — 8 січня 2026
+
+**Час аналізу:** 2026-01-08 21:06 UTC  
+**Сервер:** 144.76.224.179 (Ubuntu 24.04)  
+**Uptime:** 1:39 (після останнього перезавантаження)
+
+---
+
+## ✅ Загальний статус
+
+**Сервер:** ✅ Доступний та працює  
+**Основні сервіси:** ✅ Працюють (Router, Gateway, PostgreSQL, Redis, Qdrant)  
+**Firewall:** ✅ Активний та блокує внутрішні мережі  
+**Моніторинг:** ✅ Працює (cron кожні 15 хвилин)
+
+---
+
+## ⚠️ Проблеми, що потребують уваги
+
+### 🔴 Критичні проблеми
+
+#### 1. Контейнери в циклі перезапуску (DNS проблема)
+
+**Контейнери:**
+- `daarion-agents-service` — RestartCount=27, ExitCode=3
+- `daarion-auth` — RestartCount=27, ExitCode=3
+- `daarion-synapse` — RestartCount=25, ExitCode=1
+
+**Причина:**
+```
+socket.gaierror: [Errno -3] Temporary failure in name resolution
+```
+
+**Деталі:**
+- `daarion-agents-service` намагається підключитися до `dagi-postgres:5432`
+- `daarion-auth` намагається підключитися до `dagi-postgres:5432`
+- **Але контейнер називається `daarion-postgres`, а не `dagi-postgres`!**
+
+**Рішення:**
+1. Змінити `DATABASE_URL` в обох контейнерах:
+   - Замість: `postgresql://postgres:postgres@dagi-postgres:5432/daarion`
+   - На: `postgresql://postgres:postgres@daarion-postgres:5432/daarion`
+2. Або створити network alias: `dagi-postgres` → `daarion-postgres`
+
+**Файли для зміни:**
+- Environment variables в `docker-compose.yml` або `.env`
+- Або через `docker network connect` з alias
+
+---
+
+#### 2. Unhealthy контейнери
+
+**Контейнери:**
+- `daarion-city-service` — Up 2 hours (unhealthy)
+- `dagi-ocr-service` — Up 2 hours (unhealthy)
+
+**Дії:**
+- Перевірити логи: `docker logs daarion-city-service --tail 50`
+- Перевірити логи: `docker logs dagi-ocr-service --tail 50`
+- Перевірити health check endpoints
+
+---
+
+### 🟡 Попередження
+
+#### 1. Високе навантаження CPU
+
+**Load Average:** 18.91, 18.57, 22.53  
+**Причина:** PostgreSQL активно працює (1118% CPU — це нормально для бази даних під навантаженням)
+
+**Деталі:**
+- PostgreSQL контейнер: 1718.95% CPU, 2.56GB RAM
+- Це нормально для активної бази даних
+- Система має 20 CPU cores, тому це не критично
+
+**Рекомендація:** Моніторити, але не критично.
+
+---
+
+#### 2. Логи сканування (False Positives)
+
+**Що бачимо:**
+- Багато записів `BLOCKED_INTERNAL_SCAN` в `/var/log/scan_attempts.log`
+- Але це **Kubernetes внутрішній трафік** (10.42.0.x — CNI мережа k3s)
+- **НЕ справжнє сканування Hetzner мережі** (10.126.0.0/16)
+
+**Деталі:**
+- Firewall правила блокуватимуть всі підключення до 10.0.0.0/8
+- Kubernetes використовує 10.42.0.0/16 для своїх pod'ів
+- Це створює false positives в логах
+
+**Рекомендація:**
+- Оновити `/root/monitor_scanning.sh` щоб фільтрувати Kubernetes трафік
+- Або додати виняток для 10.42.0.0/16 в firewall правилах (якщо потрібно)
+
+---
+
+#### 3. Незбережені зміни в Git
+
+**Файли:**
+- `scripts/start-city-space-services.sh` — modified
+- `scripts/stop-city-space-services.sh` — modified
+- `scripts/stop-prod.sh` — modified
+
+**Рекомендація:** Зробити commit або stash змін.
+
+---
+
+## ✅ Що працює добре
+
+### 1. Основні сервіси
+- ✅ `dagi-router` — healthy, працює нормально
+- ✅ `dagi-postgres` (daarion-postgres) — healthy, активно працює
+- ✅ `swapper-service` — healthy
+- ✅ `dagi-nats` — healthy
+- ✅ `dagi-vector-db-service` — healthy
+- ✅ `dagi-web-search-service` — healthy
+- ✅ `dagi-stt-service` — healthy
+- ✅ `dagi-qdrant` — працює
+- ✅ `telegram-bot-api` — працює
+
+### 2. Безпека
+- ✅ Firewall правила активні:
+  - Блокування 10.0.0.0/8 (з винятками для 80/443)
+  - Блокування 172.16.0.0/12
+  - Логування заблокованих спроб
+- ✅ Моніторинг активний:
+  - `/root/monitor_scanning.sh` — cron кожні 15 хвилин
+  - `/root/prevent_scanning.sh` — firewall скрипт
+  - Логи в `/var/log/scan_attempts.log`
+
+### 3. Ресурси
+- ✅ RAM: 8.3GB / 62GB використано (13%)
+- ✅ Disk: 365GB / 1.7TB використано (23%)
+- ✅ CPU: 20 cores доступно
+- ✅ Swap: 0B / 31GB використано
+
+---
+
+## 📋 Рекомендації
+
+### Негайні дії (високий пріоритет)
+
+1. **Виправити DNS проблему:**
+   ```bash
+   # Варіант 1: Змінити DATABASE_URL в docker-compose.yml
+   # Варіант 2: Додати network alias
+   docker network connect --alias dagi-postgres dagi-network daarion-postgres
+   ```
+
+2. **Перевірити unhealthy контейнери:**
+   ```bash
+   docker logs daarion-city-service --tail 50
+   docker logs dagi-ocr-service --tail 50
+   ```
+
+3. **Перевірити daarion-synapse:**
+   ```bash
+   docker logs daarion-synapse --tail 50
+   ```
+
+### Середній пріоритет
+
+4. **Оновити моніторинг скрипт:**
+   - Фільтрувати Kubernetes трафік (10.42.0.0/16)
+   - Або додати виняток в firewall
+
+5. **Зберегти зміни в Git:**
+   ```bash
+   cd /opt/microdao-daarion
+   git add scripts/
+   git commit -m "chore: update city space service scripts"
+   ```
+
+### Низький пріоритет
+
+6. **Моніторити навантаження CPU:**
+   - PostgreSQL активно працює, це нормально
+   - Якщо load average залишиться високим після виправлення DNS — перевірити інші процеси
+
+---
+
+## 🔍 Детальна інформація
+
+### Контейнери (загалом: 30)
+
+**Працюють нормально:** 25  
+**Unhealthy:** 2  
+**Restarting:** 3
+
+### Мережі Docker
+
+- `dagi-network` — основна мережа для DAGI сервісів
+- `daarion-network` — мережа для DAARION сервісів
+- `docker_default` — Dify сервіси
+- Інші: ocr-service, stt-service, vector-db-service, web-search-service
+
+### Cron jobs
+
+- `*/5 * * * *` — `/opt/microdao-daarion/scripts/monitor-db-stability.sh`
+- `*/15 * * * *` — `/root/monitor_scanning.sh`
+
+---
+
+## 📝 Висновок
+
+**Загальний стан:** 🟡 Потребує уваги
+
+**Основна проблема:** DNS конфігурація для PostgreSQL — контейнери не можуть знайти базу даних через неправильне ім'я хоста.
+
+**Критичність:** Середня — основні сервіси працюють, але 3 контейнери в циклі перезапуску.
+
+**Наступні кроки:**
+1. Виправити `DATABASE_URL` в `daarion-agents-service` та `daarion-auth`
+2. Перевірити логи unhealthy контейнерів
+3. Оновити моніторинг скрипт для фільтрації Kubernetes трафіку
+
+---
+
+**Звіт створено:** 2026-01-08 21:06 UTC  
+**Агентом:** Cursor AI (використовуючи інструкції з INFRASTRUCTURE.md)

SECURITY-REBUILD-REPORT.md

@@ -0,0 +1,204 @@
+# 🔒 SECURITY REBUILD REPORT: daarion-web
+
+**Дата:** 2026-01-09  
+**Версія:** 1.0.0  
+**Статус:** ✅ Готово до deployment  
+**Автор:** Cursor Agent (Security Analysis)
+
+---
+
+## 📋 Executive Summary
+
+Проведено повний аналіз безпеки та hardening контейнера `daarion-web` після двох інцидентів криптомайнінгу.
+
+### Ключові знахідки
+
+| Аспект | Статус | Деталі |
+|--------|--------|--------|
+| Source Code | ✅ ЧИСТИЙ | Немає malicious коду |
+| Dependencies | 🔴→✅ ВИПРАВЛЕНО | Next.js 15.0.3 → 15.5.9 |
+| npm audit | ✅ ПРОЙДЕНО | 0 вразливостей |
+| Dockerfile | ✅ HARDENED | Створено Dockerfile.secure |
+| docker-compose | ✅ HARDENED | Створено docker-compose.web.secure.yml |
+
+---
+
+## 🔍 Розслідування (Root Cause Analysis)
+
+### Виявлена критична вразливість
+
+**Next.js 15.0.3 мала 10 вразливостей:**
+
+| CVE/GHSA | Severity | Тип | Експлуатація |
+|----------|----------|-----|--------------|
+| GHSA-9qr9-h5gf-34mp | 🔴 CRITICAL | **RCE** | Remote Code Execution через React Flight Protocol |
+| GHSA-4342-x723-ch2f | 🔴 HIGH | **SSRF** | Server-Side Request Forgery через Middleware |
+| GHSA-7m27-7ghc-44w9 | 🔴 HIGH | **DoS** | Denial of Service через Server Actions |
+| GHSA-f82v-jwr5-mffw | 🟡 HIGH | Auth Bypass | Authorization Bypass в Middleware |
+| GHSA-qpjv-v59x-3qc4 | 🟡 HIGH | Cache Poison | Race Condition для Cache Poisoning |
+| + 5 інших | 🟡 MEDIUM | Various | Information Exposure, Content Injection |
+
+### Вектор атаки (найбільш вірогідний)
+
+```
+1. Атакуючий сканував exposed порт 3000
+2. Виявив вразливу версію Next.js (15.0.3)
+3. Експлуатував RCE (GHSA-9qr9-h5gf-34mp) через React Flight Protocol
+4. Завантажив та запустив криптомайнер
+5. Malware персистився в running container
+6. При перезапуску → re-exploitation → нові майнери
+```
+
+### Чому різні майнери в різних інцидентах
+
+| Інцидент | Майнери | Пояснення |
+|----------|---------|-----------|
+| #1 (8 січня) | `catcal`, `G4NQXBp` | Перша експлуатація |
+| #2 (9 січня) | `softirq`, `vrarhpb` | Автоматичний re-exploit з новим payload |
+
+**Висновок:** Атакуючий використовував автоматизований інструмент, який завантажував актуальну версію malware при кожній експлуатації.
+
+---
+
+## 🛡️ Hardening Заходи
+
+### 1. Оновлення Dependencies
+
+```bash
+# До
+"next": "15.0.3"  # 10 CRITICAL/HIGH вразливостей
+
+# Після
+"next": "^15.5.9"  # 0 вразливостей
+```
+
+### 2. Dockerfile.secure
+
+Створено `/apps/web/Dockerfile.secure` з:
+
+- ✅ Multi-stage build (ізоляція build-time від runtime)
+- ✅ `npm ci --only=production --ignore-scripts` (блокування postinstall attacks)
+- ✅ Non-root user (nextjs:1001)
+- ✅ Видалення curl/wget/shell (обмеження інструментів атаки)
+- ✅ Restrictive permissions (chmod 500/400)
+- ✅ Health check
+
+### 3. docker-compose.web.secure.yml
+
+Створено з security hardening:
+
+```yaml
+# Ключові налаштування
+restart: "no"                    # До перевірки!
+ports:
+  - "127.0.0.1:3000:3000"       # Тільки localhost
+read_only: true                  # Read-only filesystem
+cap_drop: [ALL]                  # Drop all capabilities
+security_opt:
+  - no-new-privileges:true
+resources:
+  limits:
+    cpus: '1.0'
+    memory: 512M
+user: "1001:1001"
+```
+
+### 4. Security Scan Script
+
+Створено `/scripts/rebuild-daarion-web-secure.sh`:
+
+1. Pre-flight checks
+2. Cleanup old images
+3. npm audit
+4. Build with no-cache
+5. Trivy scan
+6. Test container
+7. Monitoring instructions
+
+---
+
+## 🧪 Результати Тестування
+
+### npm audit
+
+```
+✅ found 0 vulnerabilities
+```
+
+### Trivy scan (pending Docker start)
+
+```bash
+# Команда для запуску
+trivy image --severity HIGH,CRITICAL daarion-web:secure-test
+```
+
+---
+
+## 🚀 Deployment Checklist
+
+### Локальне тестування (NODE2/MacBook)
+
+- [ ] Запустити Docker Desktop
+- [ ] Виконати `./scripts/rebuild-daarion-web-secure.sh`
+- [ ] Дочекатися Trivy scan
+- [ ] Моніторити контейнер 15+ хвилин
+- [ ] Перевірити CPU usage (<10%)
+- [ ] Перевірити процеси (тільки node)
+
+### Production deployment (NODE1/Hetzner)
+
+- [ ] Зробити backup поточного стану
+- [ ] Скопіювати нові файли на NODE1:
+  - `apps/web/Dockerfile.secure`
+  - `apps/web/package.json` (оновлений)
+  - `apps/web/package-lock.json`
+  - `docker-compose.web.secure.yml`
+  - `scripts/rebuild-daarion-web-secure.sh`
+- [ ] Побудувати образ на NODE1
+- [ ] Запустити Trivy scan
+- [ ] Запустити контейнер
+- [ ] Моніторити 30+ хвилин
+- [ ] Після успішної перевірки: `restart: "unless-stopped"`
+
+---
+
+## 📁 Створені файли
+
+| Файл | Призначення |
+|------|-------------|
+| `apps/web/Dockerfile.secure` | Hardened Dockerfile |
+| `docker-compose.web.secure.yml` | Secure docker-compose |
+| `scripts/rebuild-daarion-web-secure.sh` | Deployment script |
+| `SECURITY-REBUILD-REPORT.md` | Цей звіт |
+
+---
+
+## ⚠️ Важливі попередження
+
+### НЕ РОБІТЬ:
+
+1. ❌ Не запускайте старий образ `daarion-web:latest`
+2. ❌ Не використовуйте `restart: unless-stopped` без перевірки
+3. ❌ Не виставляйте порт 3000 на public IP
+4. ❌ Не пропускайте security scanning
+
+### ОБОВ'ЯЗКОВО:
+
+1. ✅ Використовуйте тільки `Dockerfile.secure`
+2. ✅ Запускайте Trivy scan перед кожним deployment
+3. ✅ Bind порт до `127.0.0.1` (доступ через Nginx)
+4. ✅ Моніторте CPU/memory після запуску
+5. ✅ Тримайте Next.js оновленим
+
+---
+
+## 📞 Контакти
+
+**При виникненні проблем:**
+- Hetzner Abuse: https://statement-abuse.hetzner.com
+- Security Team: admin@daarion.city
+
+---
+
+**Останнє оновлення:** 2026-01-09 10:30 UTC  
+**Наступна ревізія:** Після production deployment

apps/web/Dockerfile.secure

@@ -0,0 +1,95 @@
+# DAARION Web Frontend - SECURE Dockerfile
+# Multi-stage build with security hardening
+# Version: 2.0.0 (Post-Incident Hardening)
+# Created: 2026-01-09
+
+# ============================================
+# Stage 1: Dependencies (isolated build)
+# ============================================
+FROM node:20-alpine AS deps
+
+# Security: Remove unnecessary packages
+RUN apk add --no-cache libc6-compat \
+    && rm -rf /var/cache/apk/*
+
+WORKDIR /app
+
+# Copy only package files for caching
+COPY package.json package-lock.json* ./
+
+# Clean install with audit
+RUN npm ci --only=production --ignore-scripts \
+    && npm cache clean --force
+
+# ============================================
+# Stage 2: Builder (compile application)
+# ============================================
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# Copy dependencies from previous stage
+COPY --from=deps /app/node_modules ./node_modules
+
+# Copy source code
+COPY . .
+
+# Build-time environment
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV NODE_ENV=production
+
+# Build the application
+RUN npm run build
+
+# Remove dev dependencies and clean
+RUN npm prune --production \
+    && rm -rf .git .github .next/cache
+
+# ============================================
+# Stage 3: Runner (minimal production image)
+# ============================================
+FROM node:20-alpine AS runner
+
+LABEL maintainer="DAARION Security Team"
+LABEL version="2.0.0-secure"
+LABEL description="Hardened DAARION Web Frontend"
+
+WORKDIR /app
+
+# Environment
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=3000
+ENV HOSTNAME="0.0.0.0"
+
+# Create non-root user with specific UID/GID
+RUN addgroup --system --gid 1001 nodejs \
+    && adduser --system --uid 1001 --ingroup nodejs nextjs
+
+# Security: Remove unnecessary tools
+RUN apk del --purge wget curl \
+    && rm -rf /var/cache/apk/* /tmp/* /var/tmp/* \
+    && rm -f /bin/sh /bin/ash 2>/dev/null || true
+
+# Copy only necessary production files
+COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+# Security: Set restrictive permissions
+RUN chmod -R 500 /app \
+    && chmod -R 400 /app/public \
+    && chmod 500 /app/server.js
+
+# Switch to non-root user
+USER nextjs
+
+# Expose port (internal only)
+EXPOSE 3000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))" || exit 1
+
+# Run application
+CMD ["node", "server.js"]

apps/web/package-lock.json

@@ -11,7 +11,7 @@
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
         "lucide-react": "^0.460.0",
-        "next": "15.0.3",
+        "next": "^15.5.9",
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "swr": "^2.3.6",
@@ -23,7 +23,7 @@
         "@types/react-dom": "^18.3.1",
         "autoprefixer": "^10.4.20",
         "eslint": "^9.15.0",
-        "eslint-config-next": "15.0.3",
+        "eslint-config-next": "^15.5.9",
         "postcss": "^8.4.49",
         "tailwindcss": "^3.4.15",
         "typescript": "^5.7.2"
@@ -271,10 +271,20 @@
         "url": "https://github.com/sponsors/nzakas"
       }
     },
+    "node_modules/@img/colour": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.0.0.tgz",
+      "integrity": "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==",
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@img/sharp-darwin-arm64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz",
-      "integrity": "sha512-UT4p+iz/2H4twwAoLCqfA9UH5pI6DggwKEGuaPy7nCVQ8ZsiY5PIcrRvD1DzuY3qYL07NtIQcWnBSY/heikIFQ==",
+      "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==",
       "cpu": [
         "arm64"
       ],
@@ -290,13 +300,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-darwin-arm64": "1.0.4"
+        "@img/sharp-libvips-darwin-arm64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-darwin-x64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz",
-      "integrity": "sha512-fyHac4jIc1ANYGRDxtiqelIbdWkIuQaI84Mv45KvGRRxSAa7o7d1ZKAOBaYbnepLC1WqxfpimdeWfvqqSGwR2Q==",
+      "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==",
       "cpu": [
         "x64"
       ],
@@ -312,13 +322,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-darwin-x64": "1.0.4"
+        "@img/sharp-libvips-darwin-x64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-libvips-darwin-arm64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz",
-      "integrity": "sha512-XblONe153h0O2zuFfTAbQYAX2JhYmDHeWikp1LM9Hul9gVPjFY427k6dFEcOL72O01QxQsWi761svJ/ev9xEDg==",
+      "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==",
       "cpu": [
         "arm64"
       ],
@@ -332,9 +342,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-darwin-x64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz",
-      "integrity": "sha512-xnGR8YuZYfJGmWPvmlunFaWJsb9T/AO2ykoP3Fz/0X5XV2aoYBPkX6xqCQvUTKKiLddarLaxpzNe+b1hjeWHAQ==",
+      "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==",
       "cpu": [
         "x64"
       ],
@@ -348,9 +358,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-linux-arm": {
-      "version": "1.0.5",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.0.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz",
-      "integrity": "sha512-gvcC4ACAOPRNATg/ov8/MnbxFDJqf/pDePbBnuBDcjsI8PssmjoKMAz4LtLaVi+OnSb5FK/yIOamqDwGmXW32g==",
+      "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==",
       "cpu": [
         "arm"
       ],
@@ -364,9 +374,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-linux-arm64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz",
-      "integrity": "sha512-9B+taZ8DlyyqzZQnoeIvDVR/2F4EbMepXMc/NdVbkzsJbzkUjhXv/70GQJ7tdLA4YJgNP25zukcxpX2/SueNrA==",
+      "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==",
       "cpu": [
         "arm64"
       ],
@@ -379,10 +389,42 @@
         "url": "https://opencollective.com/libvips"
       }
     },
+    "node_modules/@img/sharp-libvips-linux-ppc64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-ppc64/-/sharp-libvips-linux-ppc64-1.2.4.tgz",
+      "integrity": "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-riscv64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-riscv64/-/sharp-libvips-linux-riscv64-1.2.4.tgz",
+      "integrity": "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
     "node_modules/@img/sharp-libvips-linux-s390x": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.2.4.tgz",
-      "integrity": "sha512-u7Wz6ntiSSgGSGcjZ55im6uvTrOxSIS8/dgoVMoiGE9I6JAfU50yH5BoDlYA1tcuGS7g/QNtetJnxA6QEsCVTA==",
+      "integrity": "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==",
       "cpu": [
         "s390x"
       ],
@@ -396,9 +438,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-linux-x64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz",
-      "integrity": "sha512-MmWmQ3iPFZr0Iev+BAgVMb3ZyC4KeFc3jFxnNbEPas60e1cIfevbtuyf9nDGIzOaW9PdnDciJm+wFFaTlj5xYw==",
+      "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==",
       "cpu": [
         "x64"
       ],
@@ -412,9 +454,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz",
-      "integrity": "sha512-9Ti+BbTYDcsbp4wfYib8Ctm1ilkugkA/uscUn6UXK1ldpC1JjiXbLfFZtRlBhjPZ5o1NCLiDbg8fhUPKStHoTA==",
+      "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==",
       "cpu": [
         "arm64"
       ],
@@ -428,9 +470,9 @@
       }
     },
     "node_modules/@img/sharp-libvips-linuxmusl-x64": {
-      "version": "1.0.4",
+      "version": "1.2.4",
-      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.0.4.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz",
-      "integrity": "sha512-viYN1KX9m+/hGkJtvYYp+CCLgnJXwiQB39damAO7WMdKWlIhmYTfHjwSbQeUK/20vY154mwezd9HflVFM1wVSw==",
+      "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==",
       "cpu": [
         "x64"
       ],
@@ -444,9 +486,9 @@
       }
     },
     "node_modules/@img/sharp-linux-arm": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz",
-      "integrity": "sha512-JTS1eldqZbJxjvKaAkxhZmBqPRGmxgu+qFKSInv8moZ2AmT5Yib3EQ1c6gp493HvrvV8QgdOXdyaIBrhvFhBMQ==",
+      "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==",
       "cpu": [
         "arm"
       ],
@@ -462,13 +504,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linux-arm": "1.0.5"
+        "@img/sharp-libvips-linux-arm": "1.2.4"
       }
     },
     "node_modules/@img/sharp-linux-arm64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz",
-      "integrity": "sha512-JMVv+AMRyGOHtO1RFBiJy/MBsgz0x4AWrT6QoEVVTyh1E39TrCUpTRI7mx9VksGX4awWASxqCYLCV4wBZHAYxA==",
+      "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==",
       "cpu": [
         "arm64"
       ],
@@ -484,13 +526,57 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linux-arm64": "1.0.4"
+        "@img/sharp-libvips-linux-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-ppc64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-ppc64/-/sharp-linux-ppc64-0.34.5.tgz",
+      "integrity": "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-ppc64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-riscv64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-riscv64/-/sharp-linux-riscv64-0.34.5.tgz",
+      "integrity": "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-riscv64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-linux-s390x": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.34.5.tgz",
-      "integrity": "sha512-y/5PCd+mP4CA/sPDKl2961b+C9d+vPAveS33s6Z3zfASk2j5upL6fXVPZi7ztePZ5CuH+1kW8JtvxgbuXHRa4Q==",
+      "integrity": "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==",
       "cpu": [
         "s390x"
       ],
@@ -506,13 +592,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linux-s390x": "1.0.4"
+        "@img/sharp-libvips-linux-s390x": "1.2.4"
       }
     },
     "node_modules/@img/sharp-linux-x64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz",
-      "integrity": "sha512-opC+Ok5pRNAzuvq1AG0ar+1owsu842/Ab+4qvU879ippJBHvyY5n2mxF1izXqkPYlGuP/M556uh53jRLJmzTWA==",
+      "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==",
       "cpu": [
         "x64"
       ],
@@ -528,13 +614,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linux-x64": "1.0.4"
+        "@img/sharp-libvips-linux-x64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-linuxmusl-arm64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz",
-      "integrity": "sha512-XrHMZwGQGvJg2V/oRSUfSAfjfPxO+4DkiRh6p2AFjLQztWUuY/o8Mq0eMQVIY7HJ1CDQUJlxGGZRw1a5bqmd1g==",
+      "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==",
       "cpu": [
         "arm64"
       ],
@@ -550,13 +636,13 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linuxmusl-arm64": "1.0.4"
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-linuxmusl-x64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz",
-      "integrity": "sha512-WT+d/cgqKkkKySYmqoZ8y3pxx7lx9vVejxW/W4DOFMYVSkErR+w7mf2u8m/y4+xHe7yY9DAXQMWQhpnMuFfScw==",
+      "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==",
       "cpu": [
         "x64"
       ],
@@ -572,20 +658,20 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-libvips-linuxmusl-x64": "1.0.4"
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4"
       }
     },
     "node_modules/@img/sharp-wasm32": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.34.5.tgz",
-      "integrity": "sha512-ykUW4LVGaMcU9lu9thv85CbRMAwfeadCJHRsg2GmeRa/cJxsVY9Rbd57JcMxBkKHag5U/x7TSBpScF4U8ElVzg==",
+      "integrity": "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==",
       "cpu": [
         "wasm32"
       ],
       "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
       "optional": true,
       "dependencies": {
-        "@emnapi/runtime": "^1.2.0"
+        "@emnapi/runtime": "^1.7.0"
       },
       "engines": {
         "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
@@ -594,10 +680,29 @@
         "url": "https://opencollective.com/libvips"
       }
     },
+    "node_modules/@img/sharp-win32-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz",
+      "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
     "node_modules/@img/sharp-win32-ia32": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.34.5.tgz",
-      "integrity": "sha512-T36PblLaTwuVJ/zw/LaH0PdZkRz5rd3SmMHX8GSmR7vtNSP5Z6bQkExdSK7xGWyxLw4sUknBuugTelgw2faBbQ==",
+      "integrity": "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==",
       "cpu": [
         "ia32"
       ],
@@ -614,9 +719,9 @@
       }
     },
     "node_modules/@img/sharp-win32-x64": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz",
-      "integrity": "sha512-MpY/o8/8kj+EcnxwvrP4aTJSWw/aZ7JIGR4aBeZkZw5B7/Jn+tY9/VNwtcoGmdT7GfggGIU4kygOMSbYnOrAbg==",
+      "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==",
       "cpu": [
         "x64"
       ],
@@ -685,15 +790,15 @@
       }
     },
     "node_modules/@next/env": {
-      "version": "15.0.3",
+      "version": "15.5.9",
-      "resolved": "https://registry.npmjs.org/@next/env/-/env-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/env/-/env-15.5.9.tgz",
-      "integrity": "sha512-t9Xy32pjNOvVn2AS+Utt6VmyrshbpfUMhIjFO60gI58deSo/KgLOp31XZ4O+kY/Is8WAGYwA5gR7kOb1eORDBA==",
+      "integrity": "sha512-4GlTZ+EJM7WaW2HEZcyU317tIQDjkQIyENDLxYJfSWlfqguN+dHkZgyQTV/7ykvobU7yEH5gKvreNrH4B6QgIg==",
       "license": "MIT"
     },
     "node_modules/@next/eslint-plugin-next": {
-      "version": "15.0.3",
+      "version": "15.5.9",
-      "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/eslint-plugin-next/-/eslint-plugin-next-15.5.9.tgz",
-      "integrity": "sha512-3Ln/nHq2V+v8uIaxCR6YfYo7ceRgZNXfTd3yW1ukTaFbO+/I8jNakrjYWODvG9BuR2v5kgVtH/C8r0i11quOgw==",
+      "integrity": "sha512-kUzXx0iFiXw27cQAViE1yKWnz/nF8JzRmwgMRTMh8qMY90crNsdXJRh2e+R0vBpFR3kk1yvAR7wev7+fCCb79Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -701,9 +806,9 @@
       }
     },
     "node_modules/@next/swc-darwin-arm64": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-arm64/-/swc-darwin-arm64-15.5.7.tgz",
-      "integrity": "sha512-s3Q/NOorCsLYdCKvQlWU+a+GeAd3C8Rb3L1YnetsgwXzhc3UTWrtQpB/3eCjFOdGUj5QmXfRak12uocd1ZiiQw==",
+      "integrity": "sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw==",
       "cpu": [
         "arm64"
       ],
@@ -717,9 +822,9 @@
       }
     },
     "node_modules/@next/swc-darwin-x64": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-darwin-x64/-/swc-darwin-x64-15.5.7.tgz",
-      "integrity": "sha512-Zxl/TwyXVZPCFSf0u2BNj5sE0F2uR6iSKxWpq4Wlk/Sv9Ob6YCKByQTkV2y6BCic+fkabp9190hyrDdPA/dNrw==",
+      "integrity": "sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg==",
       "cpu": [
         "x64"
       ],
@@ -733,9 +838,9 @@
       }
     },
     "node_modules/@next/swc-linux-arm64-gnu": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-gnu/-/swc-linux-arm64-gnu-15.5.7.tgz",
-      "integrity": "sha512-T5+gg2EwpsY3OoaLxUIofmMb7ohAUlcNZW0fPQ6YAutaWJaxt1Z1h+8zdl4FRIOr5ABAAhXtBcpkZNwUcKI2fw==",
+      "integrity": "sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA==",
       "cpu": [
         "arm64"
       ],
@@ -749,9 +854,9 @@
       }
     },
     "node_modules/@next/swc-linux-arm64-musl": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-arm64-musl/-/swc-linux-arm64-musl-15.5.7.tgz",
-      "integrity": "sha512-WkAk6R60mwDjH4lG/JBpb2xHl2/0Vj0ZRu1TIzWuOYfQ9tt9NFsIinI1Epma77JVgy81F32X/AeD+B2cBu/YQA==",
+      "integrity": "sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw==",
       "cpu": [
         "arm64"
       ],
@@ -765,9 +870,9 @@
       }
     },
     "node_modules/@next/swc-linux-x64-gnu": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-gnu/-/swc-linux-x64-gnu-15.5.7.tgz",
-      "integrity": "sha512-gWL/Cta1aPVqIGgDb6nxkqy06DkwJ9gAnKORdHWX1QBbSZZB+biFYPFti8aKIQL7otCE1pjyPaXpFzGeG2OS2w==",
+      "integrity": "sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw==",
       "cpu": [
         "x64"
       ],
@@ -781,9 +886,9 @@
       }
     },
     "node_modules/@next/swc-linux-x64-musl": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-linux-x64-musl/-/swc-linux-x64-musl-15.5.7.tgz",
-      "integrity": "sha512-QQEMwFd8r7C0GxQS62Zcdy6GKx999I/rTO2ubdXEe+MlZk9ZiinsrjwoiBL5/57tfyjikgh6GOU2WRQVUej3UA==",
+      "integrity": "sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA==",
       "cpu": [
         "x64"
       ],
@@ -797,9 +902,9 @@
       }
     },
     "node_modules/@next/swc-win32-arm64-msvc": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-arm64-msvc/-/swc-win32-arm64-msvc-15.5.7.tgz",
-      "integrity": "sha512-9TEp47AAd/ms9fPNgtgnT7F3M1Hf7koIYYWCMQ9neOwjbVWJsHZxrFbI3iEDJ8rf1TDGpmHbKxXf2IFpAvheIQ==",
+      "integrity": "sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ==",
       "cpu": [
         "arm64"
       ],
@@ -813,9 +918,9 @@
       }
     },
     "node_modules/@next/swc-win32-x64-msvc": {
-      "version": "15.0.3",
+      "version": "15.5.7",
-      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/@next/swc-win32-x64-msvc/-/swc-win32-x64-msvc-15.5.7.tgz",
-      "integrity": "sha512-VNAz+HN4OGgvZs6MOoVfnn41kBzT+M+tB+OK4cww6DNyWS6wKaDpaAm/qLeOUbnMh0oVx1+mg0uoYARF69dJyA==",
+      "integrity": "sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw==",
       "cpu": [
         "x64"
       ],
@@ -890,19 +995,13 @@
       "dev": true,
       "license": "MIT"
     },
-    "node_modules/@swc/counter": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/@swc/counter/-/counter-0.1.3.tgz",
-      "integrity": "sha512-e2BR4lsJkkRlKZ/qCHPw9ZaSxc0MVUd7gtbtaB7aMvHeJVYe8sOB8DBZkP2DtISHGSku9sCK6T6cnY0CtXrOCQ==",
-      "license": "Apache-2.0"
-    },
     "node_modules/@swc/helpers": {
-      "version": "0.5.13",
+      "version": "0.5.15",
-      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.13.tgz",
+      "resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.15.tgz",
-      "integrity": "sha512-UoKGxQ3r5kYI9dALKJapMmuK+1zWM/H17Z1+iwnNmzcJRnfFuevZs375TA5rW31pu4BS4NoSy1fRsexDXfWn5w==",
+      "integrity": "sha512-JQ5TuMi45Owi4/BIMAJBoSQoOJu12oOk/gADqlcUL9JEdHB8vyjUSsxqeNXnmXHjYKMi2WcYtezGEEhqUI/E2g==",
       "license": "Apache-2.0",
       "dependencies": {
-        "tslib": "^2.4.0"
+        "tslib": "^2.8.0"
       }
     },
     "node_modules/@tybys/wasm-util": {
@@ -1941,17 +2040,6 @@
         "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
       }
     },
-    "node_modules/busboy": {
-      "version": "1.6.0",
-      "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz",
-      "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==",
-      "dependencies": {
-        "streamsearch": "^1.1.0"
-      },
-      "engines": {
-        "node": ">=10.16.0"
-      }
-    },
     "node_modules/call-bind": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/call-bind/-/call-bind-1.0.8.tgz",
@@ -2124,25 +2212,11 @@
         "node": ">=6"
       }
     },
-    "node_modules/color": {
-      "version": "4.2.3",
-      "resolved": "https://registry.npmjs.org/color/-/color-4.2.3.tgz",
-      "integrity": "sha512-1rXeuUUiGGrykh+CeBdu5Ie7OJwinCgQY0bc7GCRxy5xVHy+moaqkpL/jqQq0MtQOeYcrqEz4abc5f0KtU7W4A==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "color-convert": "^2.0.1",
-        "color-string": "^1.9.0"
-      },
-      "engines": {
-        "node": ">=12.5.0"
-      }
-    },
     "node_modules/color-convert": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
       "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "devOptional": true,
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "color-name": "~1.1.4"
@@ -2155,20 +2229,9 @@
       "version": "1.1.4",
       "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
       "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
-      "devOptional": true,
+      "dev": true,
       "license": "MIT"
     },
-    "node_modules/color-string": {
-      "version": "1.9.1",
-      "resolved": "https://registry.npmjs.org/color-string/-/color-string-1.9.1.tgz",
-      "integrity": "sha512-shrVawQFojnZv6xM40anx4CkoDP+fZsw/ZerEMsW/pyzsRbElpsL/DBVW7q3ExxwusdNXI3lXpuhEZkzs8p5Eg==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "color-name": "^1.0.0",
-        "simple-swizzle": "^0.2.2"
-      }
-    },
     "node_modules/commander": {
       "version": "4.1.1",
       "resolved": "https://registry.npmjs.org/commander/-/commander-4.1.1.tgz",
@@ -2679,13 +2742,13 @@
       }
     },
     "node_modules/eslint-config-next": {
-      "version": "15.0.3",
+      "version": "15.5.9",
-      "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/eslint-config-next/-/eslint-config-next-15.5.9.tgz",
-      "integrity": "sha512-IGP2DdQQrgjcr4mwFPve4DrCqo7CVVez1WoYY47XwKSrYO4hC0Dlb+iJA60i0YfICOzgNADIb8r28BpQ5Zs0wg==",
+      "integrity": "sha512-852JYI3NkFNzW8CqsMhI0K2CDRxTObdZ2jQJj5CtpEaOkYHn13107tHpNuD/h0WRpU4FAbCdUaxQsrfBtNK9Kw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@next/eslint-plugin-next": "15.0.3",
+        "@next/eslint-plugin-next": "15.5.9",
         "@rushstack/eslint-patch": "^1.10.3",
         "@typescript-eslint/eslint-plugin": "^5.4.2 || ^6.0.0 || ^7.0.0 || ^8.0.0",
         "@typescript-eslint/parser": "^5.4.2 || ^6.0.0 || ^7.0.0 || ^8.0.0",
@@ -2693,7 +2756,7 @@
         "eslint-import-resolver-typescript": "^3.5.2",
         "eslint-plugin-import": "^2.31.0",
         "eslint-plugin-jsx-a11y": "^6.10.0",
-        "eslint-plugin-react": "^7.35.0",
+        "eslint-plugin-react": "^7.37.0",
         "eslint-plugin-react-hooks": "^5.0.0"
       },
       "peerDependencies": {
@@ -3561,13 +3624,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/is-arrayish": {
-      "version": "0.3.4",
-      "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.3.4.tgz",
-      "integrity": "sha512-m6UrgzFVUYawGBh1dUsWR5M2Clqic9RVXC/9f8ceNlv2IcO9j9J/z8UoCLPqtsPBFNzEpfR3xftohbfqDx8EQA==",
-      "license": "MIT",
-      "optional": true
-    },
     "node_modules/is-async-function": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-async-function/-/is-async-function-2.1.1.tgz",
@@ -4302,15 +4358,13 @@
       "license": "MIT"
     },
     "node_modules/next": {
-      "version": "15.0.3",
+      "version": "15.5.9",
-      "resolved": "https://registry.npmjs.org/next/-/next-15.0.3.tgz",
+      "resolved": "https://registry.npmjs.org/next/-/next-15.5.9.tgz",
-      "integrity": "sha512-ontCbCRKJUIoivAdGB34yCaOcPgYXr9AAkV/IwqFfWWTXEPUgLYkSkqBhIk9KK7gGmgjc64B+RdoeIDM13Irnw==",
+      "integrity": "sha512-agNLK89seZEtC5zUHwtut0+tNrc0Xw4FT/Dg+B/VLEo9pAcS9rtTKpek3V6kVcVwsB2YlqMaHdfZL4eLEVYuCg==",
       "license": "MIT",
       "dependencies": {
-        "@next/env": "15.0.3",
+        "@next/env": "15.5.9",
-        "@swc/counter": "0.1.3",
+        "@swc/helpers": "0.5.15",
-        "@swc/helpers": "0.5.13",
-        "busboy": "1.6.0",
         "caniuse-lite": "^1.0.30001579",
         "postcss": "8.4.31",
         "styled-jsx": "5.1.6"
@@ -4322,22 +4376,22 @@
         "node": "^18.18.0 || ^19.8.0 || >= 20.0.0"
       },
       "optionalDependencies": {
-        "@next/swc-darwin-arm64": "15.0.3",
+        "@next/swc-darwin-arm64": "15.5.7",
-        "@next/swc-darwin-x64": "15.0.3",
+        "@next/swc-darwin-x64": "15.5.7",
-        "@next/swc-linux-arm64-gnu": "15.0.3",
+        "@next/swc-linux-arm64-gnu": "15.5.7",
-        "@next/swc-linux-arm64-musl": "15.0.3",
+        "@next/swc-linux-arm64-musl": "15.5.7",
-        "@next/swc-linux-x64-gnu": "15.0.3",
+        "@next/swc-linux-x64-gnu": "15.5.7",
-        "@next/swc-linux-x64-musl": "15.0.3",
+        "@next/swc-linux-x64-musl": "15.5.7",
-        "@next/swc-win32-arm64-msvc": "15.0.3",
+        "@next/swc-win32-arm64-msvc": "15.5.7",
-        "@next/swc-win32-x64-msvc": "15.0.3",
+        "@next/swc-win32-x64-msvc": "15.5.7",
-        "sharp": "^0.33.5"
+        "sharp": "^0.34.3"
       },
       "peerDependencies": {
         "@opentelemetry/api": "^1.1.0",
-        "@playwright/test": "^1.41.2",
+        "@playwright/test": "^1.51.1",
         "babel-plugin-react-compiler": "*",
-        "react": "^18.2.0 || 19.0.0-rc-66855b96-20241106",
+        "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0",
-        "react-dom": "^18.2.0 || 19.0.0-rc-66855b96-20241106",
+        "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0",
         "sass": "^1.3.0"
       },
       "peerDependenciesMeta": {
@@ -5218,16 +5272,16 @@
       }
     },
     "node_modules/sharp": {
-      "version": "0.33.5",
+      "version": "0.34.5",
-      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.33.5.tgz",
+      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.34.5.tgz",
-      "integrity": "sha512-haPVm1EkS9pgvHrQ/F3Xy+hgcuMV0Wm9vfIBSiwZ05k+xgb0PkBQpGsAA/oWdDobNaZTH5ppvHtzCFbnSEwHVw==",
+      "integrity": "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==",
       "hasInstallScript": true,
       "license": "Apache-2.0",
       "optional": true,
       "dependencies": {
-        "color": "^4.2.3",
+        "@img/colour": "^1.0.0",
-        "detect-libc": "^2.0.3",
+        "detect-libc": "^2.1.2",
-        "semver": "^7.6.3"
+        "semver": "^7.7.3"
       },
       "engines": {
         "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
@@ -5236,25 +5290,30 @@
         "url": "https://opencollective.com/libvips"
       },
       "optionalDependencies": {
-        "@img/sharp-darwin-arm64": "0.33.5",
+        "@img/sharp-darwin-arm64": "0.34.5",
-        "@img/sharp-darwin-x64": "0.33.5",
+        "@img/sharp-darwin-x64": "0.34.5",
-        "@img/sharp-libvips-darwin-arm64": "1.0.4",
+        "@img/sharp-libvips-darwin-arm64": "1.2.4",
-        "@img/sharp-libvips-darwin-x64": "1.0.4",
+        "@img/sharp-libvips-darwin-x64": "1.2.4",
-        "@img/sharp-libvips-linux-arm": "1.0.5",
+        "@img/sharp-libvips-linux-arm": "1.2.4",
-        "@img/sharp-libvips-linux-arm64": "1.0.4",
+        "@img/sharp-libvips-linux-arm64": "1.2.4",
-        "@img/sharp-libvips-linux-s390x": "1.0.4",
+        "@img/sharp-libvips-linux-ppc64": "1.2.4",
-        "@img/sharp-libvips-linux-x64": "1.0.4",
+        "@img/sharp-libvips-linux-riscv64": "1.2.4",
-        "@img/sharp-libvips-linuxmusl-arm64": "1.0.4",
+        "@img/sharp-libvips-linux-s390x": "1.2.4",
-        "@img/sharp-libvips-linuxmusl-x64": "1.0.4",
+        "@img/sharp-libvips-linux-x64": "1.2.4",
-        "@img/sharp-linux-arm": "0.33.5",
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4",
-        "@img/sharp-linux-arm64": "0.33.5",
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4",
-        "@img/sharp-linux-s390x": "0.33.5",
+        "@img/sharp-linux-arm": "0.34.5",
-        "@img/sharp-linux-x64": "0.33.5",
+        "@img/sharp-linux-arm64": "0.34.5",
-        "@img/sharp-linuxmusl-arm64": "0.33.5",
+        "@img/sharp-linux-ppc64": "0.34.5",
-        "@img/sharp-linuxmusl-x64": "0.33.5",
+        "@img/sharp-linux-riscv64": "0.34.5",
-        "@img/sharp-wasm32": "0.33.5",
+        "@img/sharp-linux-s390x": "0.34.5",
-        "@img/sharp-win32-ia32": "0.33.5",
+        "@img/sharp-linux-x64": "0.34.5",
-        "@img/sharp-win32-x64": "0.33.5"
+        "@img/sharp-linuxmusl-arm64": "0.34.5",
+        "@img/sharp-linuxmusl-x64": "0.34.5",
+        "@img/sharp-wasm32": "0.34.5",
+        "@img/sharp-win32-arm64": "0.34.5",
+        "@img/sharp-win32-ia32": "0.34.5",
+        "@img/sharp-win32-x64": "0.34.5"
       }
     },
     "node_modules/shebang-command": {
@@ -5356,16 +5415,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/simple-swizzle": {
-      "version": "0.2.4",
-      "resolved": "https://registry.npmjs.org/simple-swizzle/-/simple-swizzle-0.2.4.tgz",
-      "integrity": "sha512-nAu1WFPQSMNr2Zn9PGSZK9AGn4t/y97lEm+MXTtUDwfP0ksAIX4nO+6ruD9Jwut4C49SB1Ws+fbXsm/yScWOHw==",
-      "license": "MIT",
-      "optional": true,
-      "dependencies": {
-        "is-arrayish": "^0.3.1"
-      }
-    },
     "node_modules/source-map-js": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
@@ -5396,14 +5445,6 @@
         "node": ">= 0.4"
       }
     },
-    "node_modules/streamsearch": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz",
-      "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==",
-      "engines": {
-        "node": ">=10.0.0"
-      }
-    },
     "node_modules/string.prototype.includes": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/string.prototype.includes/-/string.prototype.includes-2.0.1.tgz",

apps/web/package.json

@@ -12,7 +12,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "lucide-react": "^0.460.0",
-    "next": "15.0.3",
+    "next": "^15.5.9",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "swr": "^2.3.6",
@@ -24,7 +24,7 @@
     "@types/react-dom": "^18.3.1",
     "autoprefixer": "^10.4.20",
     "eslint": "^9.15.0",
-    "eslint-config-next": "15.0.3",
+    "eslint-config-next": "^15.5.9",
     "postcss": "^8.4.49",
     "tailwindcss": "^3.4.15",
     "typescript": "^5.7.2"

docker-compose.web.secure.yml

@@ -0,0 +1,121 @@
+# DAARION Web Frontend - SECURE Docker Compose
+# Hardened configuration post-security incident
+# Version: 2.0.0
+# Created: 2026-01-09
+
+version: '3.8'
+
+services:
+  web:
+    build:
+      context: ./apps/web
+      dockerfile: Dockerfile.secure
+      # Prevent cache from potentially compromised layers
+      no_cache: true
+    container_name: daarion-web
+    
+    # ⚠️ SECURITY: Changed from "unless-stopped" to "no"
+    # Only enable after security verification
+    restart: "no"
+    
+    # Port mapping - internal only via reverse proxy
+    ports:
+      - "127.0.0.1:3000:3000"  # Bind to localhost only!
+    
+    environment:
+      - NODE_ENV=production
+      - INTERNAL_API_URL=http://daarion-city-service:7001
+      - CITY_API_BASE_URL=http://daarion-city-service:7001
+      - AUTH_API_URL=http://daarion-auth:8080
+      - NEXT_PUBLIC_API_BASE_URL=
+      - NEXT_PUBLIC_CITY_API_BASE_URL=
+    
+    # ============================================
+    # SECURITY HARDENING
+    # ============================================
+    
+    # Read-only root filesystem
+    read_only: true
+    
+    # Temporary filesystems for Next.js cache
+    tmpfs:
+      - /tmp:size=64M,mode=1777
+      - /app/.next/cache:size=128M,mode=1777
+    
+    # Drop all Linux capabilities
+    cap_drop:
+      - ALL
+    
+    # Add only necessary capabilities (none needed for Next.js)
+    # cap_add:
+    #   - NET_BIND_SERVICE  # Only if binding to port < 1024
+    
+    # Security options
+    security_opt:
+      - no-new-privileges:true
+    
+    # Resource limits to prevent crypto mining
+    deploy:
+      resources:
+        limits:
+          cpus: '1.0'
+          memory: 512M
+        reservations:
+          cpus: '0.25'
+          memory: 128M
+    
+    # Disable privileged mode
+    privileged: false
+    
+    # User namespace
+    user: "1001:1001"
+    
+    # Network configuration
+    networks:
+      - dagi-network
+    
+    # Health check
+    healthcheck:
+      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000', (r) => process.exit(r.statusCode < 400 ? 0 : 1))"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    
+    # Logging configuration
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+    
+    # Labels for monitoring
+    labels:
+      - "security.hardened=true"
+      - "security.incident=post-recovery"
+      - "security.scan-required=true"
+
+networks:
+  dagi-network:
+    external: true
+
+# ============================================
+# DEPLOYMENT NOTES
+# ============================================
+# 
+# 1. Build with no-cache:
+#    docker compose -f docker-compose.web.secure.yml build --no-cache
+#
+# 2. Scan image before deployment:
+#    trivy image daarion-web:latest
+#
+# 3. Test locally first:
+#    docker compose -f docker-compose.web.secure.yml up -d
+#    docker logs -f daarion-web
+#
+# 4. Monitor for 15+ minutes:
+#    docker stats daarion-web
+#    docker exec daarion-web ps aux
+#
+# 5. After verification, change restart to "unless-stopped"
+# ============================================

scripts/deploy-daarion-web-node1.sh

@@ -0,0 +1,175 @@
+#!/bin/bash
+# ============================================
+# DAARION Web - NODE1 Production Deployment
+# Version: 1.0.0
+# Created: 2026-01-09
+# Purpose: Deploy secure daarion-web to NODE1
+# ============================================
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Configuration
+NODE1_IP="144.76.224.179"
+NODE1_USER="root"
+PROJECT_DIR="/opt/microdao-daarion"
+LOCAL_DIR="/Users/apple/github-projects/microdao-daarion"
+IMAGE_NAME="daarion-web"
+IMAGE_TAG="secure-$(date +%Y%m%d)"
+
+echo -e "${BLUE}============================================${NC}"
+echo -e "${BLUE}  DAARION Web - NODE1 Production Deployment${NC}"
+echo -e "${BLUE}============================================${NC}"
+echo ""
+echo -e "${YELLOW}⚠️  TARGET: ${NODE1_USER}@${NODE1_IP}${NC}"
+echo ""
+
+# ============================================
+# Step 1: Pre-deployment checks
+# ============================================
+echo -e "${YELLOW}[1/6] Pre-deployment checks...${NC}"
+
+# Check SSH connectivity
+if ! ssh -o ConnectTimeout=5 ${NODE1_USER}@${NODE1_IP} "echo 'SSH OK'" 2>/dev/null; then
+    echo -e "${RED}ERROR: Cannot connect to NODE1 via SSH${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ SSH connection OK${NC}"
+
+# ============================================
+# Step 2: Sync updated files to NODE1
+# ============================================
+echo -e "${YELLOW}[2/6] Syncing files to NODE1...${NC}"
+
+# Sync web app directory
+rsync -avz --delete \
+    "${LOCAL_DIR}/apps/web/" \
+    "${NODE1_USER}@${NODE1_IP}:${PROJECT_DIR}/apps/web/" \
+    --exclude 'node_modules' \
+    --exclude '.next'
+
+# Sync docker-compose
+scp "${LOCAL_DIR}/docker-compose.web.secure.yml" \
+    "${NODE1_USER}@${NODE1_IP}:${PROJECT_DIR}/"
+
+# Sync scripts
+scp "${LOCAL_DIR}/scripts/rebuild-daarion-web-secure.sh" \
+    "${NODE1_USER}@${NODE1_IP}:${PROJECT_DIR}/scripts/"
+
+echo -e "${GREEN}✓ Files synced${NC}"
+
+# ============================================
+# Step 3: Install dependencies on NODE1
+# ============================================
+echo -e "${YELLOW}[3/6] Installing dependencies on NODE1...${NC}"
+
+ssh ${NODE1_USER}@${NODE1_IP} << 'ENDSSH'
+cd /opt/microdao-daarion/apps/web
+npm ci --only=production --ignore-scripts 2>/dev/null || npm install --only=production --ignore-scripts
+npm audit || true
+ENDSSH
+
+echo -e "${GREEN}✓ Dependencies installed${NC}"
+
+# ============================================
+# Step 4: Build secure image on NODE1
+# ============================================
+echo -e "${YELLOW}[4/6] Building secure Docker image on NODE1...${NC}"
+
+ssh ${NODE1_USER}@${NODE1_IP} << ENDSSH
+cd /opt/microdao-daarion
+
+# Stop old container
+docker stop daarion-web 2>/dev/null || true
+docker rm daarion-web 2>/dev/null || true
+
+# Remove old images (CRITICAL for security)
+docker images | grep daarion-web | awk '{print \$3}' | xargs -r docker rmi -f 2>/dev/null || true
+
+# Clear build cache
+docker builder prune -f 2>/dev/null || true
+
+# Build new secure image
+docker build \
+    --no-cache \
+    --pull \
+    -t ${IMAGE_NAME}:${IMAGE_TAG} \
+    -t ${IMAGE_NAME}:latest \
+    -f apps/web/Dockerfile.secure \
+    apps/web/
+ENDSSH
+
+echo -e "${GREEN}✓ Image built on NODE1${NC}"
+
+# ============================================
+# Step 5: Security scan on NODE1
+# ============================================
+echo -e "${YELLOW}[5/6] Running security scan on NODE1...${NC}"
+
+ssh ${NODE1_USER}@${NODE1_IP} << ENDSSH
+# Install Trivy if not present
+if ! command -v trivy &> /dev/null; then
+    echo "Installing Trivy..."
+    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+fi
+
+# Run security scan
+trivy image --severity HIGH,CRITICAL ${IMAGE_NAME}:${IMAGE_TAG}
+ENDSSH
+
+echo -e "${GREEN}✓ Security scan completed${NC}"
+
+# ============================================
+# Step 6: Deploy container
+# ============================================
+echo -e "${YELLOW}[6/6] Deploying secure container...${NC}"
+
+ssh ${NODE1_USER}@${NODE1_IP} << 'ENDSSH'
+cd /opt/microdao-daarion
+
+# Create network if not exists
+docker network create dagi-network 2>/dev/null || true
+
+# Deploy with secure compose file
+docker compose -f docker-compose.web.secure.yml up -d
+
+# Wait for startup
+sleep 10
+
+# Check status
+docker ps | grep daarion-web
+docker logs --tail 20 daarion-web
+ENDSSH
+
+echo -e "${GREEN}✓ Container deployed${NC}"
+
+# ============================================
+# Summary
+# ============================================
+echo ""
+echo -e "${BLUE}============================================${NC}"
+echo -e "${GREEN}  DEPLOYMENT COMPLETED${NC}"
+echo -e "${BLUE}============================================${NC}"
+echo ""
+echo -e "Image: ${IMAGE_NAME}:${IMAGE_TAG}"
+echo -e "Node: ${NODE1_IP}"
+echo ""
+echo -e "${YELLOW}MONITORING COMMANDS:${NC}"
+echo "  ssh ${NODE1_USER}@${NODE1_IP} docker logs -f daarion-web"
+echo "  ssh ${NODE1_USER}@${NODE1_IP} docker stats daarion-web"
+echo "  ssh ${NODE1_USER}@${NODE1_IP} 'docker exec daarion-web ps aux'"
+echo ""
+echo -e "${RED}⚠️  MONITOR FOR 30+ MINUTES BEFORE ENABLING AUTO-RESTART!${NC}"
+echo ""
+echo "To enable auto-restart after verification:"
+echo "  ssh ${NODE1_USER}@${NODE1_IP}"
+echo "  vim /opt/microdao-daarion/docker-compose.web.secure.yml"
+echo "  # Change: restart: \"no\" → restart: \"unless-stopped\""
+echo "  docker compose -f docker-compose.web.secure.yml up -d"

scripts/rebuild-daarion-web-secure.sh

@@ -0,0 +1,201 @@
+#!/bin/bash
+# ============================================
+# DAARION Web - Secure Rebuild Script
+# Version: 1.0.0
+# Created: 2026-01-09
+# Purpose: Rebuild daarion-web with security hardening
+# ============================================
+
+set -e
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Configuration
+PROJECT_DIR="/Users/apple/github-projects/microdao-daarion"
+WEB_DIR="${PROJECT_DIR}/apps/web"
+IMAGE_NAME="daarion-web"
+IMAGE_TAG="secure-$(date +%Y%m%d-%H%M%S)"
+COMPOSE_FILE="${PROJECT_DIR}/docker-compose.web.secure.yml"
+
+echo -e "${BLUE}============================================${NC}"
+echo -e "${BLUE}  DAARION Web - Secure Rebuild Script${NC}"
+echo -e "${BLUE}============================================${NC}"
+echo ""
+
+# ============================================
+# Step 1: Pre-flight checks
+# ============================================
+echo -e "${YELLOW}[1/7] Pre-flight checks...${NC}"
+
+# Check Docker
+if ! command -v docker &> /dev/null; then
+    echo -e "${RED}ERROR: Docker is not installed${NC}"
+    exit 1
+fi
+
+# Check Trivy
+if ! command -v trivy &> /dev/null; then
+    echo -e "${YELLOW}WARNING: Trivy not found. Installing...${NC}"
+    brew install trivy 2>/dev/null || {
+        echo -e "${YELLOW}Installing Trivy via script...${NC}"
+        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+    }
+fi
+
+echo -e "${GREEN}✓ Pre-flight checks passed${NC}"
+
+# ============================================
+# Step 2: Clean old images and containers
+# ============================================
+echo -e "${YELLOW}[2/7] Cleaning old images and containers...${NC}"
+
+# Stop and remove existing container
+docker stop ${IMAGE_NAME} 2>/dev/null || true
+docker rm ${IMAGE_NAME} 2>/dev/null || true
+
+# Remove old images (keep none to prevent cache poisoning)
+docker images | grep ${IMAGE_NAME} | awk '{print $3}' | xargs -r docker rmi -f 2>/dev/null || true
+
+# Clear build cache
+docker builder prune -f 2>/dev/null || true
+
+echo -e "${GREEN}✓ Cleanup completed${NC}"
+
+# ============================================
+# Step 3: Audit npm dependencies
+# ============================================
+echo -e "${YELLOW}[3/7] Auditing npm dependencies...${NC}"
+
+cd "${WEB_DIR}"
+
+# Run npm audit
+echo "Running npm audit..."
+npm audit --audit-level=high 2>&1 || {
+    echo -e "${YELLOW}WARNING: npm audit found issues. Review above.${NC}"
+    read -p "Continue anyway? (y/N) " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo -e "${RED}Aborted by user${NC}"
+        exit 1
+    fi
+}
+
+echo -e "${GREEN}✓ npm audit completed${NC}"
+
+# ============================================
+# Step 4: Build secure image
+# ============================================
+echo -e "${YELLOW}[4/7] Building secure Docker image...${NC}"
+
+cd "${PROJECT_DIR}"
+
+# Build with no-cache to prevent layer poisoning
+docker build \
+    --no-cache \
+    --pull \
+    -t ${IMAGE_NAME}:${IMAGE_TAG} \
+    -t ${IMAGE_NAME}:latest \
+    -f "${WEB_DIR}/Dockerfile.secure" \
+    "${WEB_DIR}"
+
+echo -e "${GREEN}✓ Image built: ${IMAGE_NAME}:${IMAGE_TAG}${NC}"
+
+# ============================================
+# Step 5: Security scanning with Trivy
+# ============================================
+echo -e "${YELLOW}[5/7] Running Trivy security scan...${NC}"
+
+echo "Scanning for vulnerabilities..."
+trivy image --severity HIGH,CRITICAL ${IMAGE_NAME}:${IMAGE_TAG}
+
+SCAN_EXIT=$?
+if [ $SCAN_EXIT -ne 0 ]; then
+    echo -e "${RED}WARNING: Trivy found HIGH/CRITICAL vulnerabilities!${NC}"
+    read -p "Continue deployment? (y/N) " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo -e "${RED}Aborted by user${NC}"
+        exit 1
+    fi
+fi
+
+# Full scan report
+echo "Generating full scan report..."
+trivy image --format json -o "${PROJECT_DIR}/logs/trivy-scan-${IMAGE_TAG}.json" ${IMAGE_NAME}:${IMAGE_TAG}
+
+echo -e "${GREEN}✓ Security scan completed${NC}"
+echo -e "   Report: ${PROJECT_DIR}/logs/trivy-scan-${IMAGE_TAG}.json"
+
+# ============================================
+# Step 6: Test container locally
+# ============================================
+echo -e "${YELLOW}[6/7] Testing container locally...${NC}"
+
+# Start container
+docker compose -f "${COMPOSE_FILE}" up -d
+
+echo "Waiting for container to start..."
+sleep 10
+
+# Check container is running
+if ! docker ps | grep -q ${IMAGE_NAME}; then
+    echo -e "${RED}ERROR: Container failed to start${NC}"
+    docker logs ${IMAGE_NAME}
+    exit 1
+fi
+
+# Check health
+echo "Checking container health..."
+for i in {1..5}; do
+    HEALTH=$(docker inspect --format='{{.State.Health.Status}}' ${IMAGE_NAME} 2>/dev/null || echo "unknown")
+    echo "  Health status: $HEALTH"
+    if [ "$HEALTH" == "healthy" ]; then
+        break
+    fi
+    sleep 5
+done
+
+# Check for suspicious processes
+echo "Checking for suspicious processes..."
+docker exec ${IMAGE_NAME} ps aux 2>/dev/null || echo "(ps not available - expected in hardened container)"
+
+# Check CPU usage (should be low)
+echo "Monitoring CPU usage for 30 seconds..."
+for i in {1..6}; do
+    docker stats --no-stream --format "{{.Name}}: CPU {{.CPUPerc}}, MEM {{.MemUsage}}" ${IMAGE_NAME}
+    sleep 5
+done
+
+echo -e "${GREEN}✓ Container test passed${NC}"
+
+# ============================================
+# Step 7: Summary
+# ============================================
+echo ""
+echo -e "${BLUE}============================================${NC}"
+echo -e "${GREEN}  BUILD COMPLETED SUCCESSFULLY${NC}"
+echo -e "${BLUE}============================================${NC}"
+echo ""
+echo -e "Image: ${IMAGE_NAME}:${IMAGE_TAG}"
+echo -e "Container: ${IMAGE_NAME}"
+echo -e "Status: Running"
+echo ""
+echo -e "${YELLOW}NEXT STEPS:${NC}"
+echo "1. Monitor container for 15+ minutes:"
+echo "   docker logs -f ${IMAGE_NAME}"
+echo "   docker stats ${IMAGE_NAME}"
+echo ""
+echo "2. If stable, deploy to production:"
+echo "   - Copy image to NODE1: docker save ${IMAGE_NAME}:${IMAGE_TAG} | ssh root@144.76.224.179 docker load"
+echo "   - Or rebuild on NODE1 using Dockerfile.secure"
+echo ""
+echo "3. Enable auto-restart after verification:"
+echo "   - Edit docker-compose.web.secure.yml"
+echo "   - Change restart: \"no\" to restart: \"unless-stopped\""
+echo ""
+echo -e "${RED}⚠️  DO NOT deploy to production without 15+ min monitoring!${NC}"