chore(docker): unify Bun base to 1-slim, fix Debian user creation, add deploy context check

- Docker: use oven/bun:1-slim everywhere (webapp, admin, hocuspocus); drop alpine
- Webapp/admin: apt instead of apk; groupadd/useradd for non-root (Debian has no addgroup/adduser)
- CI deploy: verify packages/email-templates and Dockerfile COPY before build
- .cursor/rules/bun-monorepo.mdc: document single base image and node_modules pitfall

Made-with: Cursor

Author: HMarzban

.cursor/rules/bun-monorepo.mdc

@@ -37,6 +37,11 @@ bun run --filter '*' build
 - Node >= 24.11.0
 - Bun >= 1.3.7
 
+## Docker base image (single source of truth)
+
+- All Dockerfiles use **one tag**: `oven/bun:1-slim` (latest Bun 1.x, floating; no hardcoded patch version).
+- Same tag everywhere: do not mix `1-alpine` / `1-slim` or add a patch (e.g. `1.3.9-slim`); use `1-slim` so rebuilds get the latest 1.x automatically.
+
 ## Docker (multi-stage builds)
 
 - **Do not copy `node_modules` between stages.** Bun uses symlinks into a virtual store; copied `node_modules` in another stage break (e.g. `require('next-pwa/cache')` → MODULE_NOT_FOUND). Any stage that runs `next build`, extension builds, or loads config that requires() deps must run `bun install --frozen-lockfile` in that stage and copy only `package.json`, `bun.lock`, and workspace tree.

.github/workflows/prod.docs.plus.yml

@@ -243,6 +243,18 @@ jobs:
           echo "DEPLOY_TAG=${{ env.DEPLOY_TAG }}" >> "${{ env.ENV_FILE }}"
           echo "✅ Environment ready"
 
+      - name: 📂 Verify build context (monorepo root)
+        run: |
+          if [ ! -d packages/email-templates ]; then
+            echo "::error::packages/email-templates missing. Build context must be repo root (context: .). Check checkout and that this commit includes the workspace."
+            exit 1
+          fi
+          grep -q 'email-templates' packages/hocuspocus.server/docker/Dockerfile.bun && grep -q 'email-templates' packages/webapp/docker/Dockerfile.bun || {
+            echo "::error::Dockerfiles must COPY packages/email-templates. Merge the commit that adds @docs.plus/email-templates to prod Dockerfiles."
+            exit 1
+          }
+          echo "✅ Build context OK (repo root, email-templates present)"
+
       - name: 🏗️ Build Docker Images
         env:
           DOCKER_BUILDKIT: 1
@@ -254,7 +266,7 @@ jobs:
           source ${{ env.ENV_FILE }}
           set +a
 
-          # Build with parallel execution
+          # Build with parallel execution (must run from repo root so context: . includes packages/)
           docker compose -f ${{ env.COMPOSE_FILE }} \
             --env-file ${{ env.ENV_FILE }} \
             build --parallel

packages/admin-dashboard/docker/Dockerfile.bun

@@ -13,9 +13,12 @@
 # -----------------------------------------------------------------------------
 # Stage 1: Dependencies
 # -----------------------------------------------------------------------------
-FROM oven/bun:1-alpine AS deps
+# Use latest Bun 1.x (floating tag); same tag across all Dockerfiles for cohesion
+FROM oven/bun:1-slim AS deps
 
-RUN apk add --no-cache libc6-compat
+RUN rm -rf /var/lib/apt/lists/* && \
+    apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
@@ -28,9 +31,11 @@ RUN bun install --frozen-lockfile
 # -----------------------------------------------------------------------------
 # Stage 2: Build
 # -----------------------------------------------------------------------------
-FROM oven/bun:1-alpine AS builder
+FROM oven/bun:1-slim AS builder
 
-RUN apk add --no-cache libc6-compat nodejs
+RUN rm -rf /var/lib/apt/lists/* && \
+    apt-get update && apt-get install -y --no-install-recommends ca-certificates nodejs && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
@@ -59,9 +64,11 @@ RUN bun run build:ci
 # -----------------------------------------------------------------------------
 # Stage 3: Runner (Production)
 # -----------------------------------------------------------------------------
-FROM oven/bun:1-alpine AS runner
+FROM oven/bun:1-slim AS runner
 
-RUN apk add --no-cache libc6-compat
+RUN rm -rf /var/lib/apt/lists/* && \
+    apt-get update && apt-get install -y --no-install-recommends ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
@@ -70,9 +77,9 @@ ENV NODE_ENV=production \
     PORT=3100 \
     HOSTNAME="0.0.0.0"
 
-# Create non-root user for security
-RUN addgroup --system --gid 1001 nodejs && \
-    adduser --system --uid 1001 nextjs
+# Create non-root user for security (Debian slim: groupadd/useradd)
+RUN groupadd -r -g 1001 nodejs && \
+    useradd -r -u 1001 -g nodejs nextjs
 
 # Copy standalone build output
 # Next.js standalone creates: .next/standalone/app/server.js (monorepo structure)

packages/hocuspocus.server/docker/Dockerfile.bun

@@ -6,6 +6,7 @@
 # -----------------------------------------------------------------------------
 # Stage 1: Base - Install dependencies (monorepo layout)
 # -----------------------------------------------------------------------------
+# Use latest Bun 1.x (floating tag); same tag across all Dockerfiles for cohesion
 FROM oven/bun:1-slim AS base
 WORKDIR /app
 

packages/webapp/docker/Dockerfile.bun

@@ -13,17 +13,18 @@
 # ============================================================================
 # Stage 1: Base - Common setup
 # ============================================================================
-FROM oven/bun:1-alpine AS base
+# Use latest Bun 1.x (floating tag); same tag across all Dockerfiles for cohesion
+FROM oven/bun:1-slim AS base
 
-# Install system dependencies
-# Note: Build tools (python3, make, g++) kept for potential native dependencies
-# Most dependencies are pure JS, but some packages may have optional native modules
-RUN apk add --no-cache \
-    libc6-compat \
+# Install system dependencies (Debian slim; build tools for potential native deps)
+RUN rm -rf /var/lib/apt/lists/* && \
+    apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
     python3 \
     make \
     g++ \
-    nodejs
+    nodejs \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
@@ -156,9 +157,9 @@ ENV NODE_ENV=production \
     PORT=3000 \
     HOSTNAME="0.0.0.0"
 
-# Create non-root user
-RUN addgroup --system --gid 1001 nodejs && \
-    adduser --system --uid 1001 nextjs
+# Create non-root user (Debian slim: groupadd/useradd)
+RUN groupadd -r -g 1001 nodejs && \
+    useradd -r -u 1001 -g nodejs nextjs
 
 # Copy standalone build output to root (Next.js standalone expects to run from its own root)
 # Standalone already includes server.js, node_modules, and minimal dependencies