690418:1638 Refactor Infra gitea

README.md

@@ -3,27 +3,30 @@
 > **Laem Chabang Port Phase 3 - Document Management System**
 > ระบบบริหารจัดการเอกสารโครงการแบบครบวงจร สำหรับโครงการก่อสร้างท่าเรือแหลมฉบังระยะที่ 3
 
-[![Version](https://img.shields.io/badge/version-1.8.7-blue.svg)](./CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-1.8.9-blue.svg)](./CHANGELOG.md)
 [![License](https://img.shields.io/badge/license-Internal-red.svg)]()
 [![Status](https://img.shields.io/badge/status-UAT%20Ready-brightgreen.svg)]()
 [![Docs](https://img.shields.io/badge/docs-10%2F10%20Gaps%20Closed-success.svg)](./specs/00-Overview/README.md)
 
 ---
 
-## 📈 Current Status (As of 2026-04-14)
+## 📈 Current Status (As of 2026-04-18)
 
-**Version 1.8.7 — ADR-021 Integration Complete, Production Ready (22 ADRs)**
+**Version 1.8.9 — Infrastructure Hardening Complete (27 findings → 0)**
 
-| Area                   | Status                   | หมายเหตุ                                           |
-| ---------------------- | ------------------------ | -------------------------------------------------- |
-| 🔧 **Backend**         | ✅ Production Ready      | NestJS 11, Express v5, 0 Vulnerabilities           |
-| 🎨 **Frontend**        | ✅ 100% Complete         | Next.js 16.2.0, React 19.2.4, ESLint 9             |
-| 💾 **Database**        | ✅ Schema v1.8.0 Stable  | MariaDB 11.8, No-migration Policy                  |
-| 📘 **Documentation**   | ✅ **10/10 Gaps Closed** | Product Vision → Release Policy                    |
-| 🤖 **AI Migration**    | 🔄 Pre-migration Setup   | n8n + Ollama (ADR-017/018)                         |
-| 🔄 **Workflow Engine** | ✅ ADR-021 Integrated    | Transmittals & Circulation with Integrated Context |
-| 🧪 **Testing**         | 🔄 UAT Preparation       | E2E + Acceptance Criteria ready                    |
-| 🚀 **Deployment**      | 📋 Pending Go-Live Gate  | Blue-Green on QNAP Container Station               |
+> v1.8.7 (ADR-021 Integration) + v1.8.8 (Workflow Attachments) shipped Apr 14; v1.8.9 (Compose stack hardening) shipped Apr 18.
+
+| Area                   | Status                   | หมายเหตุ                                                           |
+| ---------------------- | ------------------------ | ------------------------------------------------------------------ |
+| 🔧 **Backend**         | ✅ Production Ready      | NestJS 11, Express v5, 0 Vulnerabilities                           |
+| 🎨 **Frontend**        | ✅ 100% Complete         | Next.js 16.2.0, React 19.2.4, ESLint 9                             |
+| 💾 **Database**        | ✅ Schema v1.8.0 Stable  | MariaDB 11.8, No-migration Policy                                  |
+| 📘 **Documentation**   | ✅ **10/10 Gaps Closed** | Product Vision → Release Policy                                    |
+| 🤖 **AI Migration**    | 🔄 Pre-migration Setup   | n8n + Ollama (ADR-017/018)                                         |
+| 🔄 **Workflow Engine** | ✅ ADR-021 Integrated    | Transmittals & Circulation with Integrated Context                 |
+| 🧪 **Testing**         | 🔄 UAT Preparation       | E2E + Acceptance Criteria ready                                    |
+| 🚀 **Deployment**      | 📋 Pending Go-Live Gate  | Blue-Green on QNAP Container Station                               |
+| 🔒 **Infrastructure**  | ✅ Hardened (v1.8.9)     | Compose stacks audited; secrets, auth, container hardening applied |
 
 ---
 
@@ -627,13 +630,14 @@ pnpm test:e2e         # Playwright E2E
 
 ### Security Features
 
-- ✅ **JWT Authentication** - Access & Refresh Tokens
+- ✅ **JWT Authentication** - Access & Refresh Tokens (separate `AUTH_SECRET`)
 - ✅ **RBAC 4-Level** - Global, Organization, Project, Contract
 - ✅ **Rate Limiting** - ป้องกัน Brute-force
-- ✅ **Virus Scanning** - ClamAV สำหรับไฟล์ที่อัปโหลด
+- ✅ **Virus Scanning** - ClamAV สำหรับไฟล์ที่อัปโหลด (mandatory)
 - ✅ **Input Validation** - ป้องกัน SQL Injection, XSS, CSRF
 - ✅ **Idempotency** - ป้องกันการทำรายการซ้ำ
 - ✅ **Audit Logging** - บันทึกการกระทำทั้งหมด
+- ✅ **Container Hardening (v1.8.9)** - `read_only`, `cap_drop: [ALL]`, `no-new-privileges`, non-root `user:`, pinned image tags, MongoDB + Registry auth
 
 ### Security Best Practices
 
@@ -765,6 +769,17 @@ This project is **Internal Use Only** - ลิขสิทธิ์เป็น
 
 ## 🗺️ Roadmap
 
+### ✅ Version 1.8.9 (Apr 2026) — Infrastructure Hardening
+
+**Docker Compose stacks fully hardened — 27 findings across 4 phases:**
+
+- ✅ **Phase 1 (C1–C6 + H6):** Secrets extracted to `env_file`; JWT_SECRET/AUTH_SECRET split; Redis `--requirepass`; Elasticsearch internal-only; MariaDB root/app user split; ClamAV service added; filename typo fixed
+- ✅ **Phase 2 (H1–H5, H7):** n8n docker-socket-proxy (read-only); ASUSTOR cAdvisor port fix; QNAP exporters expose-only; all `:latest` tags pinned to verified semver
+- ✅ **Phase 3 (M1–M9):** Healthchecks + resource limits on all services; backend/frontend `read_only` + `cap_drop: [ALL]` + non-root `user`; MongoDB `--auth --keyFile`; Registry htpasswd auth; phpMyAdmin via NPM only
+- ✅ **Phase 4 (L1–L5 + S1–S4):** Removed `stdin_open`/`tty` from production services; trimmed legacy comments; shared `x-base.yml` anchors; per-stack `.env.example`; secret-manager roadmap (Swarm / Infisical / SOPS)
+
+**New files:** `specs/04-Infrastructure-OPS/04-00-docker-compose/README.md`, `SECURITY-MIGRATION-v1.8.6.md`, `x-base.yml`, 9 per-stack `.env.example` files.
+
 ### ✅ Version 1.8.7 (Apr 2026) — ADR-021 Integration Complete
 
 - ✅ ADR-021 (Integrated Workflow Context) — Transmittals & Circulation workflow integration