fix: production deployment blockers and security gaps

backend/Dockerfile

@@ -23,7 +23,7 @@ USER appuser
 EXPOSE 8000
 
 # Production Command: Run Alembic migrations, then start Gunicorn with Uvicorn workers
-# -w 4: Use 4 worker processes (adjust based on CPU cores)
+# -w ${GUNICORN_WORKERS:-2}: Worker count (default 2; set GUNICORN_WORKERS env var to tune)
 # -k uvicorn.workers.UvicornWorker: Use async workers
 # --bind 0.0.0.0:8000: Listen on all interfaces
-CMD ["sh", "-c", "cd /app/backend && alembic upgrade head && cd /app && gunicorn -w 4 -k uvicorn.workers.UvicornWorker backend.app:app --bind 0.0.0.0:8000"]
+CMD ["sh", "-c", "cd /app/backend && alembic upgrade head && cd /app && gunicorn -w ${GUNICORN_WORKERS:-2} -k uvicorn.workers.UvicornWorker backend.app:app --bind 0.0.0.0:8000"]

backend/alembic.ini

@@ -84,7 +84,9 @@ path_separator = os
 # database URL.  This is consumed by the user-maintained env.py script only.
 # other means of configuring database URLs may be customized within the env.py
 # file.
-sqlalchemy.url = driver://user:pass@localhost/dbname
+# database URL is set at runtime by migrations/env.py from the DATABASE_URL env var.
+# Do NOT set it here; the value below is intentionally blank.
+sqlalchemy.url =
 
 
 [post_write_hooks]

backend/routes/posts.py

@@ -105,12 +105,15 @@
     publish_limiter = None
 
 try:
-    from middleware.clerk_auth import get_current_user
+    from middleware.clerk_auth import get_current_user, require_auth
 except ImportError:
     logger.error("clerk_auth_import_failed", detail="Authentication middleware unavailable - all authenticated endpoints will reject requests")
     async def get_current_user():
         """Fallback that rejects all requests when auth middleware is unavailable."""
         raise HTTPException(status_code=503, detail="Authentication service unavailable")
+    async def require_auth():
+        """Fallback that rejects all requests when auth middleware is unavailable."""
+        raise HTTPException(status_code=503, detail="Authentication service unavailable")
 
 from services.db import get_database
 from repositories.posts import PostRepository
@@ -157,11 +160,11 @@ class BatchGenerateRequest(BaseModel):
 @router.post("/generate-preview")
 async def generate_preview(
     req: GenerateRequest,
-    current_user: dict = Depends(get_current_user)
+    current_user: dict = Depends(require_auth)
 ):
     """Generate an AI post preview from context.
 
-    Rate limited to 10 requests per hour per user to prevent abuse.
+    Requires authentication. Rate limited to 10 requests per hour per user to prevent abuse.
 
     Supports multiple AI providers with tier enforcement:
     - Free tier: Always routes to Groq (fast, free)
@@ -172,12 +175,8 @@ async def generate_preview(
         if not generate_post_with_ai:
             raise HTTPException(status_code=503, detail="AI service not available")
 
-    # Use authenticated user_id if available, otherwise fall back to request body
-    user_id = None
-    if current_user and current_user.get("user_id"):
-        user_id = current_user["user_id"]
-    elif req.user_id:
-        user_id = req.user_id
+    # Use the authenticated user's ID only — req.user_id is ignored to prevent impersonation
+    user_id = current_user["user_id"]
 
     # Rate limiting check (10 requests/hour for AI generation)
     if RATE_LIMITING_ENABLED and post_generation_limiter and user_id:

render.yaml

@@ -216,9 +216,11 @@ services:
       - key: NEXT_PUBLIC_API_URL
         sync: false
 
-      # Clerk Authentication (public key)
+      # Clerk Authentication
       - key: NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
         sync: false
+      - key: CLERK_SECRET_KEY
+        sync: false
 
       # OAuth Redirect URI
       - key: NEXT_PUBLIC_REDIRECT_URI

services/ai_service.py

@@ -70,7 +70,7 @@
 OPENAI_API_KEY = os.getenv('OPENAI_API_KEY', '')
 ANTHROPIC_API_KEY = os.getenv('ANTHROPIC_API_KEY', '')
 MISTRAL_API_KEY = os.getenv('MISTRAL_API_KEY', '')
-GITHUB_USERNAME = os.getenv('GITHUB_USERNAME', 'cliff-de-tech')
+GITHUB_USERNAME = os.getenv('GITHUB_USERNAME', '')
 
 # Model configurations
 GROQ_MODEL = "llama-3.3-70b-versatile"

services/encryption.py

@@ -51,7 +51,8 @@
 # SECURITY: Determine environment mode
 # - "production" = strict mode, encryption required
 # - "development" or unset = permissive mode for local dev
-ENV = os.getenv('ENV', 'development').lower()
+# Check both ENV and ENVIRONMENT (render.yaml/docker-compose set ENVIRONMENT=production)
+ENV = os.getenv('ENV', os.getenv('ENVIRONMENT', 'development')).lower()
 IS_PRODUCTION = ENV == 'production'
 
 # Load encryption key from environment

web/next.config.js

@@ -2,6 +2,9 @@
 const nextConfig = {
   reactStrictMode: true,
 
+  // Required for Docker standalone deployment (copies server.js + minimal deps)
+  output: 'standalone',
+
   // Enable gzip compression
   compress: true,
 
@@ -42,6 +45,7 @@ const nextConfig = {
           { key: 'X-Content-Type-Options', value: 'nosniff' },
           { key: 'Referrer-Policy', value: 'origin-when-cross-origin' },
           { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+          { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
           { 
             key: 'Content-Security-Policy', 
             value: "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://cdn.clerk.io https://*.clerk.accounts.dev; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://images.unsplash.com https://media.licdn.com https://img.clerk.com; connect-src 'self' https://*.clerk.accounts.dev https://api.clerk.io " + (process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8000') + "; font-src 'self'; frame-src 'self' https://*.clerk.accounts.dev;"