fix: fresh clone + filtered pnpm install in frontend stage to cut peak RSS

Root cause: COPY --from=stage1 /build /build in Stage 2 imports ~2 GB of
node_modules (3817 packages). OS page-caches the unpacked tree; webpack then
traverses the full module graph on top → combined RSS exceeds builder cgroup
limit → OOMKilled (exit 137) even with a separate build stage.

Fix: Stage 2 does a fresh git clone and installs only the frontend package's
dependency tree (pnpm --filter "./apps/frontend..."). This skips NestJS,
Prisma, bcrypt, Bull, and other server-only packages, producing a much smaller
node_modules → lower OS page-cache pressure → next build fits in RAM.

Also adds swcMinify: false to force Terser (pure JS, V8-heap-bounded) over the
native SWC binary, which adds RSS outside the V8 heap limit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Dockerfile

@@ -3,33 +3,33 @@
 #
 # Three-stage build to beat the HF Space builder memory limit:
 #
-#   Stage 1 (postiz-builder):  clone, patch, install deps,
-#                               build backend + workers + cron.
-#   Stage 2 (postiz-frontend): copy tree from Stage 1, build ONLY the
-#                               Next.js frontend in a clean process.
-#                               Stage 1's processes are dead → their RSS
-#                               is fully freed before `next build` starts.
-#   Stage 3 (runtime):         copy server build from Stage 1,
-#                               overlay frontend .next from Stage 2.
+#   Stage 1 (postiz-builder):   clone → patch → full install →
+#                                build backend + workers + cron
+#   Stage 2 (postiz-frontend):  fresh clone → patch → FILTERED install
+#                                (frontend dep tree only, skips NestJS/
+#                                Prisma/bcrypt/etc.) → build Next.js
+#   Stage 3 (runtime):          COPY server build from Stage 1
+#                                overlay .next from Stage 2
 #
-# Why three stages (not two):
-#   Three NestJS builds (backend+workers+cron) leave ~1-2 GB of residual
-#   RSS in the same container even after each `pnpm run build:*` exits,
-#   because the OS hasn't reclaimed all pages. `next build` alone needs
-#   ~3-4 GB RSS (V8 heap + SWC + native addons). Together they exceed
-#   the HF builder cgroup limit → OOMKilled (exit 137).
-#   Splitting frontend into its own stage gives it a clean address space.
+# Why fresh clone in Stage 2 (not COPY from Stage 1):
+#   COPY --from=stage1 /build /build copies ~2 GB of node_modules (3817
+#   packages). BuildKit decompresses that as a layer; the OS page-caches it.
+#   Then next build loads its own module graph on top. Combined RSS exceeds
+#   the builder cgroup limit → exit 137 OOMKilled.
+#   A filtered pnpm install in a fresh Stage 2 pulls only the frontend
+#   package's npm dependency tree — maybe 30-50% of the full install —
+#   so peak RSS stays within limits.
 #
 # Container layout at runtime:
-#   - nginx (port 5000, internal)        — Postiz frontend + backend + uploads
-#   - PM2 → 4 Postiz procs (backend/frontend/workers/cron)
+#   - nginx (port 5000, internal)         — Postiz frontend + backend + uploads
+#   - PM2 → 4 Postiz procs (backend / frontend / workers / cron)
 #   - postgres (port 5432, internal)
 #   - redis    (port 6379, internal)
-#   - postiz-sync.py loop                — backup DB + uploads to HF Dataset
+#   - postiz-sync.py loop                 — backup DB + uploads to HF Dataset
 #   - health-server.js (port 7860, public) — dashboard + reverse proxy
 # ============================================================================
 
-# ── Stage 1: Clone, patch, install deps, build server apps ───────────────────
+# ── Stage 1: Clone, patch, full install, build server apps ───────────────────
 FROM node:22.20-alpine AS postiz-builder
 
 WORKDIR /build
@@ -49,22 +49,25 @@ RUN npm install -g pnpm@10.6.1
 # Pinned to v2.11.3 — last release before Temporal became a hard requirement.
 RUN git clone --depth=1 --branch v2.11.3 https://github.com/gitroomhq/postiz-app.git .
 
-# Patch Next.js config:
-#   1. basePath/assetPrefix=/app  → Postiz UI mounts at /app; dashboard owns /
-#   2. productionBrowserSourceMaps: false  → saves ~500 MB RSS during emit
-#   3. Sentry sourcemap plugin: disable: true  → saves another ~300 MB
-#   4. experimental.cpus=1 + workerThreads=false  → single-thread webpack;
-#      no parallel worker copies of the module graph in memory
-RUN sed -i "s|const nextConfig = {|const nextConfig = {\n  basePath: '/app',\n  assetPrefix: '/app',|" apps/frontend/next.config.js \
+# Patch Next.js config (applied here so Stage 2's fresh clone also patches).
+# Stage 2 re-applies the same sed commands on its own clone.
+#   1. basePath/assetPrefix=/app  → Postiz UI at /app; dashboard owns /
+#   2. productionBrowserSourceMaps: false  → shaves ~500 MB RSS during emit
+#   3. Sentry sourcemap plugin: disable: true  → saves ~300 MB
+#   4. swcMinify: false  → forces Terser (pure JS, V8-heap-bounded) instead
+#      of the native SWC binary that adds RSS outside the V8 heap limit
+#   5. experimental.cpus=1 + workerThreads=false  → single-thread webpack;
+#      no parallel worker copies of the module graph eating extra RAM
+RUN sed -i "s|const nextConfig = {|const nextConfig = {\n  basePath: '/app',\n  assetPrefix: '/app',\n  swcMinify: false,|" apps/frontend/next.config.js \
     && sed -i "s|productionBrowserSourceMaps: true|productionBrowserSourceMaps: false|" apps/frontend/next.config.js \
     && sed -i "s|disable: false,|disable: true,|" apps/frontend/next.config.js \
     && sed -i "s|experimental: {|experimental: {\n    cpus: 1,\n    workerThreads: false,|" apps/frontend/next.config.js \
     && grep -q "basePath: '/app'" apps/frontend/next.config.js \
     && grep -q "productionBrowserSourceMaps: false" apps/frontend/next.config.js \
+    && grep -q "swcMinify: false" apps/frontend/next.config.js \
     && grep -q "cpus: 1" apps/frontend/next.config.js \
     || (echo "PATCH FAILED — next.config.js shape changed upstream"; exit 1)
 
-# Sentry env stubs — keep transitive Sentry imports from doing network calls.
 ENV SENTRY_DSN="" \
     SENTRY_AUTH_TOKEN="" \
     SENTRY_ORG="" \
@@ -73,44 +76,56 @@ ENV SENTRY_DSN="" \
     NEXT_TELEMETRY_DISABLED=1 \
     NEXT_PRIVATE_SKIP_SIZE_MINIMIZATION=true
 
-# Install all deps (shared pnpm virtual store for all workspace packages).
+# Full install — backend, workers, cron all need the complete dep tree.
 RUN pnpm install --frozen-lockfile=false
 
-# Build server-side apps sequentially at 3 GB heap each.
-# Frontend is intentionally excluded — built in its own stage below.
+# Build server-side apps only. Frontend is built in its own isolated stage.
 RUN NODE_OPTIONS="--max-old-space-size=3072" pnpm run build:backend
 RUN NODE_OPTIONS="--max-old-space-size=3072" pnpm run build:workers
 RUN NODE_OPTIONS="--max-old-space-size=3072" pnpm run build:cron
 
-# Clean up dev artefacts before Stage 3 copies this tree into the runtime image.
+# Remove dev artefacts before Stage 3 copies this tree into the runtime image.
 RUN find . -name ".git" -type d -prune -exec rm -rf {} + 2>/dev/null || true \
  && rm -rf .github reports Jenkins .devcontainer 2>/dev/null || true
 
 
-# ── Stage 2: Build Next.js frontend in isolation ──────────────────────────────
+# ── Stage 2: Build Next.js frontend with minimal dep tree ────────────────────
 FROM node:22.20-alpine AS postiz-frontend
 
 WORKDIR /build
 
-# pnpm must be present to run workspace scripts.
+RUN apk add --no-cache git bash
 RUN npm install -g pnpm@10.6.1
 
-# Copy the full build tree from Stage 1:
-#   - patched apps/frontend/next.config.js
-#   - node_modules (pnpm virtual store, all symlinks intact within the tree)
-#   - already-built server apps (needed for any cross-package type references)
-# Stage 1's processes are dead here → its RSS is freed by the OS.
-# next build therefore starts with a clean address space.
-COPY --from=postiz-builder /build /build
-
-ENV NEXT_TELEMETRY_DISABLED=1 \
-    NEXT_PRIVATE_SKIP_SIZE_MINIMIZATION=true \
-    SENTRY_DSN="" \
+# Fresh clone — gives a clean slate with no Stage 1 memory residue.
+RUN git clone --depth=1 --branch v2.11.3 https://github.com/gitroomhq/postiz-app.git .
+
+# Apply the same patches as Stage 1.
+RUN sed -i "s|const nextConfig = {|const nextConfig = {\n  basePath: '/app',\n  assetPrefix: '/app',\n  swcMinify: false,|" apps/frontend/next.config.js \
+    && sed -i "s|productionBrowserSourceMaps: true|productionBrowserSourceMaps: false|" apps/frontend/next.config.js \
+    && sed -i "s|disable: false,|disable: true,|" apps/frontend/next.config.js \
+    && sed -i "s|experimental: {|experimental: {\n    cpus: 1,\n    workerThreads: false,|" apps/frontend/next.config.js \
+    && grep -q "basePath: '/app'" apps/frontend/next.config.js \
+    && grep -q "swcMinify: false" apps/frontend/next.config.js \
+    && grep -q "cpus: 1" apps/frontend/next.config.js \
+    || (echo "PATCH FAILED — next.config.js shape changed upstream"; exit 1)
+
+ENV SENTRY_DSN="" \
     SENTRY_AUTH_TOKEN="" \
     SENTRY_ORG="" \
     SENTRY_PROJECT="" \
-    NEXT_PUBLIC_SENTRY_DSN=""
+    NEXT_PUBLIC_SENTRY_DSN="" \
+    NEXT_TELEMETRY_DISABLED=1 \
+    NEXT_PRIVATE_SKIP_SIZE_MINIMIZATION=true
+
+# Filtered install — pulls only packages in the frontend's dependency tree.
+# Skips NestJS, Prisma, bcrypt, Bull, and other server-only packages.
+# Results in a much smaller node_modules → less OS page cache pressure
+# → lower peak RSS during next build.
+RUN pnpm install --filter "./apps/frontend..." --frozen-lockfile=false
 
+# Build Next.js frontend in isolation.
+# Stage 1's processes are dead; Stage 2 starts with a clean address space.
 RUN NODE_OPTIONS="--max-old-space-size=3072" pnpm run build:frontend
 
 
@@ -119,8 +134,6 @@ FROM node:22.20-alpine
 
 WORKDIR /app
 
-# System deps — same set as upstream's Dockerfile.dev (bash, nginx, py3-pip)
-# plus postgres + redis + extras we need.
 RUN apk add --no-cache \
     bash \
     curl \
@@ -140,41 +153,33 @@ RUN adduser -D -g 'www' www \
     && mkdir -p /var/lib/nginx /var/log/nginx \
     && chown -R www:www /var/lib/nginx
 
-# pnpm + pm2 to run Postiz processes the same way upstream does
 RUN npm install -g pnpm@10.6.1 pm2
 
-# Python deps for HF Dataset sync
 RUN pip install --no-cache-dir --break-system-packages \
     huggingface_hub \
     PyYAML
 
-# Copy server-side build (backend + workers + cron + node_modules, cleaned).
+# Copy server build (backend + workers + cron + full node_modules, cleaned).
 COPY --from=postiz-builder /build /app
 
-# Overlay the compiled Next.js frontend from its isolated build stage.
+# Overlay the compiled Next.js frontend from the isolated build stage.
+# This overwrites the empty apps/frontend/.next placeholder in the tree above.
 COPY --from=postiz-frontend /build/apps/frontend/.next /app/apps/frontend/.next
 
 # Use upstream's nginx.conf — routes /api→3000, /uploads→fs, /→4200.
-# health-server strips /app before forwarding, so nginx sees expected paths.
 COPY --from=postiz-builder /build/var/docker/nginx.conf /etc/nginx/nginx.conf
 
-# Health-server lives outside /app so its node_modules don't collide with
-# Postiz's pnpm workspaces.
+# Health-server outside /app to avoid pnpm workspace collisions.
 RUN mkdir -p /opt/healthsrv && cd /opt/healthsrv && \
     npm init -y >/dev/null && \
     npm install --no-save --no-audit --no-fund express@4 cors morgan
 
-# Postgres/Redis/uploads dirs — all under /postiz so postiz-sync.py can
-# include them in the backup tarball.
 RUN mkdir -p /var/run/postgresql /postiz/pgdata /postiz/redis /postiz/uploads /postiz/.secrets \
     && chown -R postgres:postgres /var/run/postgresql /postiz/pgdata \
     && chmod 700 /postiz/pgdata
 
-# Symlink /uploads → /postiz/uploads so nginx's `alias /uploads/` picks up
-# media stored in the persisted tree.
 RUN ln -sf /postiz/uploads /uploads
 
-# Copy orchestration files
 COPY start.sh /opt/start.sh
 COPY health-server.js /opt/healthsrv/health-server.js
 COPY postiz-sync.py /opt/postiz-sync.py