fix: 12-point production audit — bugs, security, perf, reliability

start.sh:
- BACKUP_DATASET_NAME/SYNC_INTERVAL defaulted before export — empty string
was passed to deerflow-sync.py causing invalid repo name (bug)
- Export FRONTEND_PORT and BACKEND_PORT so health-server.js and child
processes receive correct values from environment
- openssl JWT generation now has Python fallback — openssl CLI not
guaranteed in python:3.12-slim-bookworm slim image
- Remove dead os.environ["CORS_ORIGINS"] in Python heredoc — Python
subprocess env never propagates back to parent bash (dead code)
- Graceful shutdown uses explicit PID list instead of $(jobs -p) which
is unreliable in bash subshells
- Truncate log files on startup to prevent unbounded disk growth

health-server.js:
- sync "error" status now renders as "off" (red) not "neutral" (grey)
- Dashboard response includes Cache-Control: no-store header

nginx.conf:
- gzip compression enabled for JSON/HTML/JS — large research reports
can be 60-80% smaller over the wire
- server_tokens off — stop leaking nginx version in error responses

Dockerfile:
- Replace jq (unused) with openssl (explicit, needed for JWT generation)
- HEALTHCHECK start-period 60s → 120s — restore + backend + frontend
can legitimately take up to 2 min; 60s caused premature unhealthy marks

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -47,7 +47,7 @@ ARG NODE_MAJOR=22
 
 # Layer 1: nginx + base tools (rarely changes — stays cached)
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl ca-certificates gnupg nginx jq \
+    curl ca-certificates gnupg nginx openssl \
     && rm -rf /var/lib/apt/lists/*
 
 # Layer 2: Node.js (separate layer — apt network stall doesn't force pip re-run)
@@ -114,8 +114,8 @@ WORKDIR /app
 
 EXPOSE 7860
 
-# 60s start period — no compilation, just config generation + service startup
-HEALTHCHECK --interval=30s --timeout=10s --start-period=60s \
+# 120s start period — restore + backend + frontend startup can take up to 2 min
+HEALTHCHECK --interval=30s --timeout=10s --start-period=120s \
     CMD curl -fsS http://localhost:7860/health || exit 1
 
 CMD ["/app/start.sh"]

health-server.js

@@ -95,6 +95,7 @@ function renderDashboard({ backendUp, frontendUp, uptimeHuman, sync, keepalive }
   const appOnline   = backendUp && frontendUp;
   const syncStatus  = String(sync?.status || "unknown");
   const syncTone    = ["success","restored","synced","configured"].includes(syncStatus) ? "ok"
+                    : syncStatus === "error"    ? "off"
                     : syncStatus === "disabled" ? "warn" : "neutral";
   const kaOk        = keepalive?.configured === true;
   const kaTone      = kaOk ? "ok" : process.env.CLOUDFLARE_WORKERS_TOKEN ? "warn" : "neutral";
@@ -255,7 +256,7 @@ const server = http.createServer(async (req, res) => {
       probe(NGINX_HOST, NGINX_PORT, "/health"),
       tcpProbe(NGINX_HOST, FRONTEND_PORT),
     ]);
-    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8", "Cache-Control": "no-store" });
     return res.end(renderDashboard({
       backendUp, frontendUp,
       uptimeHuman: formatUptime(Date.now() - startTime),

nginx.conf

@@ -21,6 +21,17 @@ http {
     tcp_nopush     on;
     tcp_nodelay    on;
     keepalive_timeout 65;
+    server_tokens  off;
+
+    # Gzip — compresses API JSON, HTML, JS (big win for research reports)
+    gzip              on;
+    gzip_vary         on;
+    gzip_proxied      any;
+    gzip_comp_level   5;
+    gzip_min_length   1024;
+    gzip_types        text/plain text/css text/xml text/javascript
+                      application/json application/javascript application/xml
+                      application/x-javascript image/svg+xml;
 
     # ── DeerFlow on HF Spaces ─────────────────────────────────────
     server {

start.sh

@@ -17,12 +17,16 @@ SYNC_INTERVAL="${SYNC_INTERVAL:-600}"
 BACKEND_READY_TIMEOUT="${BACKEND_READY_TIMEOUT:-120}"
 FRONTEND_READY_TIMEOUT="${FRONTEND_READY_TIMEOUT:-120}"
 
+# Apply defaults before exporting so downstream tools never see empty strings
+export BACKUP_DATASET_NAME="${BACKUP_DATASET_NAME:-huggingflow-backup}"
+export SYNC_INTERVAL="${SYNC_INTERVAL:-600}"
+
 # Export shell vars so inline Python scripts can read them via os.environ
-export DATA_DIR CONFIG_PATH BACKUP_DATASET_NAME SYNC_INTERVAL
+export DATA_DIR CONFIG_PATH
 export DEER_FLOW_HOME="$DATA_DIR"
 export DEER_FLOW_CONFIG_PATH="$CONFIG_PATH"
 export DEER_FLOW_SKILLS_PATH="/app/skills"
-export NGINX_PORT PUBLIC_PORT
+export NGINX_PORT PUBLIC_PORT FRONTEND_PORT BACKEND_PORT
 
 echo ""
 echo "  ╔══════════════════════════════════════════╗"
@@ -69,7 +73,8 @@ if [ -z "${AUTH_JWT_SECRET:-}" ]; then
     AUTH_JWT_SECRET=$(cat "$AUTH_JWT_SECRET_FILE")
     echo "AUTH_JWT_SECRET loaded from disk."
   else
-    AUTH_JWT_SECRET=$(openssl rand -base64 48 | tr -d '\n')
+    AUTH_JWT_SECRET=$(openssl rand -base64 48 2>/dev/null | tr -d '\n' || \
+                   python3 -c "import secrets; print(secrets.token_urlsafe(64))")
     printf '%s' "$AUTH_JWT_SECRET" > "$AUTH_JWT_SECRET_FILE"
     chmod 600 "$AUTH_JWT_SECRET_FILE"
     echo "AUTH_JWT_SECRET generated and saved to disk."
@@ -298,15 +303,6 @@ base["skills"]["path"] = "/app/skills"
 base.setdefault("agents_api", {})
 base["agents_api"]["enabled"] = True
 
-# CORS: allow HF Space URL + localhost
-space_host = os.environ.get("SPACE_HOST", "")
-cors_origins = ["http://localhost:3000", "http://localhost:7860"]
-if space_host:
-    cors_origins.append(f"https://{space_host}")
-
-# Set via env (picked up by gateway config loader)
-os.environ["CORS_ORIGINS"] = ",".join(cors_origins)
-
 config_path.parent.mkdir(parents=True, exist_ok=True)
 config_path.write_text(yaml.safe_dump(base, sort_keys=False, allow_unicode=True))
 config_path.chmod(0o600)
@@ -353,15 +349,21 @@ graceful_shutdown() {
     echo "Saving state to HF Dataset..."
     python3 "$APP_DIR/deerflow-sync.py" sync-once || echo "Warning: shutdown sync failed."
   fi
-  # Stop nginx daemon (nginx -s quit = graceful drain)
   nginx -s quit 2>/dev/null || true
-  # Stop background shell jobs (health-server, backend, frontend, sync loop)
-  kill $(jobs -p) 2>/dev/null || true
-  sleep 2
+  # Kill tracked PIDs explicitly — more reliable than $(jobs -p) in bash
+  for pid in "${FRONTEND_PID:-}" "${HEALTH_PID:-}" "${BACKEND_PID:-}"; do
+    [ -n "$pid" ] && kill "$pid" 2>/dev/null || true
+  done
+  sleep 3
   exit 0
 }
 trap graceful_shutdown SIGTERM SIGINT
 
+# ── Truncate logs on startup (prevent unbounded growth) ──────────
+for _log in health-server backend frontend; do
+  : > "$DATA_DIR/logs/$_log.log" 2>/dev/null || true
+done
+
 # ── Start health-server (public port 7860) ────────────────────────
 echo "Starting health-server on port $PUBLIC_PORT..."
 node "$APP_DIR/health-server.js" 2>&1 | tee -a "$DATA_DIR/logs/health-server.log" &