refacto: Changing some docker images to hardened non-root ones + README update

Dockerfile

@@ -1,29 +1,39 @@
-FROM node:20-alpine
-
-# Create non-root user/group before switching context
-RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+# ── Stage 1: install production dependencies ──────────────────────────────────
+# node:20-alpine is used only for npm ci; it never ships to production.
+FROM node:20-alpine AS deps
 
 WORKDIR /app
 
-# Install dependencies first for better layer caching
-COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+# package-lock.json* — the wildcard makes the COPY succeed even if the lock
+# file is absent, so the image can be built from a clean checkout without any
+# local Node installation.
+COPY package.json package-lock.json* ./
+RUN if [ -f package-lock.json ]; then npm ci --omit=dev; else npm install --omit=dev; fi
+
+# ── Stage 2: hardened, minimal runtime ────────────────────────────────────────
+# gcr.io/distroless/nodejs20-debian12:nonroot contains only the Node runtime.
+# No shell, no package manager, no OS utilities → drastically reduced attack
+# surface and near-zero CVEs from OS packages.  Runs as uid 65532 (nonroot).
+FROM gcr.io/distroless/nodejs20-debian12:nonroot
+
+WORKDIR /app
+
+COPY --from=deps /app/node_modules ./node_modules
 
 # Copy application source
 COPY server ./server
 COPY public ./public
 COPY config ./config
 
-# Drop to non-root user
-USER appuser
-
 ENV NODE_ENV=production
 ENV PORT=8080
 
 EXPOSE 8080
 
-# Health-check: lightweight wget is available in node:alpine
+# Health-check: no wget/curl in distroless — use the bundled Node binary
+# directly via exec form (no shell needed).
 HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
-  CMD wget -qO- http://localhost:8080/api/config > /dev/null || exit 1
+  CMD ["/nodejs/bin/node", "server/healthcheck.js"]
 
-CMD ["node", "server/index.js"]
+# The distroless ENTRYPOINT is already /nodejs/bin/node; CMD is the argument.
+CMD ["server/index.js"]