fix: use COPY --chmod instead of RUN chmod in frontend Dockerfile (#214)

The nginx-unprivileged base image runs as non-root, so RUN chmod
on / fails with 'Operation not permitted'. Use COPY --chmod=755
to set the executable bit at build time instead.

.env.example

@@ -12,6 +12,9 @@ PGID=1000
 PORT=3000
 CORS_ORIGINS=http://localhost:4174
 LOG_LEVEL=info
+# Levels: debug, info, warn, error, silent
+# Controls: backend Fastify logging, frontend nginx access logs (Docker),
+#           and frontend browser console (via build-time injection)
 
 # Rate limit: max requests per minute per IP (default: 100)
 # Increase for development/testing environments

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "medassist-ng-backend",
-  "version": "1.10.3",
+  "version": "1.11.1",
   "private": true,
   "type": "module",
   "scripts": {

docker-compose.yml

@@ -35,6 +35,8 @@ services:
   frontend:
     image: ghcr.io/danielvolz/medassist-ng-frontend:latest
     container_name: medassist-ng-frontend
+    env_file:
+      - .env
     environment:
       - BACKEND_URL=backend:3000
     ports:

frontend/Dockerfile

@@ -41,6 +41,9 @@ RUN sed -i 's|include /etc/nginx/conf.d/\*.conf;|include /tmp/default.conf;|' /e
 # nginx-unprivileged automatically substitutes env vars in .template files
 COPY nginx.conf /etc/nginx/templates/default.conf.template
 
+# Copy entrypoint wrapper (translates LOG_LEVEL → nginx access log control)
+COPY --chmod=755 nginx-entrypoint.sh /nginx-entrypoint.sh
+
 # Copy built static files with correct ownership (nginx user = uid 101)
 COPY --from=builder --chown=101:101 /app/dist /usr/share/nginx/html
 
@@ -50,5 +53,6 @@ EXPOSE 8080
 # Already runs as non-root (nginx user, uid 101)
 USER nginx
 
-# Start nginx (entrypoint processes templates automatically)
+# Use wrapper entrypoint that maps LOG_LEVEL to nginx config
+ENTRYPOINT ["/nginx-entrypoint.sh"]
 CMD ["nginx", "-g", "daemon off;"]

frontend/nginx-entrypoint.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+# =============================================================================
+# Frontend entrypoint wrapper
+# Translates LOG_LEVEL into nginx access log control before
+# delegating to the standard nginx-unprivileged entrypoint.
+#
+# LOG_LEVEL=debug|info  → access logs enabled  (default)
+# LOG_LEVEL=warn|error|fatal|silent → access logs suppressed
+# =============================================================================
+
+case "${LOG_LEVEL:-info}" in
+  warn|error|fatal|silent)
+    export NGINX_ACCESS_LOG="off"
+    ;;
+  *)
+    export NGINX_ACCESS_LOG="/dev/stdout"
+    ;;
+esac
+
+# Delegate to the original nginx-unprivileged entrypoint
+exec /docker-entrypoint.sh "$@"

frontend/nginx.conf

@@ -6,6 +6,9 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
+    # Access log control (suppressed when LOG_LEVEL is warn or higher)
+    access_log ${NGINX_ACCESS_LOG};
+
     # Security headers
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "medassist-ng-frontend",
   "private": true,
-  "version": "1.10.3",
+  "version": "1.11.1",
   "type": "module",
   "scripts": {
     "dev": "vite",