fix: SQLite readonly error in Docker container

- Add entrypoint script that ensures /data is owned by node user
  before dropping privileges with su-exec
- Remove USER node from Dockerfile (entrypoint handles it)
- Change client depends_on to service_healthy so nginx waits for
  the server to pass its healthcheck before starting

web/docker-compose.yml

@@ -27,7 +27,7 @@ services:
       - inventory-network
     depends_on:
       server:
-        condition: service_started
+        condition: service_healthy
     restart: unless-stopped
 
 networks:

web/server/Dockerfile

@@ -2,7 +2,8 @@
 FROM node:18-alpine
 
 # Build tools needed for better-sqlite3 native compilation
-RUN apk add --no-cache python3 make g++
+# su-exec for dropping privileges in entrypoint
+RUN apk add --no-cache python3 make g++ su-exec
 
 WORKDIR /app
 
@@ -15,16 +16,18 @@ RUN apk del python3 make g++
 
 COPY . .
 
-# Create data directory for SQLite with proper ownership
-RUN mkdir -p /data && chown node:node /data
+# Create data directory for SQLite
+RUN mkdir -p /data
 VOLUME /data
 
-# Run as non-root user for security
-USER node
+# Entrypoint fixes /data permissions then drops to node user
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
 EXPOSE 3001
 
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
   CMD node -e "require('http').get('http://localhost:3001/api/health',r=>{process.exit(r.statusCode===200?0:1)}).on('error',()=>process.exit(1))"
 
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["node", "server.js"]

web/server/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+# Ensure data directory exists and is writable by the node user
+mkdir -p /data
+chown node:node /data
+
+# Drop privileges and exec the CMD
+exec su-exec node "$@"