ci: improve reproducibility and add dependency audit gate

Use lockfile-driven installs in Docker paths and add high-severity npm audit checks in CI while documenting local CORS policy for compose-based development.

Made-with: Cursor

.github/workflows/ci.yml

@@ -0,0 +1,56 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - "feature/**"
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 5 * * *"
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: "npm"
+          cache-dependency-path: |
+            solver-api/package-lock.json
+            gui-ts/package-lock.json
+
+      - name: Install solver-api deps
+        run: npm ci
+        working-directory: solver-api
+
+      - name: Install gui deps
+        run: npm ci
+        working-directory: gui-ts
+
+      - name: Audit production dependencies (high+)
+        run: |
+          npm audit --omit=dev --audit-level=high
+          cd ../gui-ts && npm audit --omit=dev --audit-level=high
+        working-directory: solver-api
+
+      - name: Run full test suite
+        run: make test
+
+  solver-sanitize:
+    name: Solver sanitize
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run ASan/UBSan regression
+        run: make test-solver-sanitize

Dockerfile

@@ -1,12 +1,12 @@
 FROM node:20-alpine AS api-deps
 WORKDIR /app/solver-api
 COPY solver-api/package.json solver-api/package-lock.json* ./
-RUN npm install
+RUN npm ci
 
 FROM node:20-alpine AS gui-deps
 WORKDIR /app/gui-ts
 COPY gui-ts/package.json gui-ts/package-lock.json* ./
-RUN npm install
+RUN npm ci
 
 FROM alpine:3.20 AS solver-build
 RUN apk add --no-cache build-base

docker-compose.yml

@@ -7,6 +7,8 @@ services:
     working_dir: /app
     ports:
       - "4400:4400"
+    environment:
+      - CORS_ORIGINS=http://localhost:5173
     volumes:
       - ./solver-api/src:/app/src
       - ./data:/data

gui-ts/Dockerfile

@@ -3,7 +3,7 @@ FROM node:20-alpine
 WORKDIR /app
 
 COPY package.json package-lock.json* ./
-RUN npm install
+RUN npm ci
 
 COPY . .
 

solver-api/Dockerfile

@@ -5,7 +5,7 @@ WORKDIR /app
 RUN apk add --no-cache build-base
 
 COPY package.json package-lock.json* ./
-RUN npm install
+RUN npm ci
 
 COPY src ./src