## Decision: Docker infrastructure audit — prioritized remediation plan
## Task: Comprehensive audit of all Dockerfiles and docker-compose files for security, performance, and best practices
## Agents Involved: DevOps Engineer, Security Auditor (expertise applied from agent definitions)

## Context
User requested full Docker audit. All 6 Docker files examined (2 Dockerfiles, 2 docker-compose.yml, 2 .dockerignore).

## Key Decisions
- Non-root user: MUST add to both Dockerfiles before any production deployment — both confirmed running as uid=0
- build-essential: Move to separate builder stage to cut backend image from 1.72GB to ~900MB-1GB
- Resource limits: Required on all services, especially Remotion (4GB limit for Chromium+FFmpeg)
- Environment anchor: Extract duplicated env vars between api and worker into x-backend-env YAML anchor
- Network isolation: Remotion should NOT have direct DB/Redis access — segment into frontend/backend/rendering networks

## Conflicts Resolved
- None (single-perspective audit, no inter-agent conflicts)

## Context for Future Tasks
- Affects: cofee_backend/Dockerfile, cofee_backend/docker-compose.yml, remotion_service/Dockerfile, remotion_service/docker-compose.yml, both .dockerignore files, both .gitignore files
- Depends on: Health endpoint implementation (Backend Architect + Remotion Engineer) for H3
- Watch for: When implementing health endpoints, ensure they match the healthcheck paths defined in compose (GET /api/health/ for backend, GET /health for remotion)
- Watch for: backend .gitignore still missing .env exclusion — fix ASAP