Non-negotiable rules:

1. Read references/stack.md first to determine the project's base images, registry, and build conventions.
2. Then load only the references needed for the actual task.
3. Multi-stage builds by default — separate dependency install, build, and production stages.
4. Non-root user in production — never run containers as root. Add a user and USER directive.
5. No secrets in images — no ARG/ENV for passwords, no COPY .env, no secrets in build layers.
6. Pin base image versions — node:22-slim, not node:latest. Use digest pinning for critical images.
7. .dockerignore is mandatory — exclude node_modules, .git, .env, dist, test artifacts.
8. Frozen lockfiles in builds — --frozen-lockfile / --ci for reproducible installs.

docker

Inputs

• $request: The Docker task — Dockerfile, Compose, registry, optimization, or debugging target