Fix Docker volume permissions for /data (SQLite)

Add su-exec to runner stage, run entrypoint as root to chown /data,
then drop to nextjs user for migrations and app start. Fixes permission
denied errors when Docker volume is mounted as root.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -34,7 +34,7 @@ RUN npm run build
 FROM node:22-alpine AS runner
 WORKDIR /app
 
-RUN apk add --no-cache python3 make g++
+RUN apk add --no-cache python3 make g++ su-exec
 
 ENV NODE_ENV=production
 ENV NEXT_TELEMETRY_DISABLED=1
@@ -66,8 +66,7 @@ RUN chmod +x docker-entrypoint.sh
 # Data directory for SQLite — must be a volume
 RUN mkdir -p /data && chown nextjs:nodejs /data
 
-USER nextjs
+# Entrypoint runs as root, fixes /data permissions, then drops to nextjs via su-exec
-
 EXPOSE 3000
 
 ENTRYPOINT ["./docker-entrypoint.sh"]

docker-entrypoint.sh

@@ -1,11 +1,14 @@
 #!/bin/sh
 set -e
 
-# Run Prisma migrations on every startup (idempotent)
+# Fix /data permissions — Docker volumes are mounted as root by default
+chown -R nextjs:nodejs /data
+
+# Run Prisma migrations as nextjs user
 echo "Running database migrations..."
 DATABASE_URL="${DATABASE_URL:-file:/data/leadflow.db}" \
-  node node_modules/prisma/build/index.js migrate deploy \
+  su-exec nextjs node node_modules/prisma/build/index.js migrate deploy \
   --schema ./prisma/schema.prisma 2>&1 || echo "Migration warning (may already be up to date)"
 
 echo "Starting LeadFlow..."
-exec node server.js
+exec su-exec nextjs node server.js