Make the deployed images actually run

Two production-only failures the CI scan didn't catch:

Backend: the running container was crashing with `Cannot find module
'/app/dist/main'`. nest build was emitting `dist/src/main.js` instead
of `dist/main.js` because tsconfig.json had no rootDir, so tsc inferred
it as `.` and preserved the src/ subdirectory in the output. Set
`rootDir: "./src"` to flatten the output. Also exclude prisma/ from
tsconfig.build.json so prisma/seed.ts (a ts-node script that lives
outside src/) doesn't trip the rootDir check during builds.

Frontend: containers came up but were marked unhealthy because the
deployment's healthcheck targeted port 80 — which nginx-unprivileged
can't bind. Add a HEALTHCHECK directive to the image pointing at 8080
so any orchestrator inherits a working default. Compose-level
overrides still need to be updated independently.

Also clean up build-artifact gitignore patterns: *.tsbuildinfo and
compiled prisma/seed.* (a stale tsc invocation against the old
build config emitted them locally; they shouldn't ever be committed).

Bump backend and frontend to 0.1.3 — the broken 0.1.2 images are now
occupying those tags in Harbor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitignore

@@ -4,6 +4,12 @@ node_modules/
 # Build output
 dist/
 build/
+**/*.tsbuildinfo
+
+# Compiled Prisma seed (seed.ts is run via ts-node, not compiled)
+**/prisma/seed.js
+**/prisma/seed.js.map
+**/prisma/seed.d.ts
 
 # Environment variables (all paths)
 **/.env

tehriehlbudget-backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tehriehlbudget-backend",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "",
   "author": "",
   "private": true,

tehriehlbudget-backend/tsconfig.build.json

@@ -1,4 +1,4 @@
 {
   "extends": "./tsconfig.json",
-  "exclude": ["node_modules", "test", "dist", "**/*spec.ts"]
+  "exclude": ["node_modules", "test", "dist", "prisma", "**/*spec.ts"]
 }

tehriehlbudget-backend/tsconfig.json

@@ -13,6 +13,7 @@
     "target": "ES2023",
     "sourceMap": true,
     "outDir": "./dist",
+    "rootDir": "./src",
     "baseUrl": "./",
     "incremental": true,
     "skipLibCheck": true,

tehriehlbudget-frontend/Dockerfile

@@ -31,3 +31,8 @@ COPY --chown=nginx:nginx tehriehlbudget-frontend/docker-entrypoint.sh  /docker-e
 RUN chmod +x /docker-entrypoint.d/40-render-config.sh
 USER nginx
 EXPOSE 8080
+# nginx-unprivileged can't bind privileged ports; the image listens on 8080,
+# so a healthcheck targeting :80 will always fail. Bake in a sensible default
+# that any orchestrator (compose, k8s, Portainer) inherits unless overridden.
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget -qO /dev/null http://127.0.0.1:8080/ || exit 1

tehriehlbudget-frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "tehriehlbudget-frontend",
   "private": true,
-  "version": "0.1.2",
+  "version": "0.1.3",
   "type": "module",
   "scripts": {
     "dev": "vite",