Environment Setup
Drop Environment Configuration
Last updated: 2026-02-13
Source: src/drop-app/package.json, next.config.ts, Dockerfile, docker-compose.yml, fly.toml
Technology Stack
| Layer | Technology | Version | Source |
|---|---|---|---|
| Runtime | Node.js | 22 (Alpine) | Dockerfile:2 |
| Framework | Next.js | 16.1.6 | package.json:14 |
| UI | React | 19.2.3 | package.json:15-16 |
| Database (MVP) | SQLite via better-sqlite3 | ^12.6.2 | package.json:6 |
| Database (Prod) | PostgreSQL via pg | ^8.18.0 | package.json:12 |
| Auth | JWT via jose | ^6.1.3 | package.json:8 |
| Password hashing | bcryptjs | ^3.0.3 | package.json:5 |
| Styling | Tailwind CSS | ^4 | package.json:33 |
| UI Components | Radix UI | ^1.4.3 | package.json:13 |
| Icons | Lucide React | ^0.563.0 | package.json:9 |
| Theme | next-themes | ^0.4.6 | package.json:10 |
| Toasts | Sonner | ^2.0.7 | package.json:17 |
Dev Dependencies
| Tool | Version | Purpose | Source |
|---|---|---|---|
| Vitest | ^4.0.18 | Unit/integration testing | package.json:36 |
| Playwright | ^1.58.2 | E2E testing | package.json:21 |
| TypeScript | ^5 | Type checking | package.json:35 |
| ESLint | ^9 | Linting | package.json:29 |
| shadcn | ^3.8.4 | UI component generation | package.json:32 |
NPM Scripts
Source: src/drop-app/package.json:5-12
| Script | Command | Description |
|---|---|---|
dev |
next dev |
Start development server (port 3000) |
build |
next build |
Build for production (standalone output) |
start |
next start |
Start production server |
lint |
eslint |
Run ESLint |
test |
vitest run |
Run unit/integration tests (single run) |
test:watch |
vitest |
Run tests in watch mode |
Next.js Configuration
Source: src/drop-app/next.config.ts:1-49
| Setting | Value | Purpose |
|---|---|---|
output |
"standalone" |
Self-contained server for Docker (next.config.ts:4) |
devIndicators |
false |
Disable dev indicators (next.config.ts:5) |
Security Headers
All responses include these headers (configured in next.config.ts:6-58):
| Header | Value (Production) | Value (Development) | Purpose |
|---|---|---|---|
| Content-Security-Policy | default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'none' |
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'none' |
XSS and injection protection |
| X-Frame-Options | DENY |
DENY |
Clickjacking prevention |
| X-Content-Type-Options | nosniff |
nosniff |
MIME sniffing prevention |
| Referrer-Policy | strict-origin-when-cross-origin |
strict-origin-when-cross-origin |
Referrer leakage prevention |
| Permissions-Policy | camera=(self), microphone=(), geolocation=(self) |
camera=(self), microphone=(), geolocation=(self) |
Feature restriction |
| Strict-Transport-Security | max-age=63072000; includeSubDomains; preload |
max-age=63072000; includeSubDomains; preload |
Force HTTPS |
Note: CSP is stricter in production (no unsafe-eval for scripts). Development mode allows unsafe-inline and unsafe-eval for HMR (Hot Module Replacement) to work.
Environment Modes
Development
NODE_ENV=development(default)- Demo user seeded automatically
- Login page shows demo credentials hint
- In-memory rate limiting fallback
- SQLite database at
./drop.db(project root)
Production
NODE_ENV=production- Demo seed data disabled
JWT_SECRETrequired (fatal error if missing)- Cookies set with
secure: true - SQLite at
/app/data/drop.dbor PostgreSQL viaDATABASE_URL
Test
NODE_ENV=test(set intests/setup.ts:1)- In-memory databases for isolation
- Mocked Next.js modules (server, headers)
Port Mapping
| Service | Internal Port | External Port | Protocol |
|---|---|---|---|
| Drop App | 3000 | 3000 | HTTP |
| PostgreSQL (prod) | 5432 | 5432 | TCP |
Docker Image Details
Base: node:22-alpine
User: nextjs (UID 1001)
Working dir: /app
Exposed port: 3000
Entrypoint: node server.js
Build context: src/drop-app/
Image contents (runner stage):
/app/public/-- Static assets/app/.next/standalone/-- Next.js standalone server/app/.next/static/-- Static build output/app/data/-- SQLite data directory (volume mount)