refactor(deploy): trim docker images via pnpm deploy --legacy

Use pnpm deploy to flatten each package's runtime subset into /deploy,
then copy ONLY that into the runtime stage. Catalog + workspace:*
specifiers previously forced full-workspace resolution into every
image's node_modules — unnecessary for either runtime.

Results (arm64, same smoke tests pass):
- broker:   3.26GB → 341MB  (-90%, drops all devDeps incl. drizzle-kit)
- migrate:  3.27GB → 653MB  (-80%, keeps drizzle-kit which IS runtime)

Broker /health confirms GIT_SHA build-arg still propagates (gitSha:
"30bc24f" in smoke test). Migrate still reads drizzle.config.ts and
attempts the connection correctly.

--legacy flag needed because pnpm 10 defaults to inject-workspace-
packages mode which the monorepo doesn't opt into; legacy is safe here.
--ignore-scripts on deploy skips the root postinstall (sherif lint:ws)
which has nothing to do with runtime.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/broker/Dockerfile

@@ -15,10 +15,14 @@ RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certifi
 # Copy full workspace (pnpm needs lockfile + all package.jsons to resolve workspace:* and catalog:)
 COPY . .
 
-# Install all workspace deps (broker needs @turbostarter/db + @turbostarter/shared and their transitive deps)
+# Install all workspace deps, then flatten broker's prod subset into /deploy.
-RUN pnpm install --frozen-lockfile --ignore-scripts
+# pnpm deploy: resolves workspace:* to real copies, drops catalog: references,
+# drops devDependencies (--prod), produces a self-contained runtime directory
+# with only what this one package + its transitive prod deps need.
+RUN pnpm install --frozen-lockfile --ignore-scripts && \
+    pnpm deploy --legacy --prod --ignore-scripts --filter=@claudemesh/broker /deploy
 
-# Stage 2: minimal Bun runtime
+# Stage 2: minimal Bun runtime — copy only the flat /deploy subset
 FROM oven/bun:1.2-slim AS runtime
 WORKDIR /app
 
@@ -29,13 +33,7 @@ ENV GIT_SHA=$GIT_SHA
 ENV NODE_ENV=production
 ENV BROKER_PORT=7900
 
-# Copy workspace root metadata + node_modules + only the packages the broker needs
+COPY --from=deps --chown=bun:bun /deploy /app
-COPY --from=deps --chown=bun:bun /app/package.json /app/pnpm-workspace.yaml /app/pnpm-lock.yaml /app/.npmrc ./
-COPY --from=deps --chown=bun:bun /app/node_modules ./node_modules
-COPY --from=deps --chown=bun:bun /app/apps/broker ./apps/broker
-COPY --from=deps --chown=bun:bun /app/packages/db ./packages/db
-COPY --from=deps --chown=bun:bun /app/packages/shared ./packages/shared
-COPY --from=deps --chown=bun:bun /app/tooling/typescript ./tooling/typescript
 
 EXPOSE 7900
 
@@ -44,4 +42,4 @@ HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 \
 
 # Non-root user (oven/bun image ships with 'bun' uid 1000)
 USER bun
-CMD ["bun", "apps/broker/src/index.ts"]
+CMD ["bun", "src/index.ts"]

packages/db/Dockerfile

@@ -5,7 +5,7 @@
 #
 # Build from repo root:  docker build -f packages/db/Dockerfile -t claudemesh-migrate .
 
-# Stage 1: resolve pnpm workspace + install deps (Bun base + standalone pnpm)
+# Stage 1: resolve pnpm workspace + flatten db's subset to /deploy via pnpm deploy
 FROM oven/bun:1.2 AS deps
 WORKDIR /app
 
@@ -17,25 +17,20 @@ RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certifi
 # pnpm needs full workspace context to resolve workspace:* and catalog: specifiers
 COPY . .
 
-# drizzle-kit is a devDependency → install the full dep graph (NOT --prod).
+# Install full workspace, then flatten the db package's deploy subset.
-# Filter to db + its transitive deps only → ~20x smaller install than the whole workspace.
+# Keeps devDependencies (--no `--prod`) because drizzle-kit IS the runtime here.
-RUN pnpm install --frozen-lockfile --ignore-scripts --filter "@turbostarter/db..."
+RUN pnpm install --frozen-lockfile --ignore-scripts && \
+    pnpm deploy --legacy --ignore-scripts --filter=@turbostarter/db /deploy
 
-# Stage 2: minimal Bun runtime (executes drizzle-kit CLI + TS config)
+# Stage 2: minimal Bun runtime — copy only /deploy
 FROM oven/bun:1.2-slim AS runtime
 WORKDIR /app
 
 ENV NODE_ENV=production
 
-# Copy workspace metadata, the db package (schema + migrations + config), shared (transitive)
+COPY --from=deps --chown=bun:bun /deploy /app
-COPY --from=deps --chown=bun:bun /app/package.json /app/pnpm-workspace.yaml /app/pnpm-lock.yaml /app/.npmrc ./
-COPY --from=deps --chown=bun:bun /app/node_modules ./node_modules
-COPY --from=deps --chown=bun:bun /app/packages/db ./packages/db
-COPY --from=deps --chown=bun:bun /app/packages/shared ./packages/shared
-COPY --from=deps --chown=bun:bun /app/tooling/typescript ./tooling/typescript
 
 USER bun
-WORKDIR /app/packages/db
 
 # drizzle-kit reads DATABASE_URL from env via ./src/env.ts, runs pending migrations,
 # exits 0 on success / non-zero on failure. No long-running process.