---
phase: 01-cleanup-fixes
plan: 02
type: execute
wave: 1
depends_on: []
files_modified:
  - Dockerfile
  - server/plugins/rate-limit.ts
  - server/api/contact.post.ts
autonomous: true
requirements:
  - FIX-02
  - FIX-03
  - DEPLOY-01
must_haves:
  truths:
    - "Dockerfile uses pnpm install --frozen-lockfile, not npm"
    - "Rapid POST requests to /api/contact are rejected with 429 after the limit"
    - "Docker build succeeds with pnpm"
  artifacts:
    - path: "Dockerfile"
      provides: "pnpm-based Docker build"
      contains: "pnpm install --frozen-lockfile"
    - path: "server/plugins/rate-limit.ts"
      provides: "In-memory rate limiting for contact API"
      contains: "429"
  key_links:
    - from: "server/plugins/rate-limit.ts"
      to: "/api/contact"
      via: "Nitro request hook filtering on path"
      pattern: "/api/contact"
---

<objective>
Migrate Dockerfile from npm to pnpm and add rate limiting to the contact API endpoint.

Purpose: Fix build reproducibility (pnpm lockfile used in Docker) and protect against email flooding via unthrottled contact form submissions.
Output: Working Dockerfile with pnpm, rate-limited contact endpoint.
</objective>

<execution_context>
@$HOME/.claude/get-shit-done/workflows/execute-plan.md
@$HOME/.claude/get-shit-done/templates/summary.md
</execution_context>

<context>
@.planning/ROADMAP.md
@.planning/STATE.md
@.planning/research/PITFALLS.md
@.planning/research/STACK.md
</context>

<tasks>

<task type="auto">
  <name>Task 1: Migrate Dockerfile to pnpm</name>
  <read_first>Dockerfile, package.json</read_first>
  <files>Dockerfile</files>
  <action>
Replace the entire Dockerfile with:

```dockerfile
# Stage 1: Build
FROM node:22-alpine AS builder
WORKDIR /app

# Install pnpm via corepack
RUN corepack enable && corepack prepare pnpm@latest --activate

# Copy manifests first for layer caching
COPY package.json pnpm-lock.yaml ./

# Install all dependencies (including devDeps needed for build)
RUN pnpm install --frozen-lockfile

# Copy source and build
COPY . .
RUN pnpm build

# Stage 2: Runtime
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV HOST=0.0.0.0
ENV PORT=3000

# Nuxt SSR bundles all server deps into .output/server/
COPY --from=builder /app/.output /app/.output

EXPOSE 3000
CMD ["node", "/app/.output/server/index.mjs"]
```

Key changes from original:
- `corepack enable` + `corepack prepare pnpm@latest --activate` instead of relying on npm
- `COPY package.json pnpm-lock.yaml ./` instead of `COPY package*.json ./`
- `pnpm install --frozen-lockfile` instead of `npm ci`
- `pnpm build` instead of `npm run build`
- Explicit ENV vars for NODE_ENV, HOST, PORT in runtime stage
  </action>
  <verify>
    <automated>bash -c "grep -q 'pnpm install --frozen-lockfile' Dockerfile && grep -q 'corepack enable' Dockerfile && grep -q 'pnpm build' Dockerfile && ! grep -q 'npm' Dockerfile && echo 'Dockerfile OK' || echo 'FAIL'"</automated>
  </verify>
  <acceptance_criteria>
- `grep 'pnpm install --frozen-lockfile' Dockerfile` returns a match
- `grep 'corepack enable' Dockerfile` returns a match
- `grep 'pnpm build' Dockerfile` returns a match
- `grep 'npm' Dockerfile` returns zero matches
- `grep 'pnpm-lock.yaml' Dockerfile` returns a match
  </acceptance_criteria>
  <done>Dockerfile uses pnpm exclusively with frozen lockfile for reproducible builds</done>
</task>

<task type="auto">
  <name>Task 2: Add rate limiting to contact API</name>
  <read_first>server/api/contact.post.ts</read_first>
  <files>server/plugins/rate-limit.ts</files>
  <action>
Create `server/plugins/rate-limit.ts` as a Nitro server plugin implementing in-memory IP-based rate limiting for the contact endpoint.

```typescript
// server/plugins/rate-limit.ts
const ipMap = new Map<string, { count: number; reset: number }>()

// Clean stale entries every 5 minutes to prevent memory leak
setInterval(() => {
  const now = Date.now()
  for (const [ip, entry] of ipMap) {
    if (entry.reset < now) ipMap.delete(ip)
  }
}, 5 * 60 * 1000)

export default defineNitroPlugin((nitro) => {
  nitro.hooks.hook('request', (event) => {
    // Only rate-limit the contact POST endpoint
    if (event.method !== 'POST' || !event.path.startsWith('/api/contact')) return

    const ip = getRequestIP(event, { xForwardedFor: true }) ?? 'unknown'
    const now = Date.now()
    const window = 60_000 // 1 minute window
    const limit = 3 // max 3 requests per minute per IP

    const entry = ipMap.get(ip)
    if (!entry || entry.reset < now) {
      ipMap.set(ip, { count: 1, reset: now + window })
      return
    }

    entry.count++
    if (entry.count > limit) {
      throw createError({ statusCode: 429, message: 'Too many requests. Please try again later.' })
    }
  })
})
```

This uses Nitro's built-in `getRequestIP` and `createError` helpers (auto-imported in server context). The rate limit is 3 requests per IP per 60-second window. The 4th+ request within the window gets a 429 response.

The plugin hooks into ALL requests but filters to only `/api/contact` POST. No changes needed to `contact.post.ts` itself.
  </action>
  <verify>
    <automated>bash -c "test -f server/plugins/rate-limit.ts && grep -q '429' server/plugins/rate-limit.ts && grep -q '/api/contact' server/plugins/rate-limit.ts && echo 'rate-limit OK' || echo 'FAIL'"</automated>
  </verify>
  <acceptance_criteria>
- `server/plugins/rate-limit.ts` exists
- File contains `statusCode: 429`
- File contains check for `/api/contact`
- File contains `getRequestIP`
- File contains `Map<string, { count: number; reset: number }>`
- Rate limit is 3 requests per 60-second window
  </acceptance_criteria>
  <done>Contact API rate-limited to 3 POST requests per IP per minute, 429 returned on excess</done>
</task>

</tasks>

<threat_model>
## Trust Boundaries

| Boundary | Description |
|----------|-------------|
| Client -> /api/contact | Untrusted POST from internet, potential spam/abuse |
| Docker build -> production | Build must use same lockfile as dev to prevent supply chain drift |

## STRIDE Threat Register

| Threat ID | Category | Component | Disposition | Mitigation Plan |
|-----------|----------|-----------|-------------|-----------------|
| T-01-03 | Denial of Service | /api/contact | mitigate | In-memory rate limit: 3 req/min/IP via Nitro plugin, returns 429 on excess |
| T-01-04 | Elevation of Privilege | Dockerfile npm vs pnpm | mitigate | Use pnpm --frozen-lockfile to ensure exact dependency resolution matches dev |
| T-01-05 | Tampering | Rate limit bypass via IP spoofing | accept | X-Forwarded-For can be spoofed but acceptable risk for a portfolio contact form; reverse proxy (Docker/Cloudflare) controls the header |
</threat_model>

<verification>
- `grep 'pnpm install --frozen-lockfile' Dockerfile` succeeds
- `grep -c 'npm' Dockerfile` returns 0
- `server/plugins/rate-limit.ts` exists with 429 response
- Rate limit targets `/api/contact` POST only
</verification>

<success_criteria>
Dockerfile builds with pnpm, contact API rejects rapid submissions with 429.
</success_criteria>

<output>
After completion, create `.planning/phases/01-cleanup-fixes/01-02-SUMMARY.md`
</output>