webhook returns 200 even when a trigger rule isn't satisfied, which would let
the app's res.ok check falsely report success if the secret drifted. Set
trigger-rule-mismatch-http-response-code: 403 so unauthorized triggers are
clearly rejected.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The NAS container was crash-looping: npx pulled Prisma 7.8.0 (which rejects
url in the datasource), and the alpine + non-root + standalone setup couldn't
detect openssl or write the migration engine. Switch to the FMB-proven runtime
(node:20-bookworm-slim + openssl, run as root, full node_modules, next start)
so the local pinned Prisma 5.22 CLI runs and migrations apply cleanly.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
npx prisma was downloading Prisma CLI v7.8.0 which dropped the
url = env("DATABASE_URL") schema syntax. Use the project's own
installed Prisma CLI from node_modules instead, copied from the
builder stage.