Fix Prisma database connection in API#23

Merged: platzhersh merged 1 commit into main from claude/fix-prisma-connection-fqdx1, Jan 4, 2026
platzhersh (Owner) commented Jan 4, 2026

The Prisma query engine binaries were being cached in /root/.cache/ during the build, but the app runs as appuser who cannot access that directory. This caused a Permission denied error at runtime.

Fix by:

  • Creating appuser earlier in the Dockerfile
  • Setting PRISMA_BINARY_CACHE_DIR to /home/appuser/.cache/prisma-python
  • Ensuring ownership of the cache directory is granted to appuser

Summary by CodeRabbit

Release Notes

This release contains infrastructure and containerization improvements with no end-user visible changes.

  • Chores
    • Improved container image security and build efficiency through enhanced configuration and caching optimizations.

coderabbitai bot commented Jan 4, 2026

Walkthrough

The Dockerfile is refactored to establish non-root user and group (appuser/appgroup with UID/GID 1000) early in the build process. A Prisma binary cache directory environment variable is introduced, and user creation is consolidated with unified ownership adjustments across the application directory, cache directory, and Prisma site-packages binaries.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Non-root user setup and Prisma caching (api/Dockerfile) | Introduces non-root user (appuser) and group (appgroup) with UID/GID 1000; adds PRISMA_BINARY_CACHE_DIR environment variable pointing to /home/appuser/.cache/prisma-python; consolidates user creation and chown operations; adjusts ownership for /app, Prisma cache directory, and site-packages binaries to appuser:appgroup |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • open-cis#22: Both PRs modify api/Dockerfile to ensure Prisma binaries in site-packages are accessible to a non-root appuser through ownership and permission changes.
  • open-cis#21: Both PRs modify api/Dockerfile to add a non-root appuser/appgroup and adjust ownership so the container runs as a non-root user.

Poem

🐰 A user born of nonroot grace,
With cache for Prisma's special place,
Permissions sorted, all in line,
The Docker image now runs just fine!
Consolidated steps, clean and bright,
Security dreams take their flight ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix Prisma database connection in API' accurately describes the main objective of the PR, which addresses a Prisma permission issue by restructuring the Dockerfile and ensuring proper cache directory ownership. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c18287d and 8819f3d.

📒 Files selected for processing (1)
  • api/Dockerfile
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2026-01-02T20:46:00.330Z
Learnt from: CR
Repo: platzhersh/open-cis PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-02T20:46:00.330Z
Learning: Copy .env.example to .env locally and configure environment variables: DATABASE_URL for Prisma app database connection, EHRBASE_URL for EHRBase REST API endpoint, CORS_ORIGINS for allowed origins JSON array, and VITE_API_URL for frontend API base URL

Applied to files:

  • api/Dockerfile
🔇 Additional comments (3)
api/Dockerfile (3)

10-12: LGTM! User creation positioned correctly.

Creating the non-root user before dependency installation is the correct approach to ensure proper ownership of cached Prisma binaries. The use of explicit UID/GID 1000 and --create-home flag are good practices.


14-15: LGTM! Cache directory correctly configured.

Setting PRISMA_BINARY_CACHE_DIR before prisma generate (line 27) ensures the query engine binaries are cached to a location accessible by appuser at runtime. This directly addresses the permission denied issue described in the PR objectives.


29-32: Consider explicitly creating the Prisma cache directory before prisma generate to ensure the binary cache location is available. While the subsequent chown operations won't fail if paths don't exist, it's a best practice to ensure the directory is created first per Prisma Python documentation:

 # Set Prisma binary cache to a location accessible by appuser
 ENV PRISMA_BINARY_CACHE_DIR=/home/appuser/.cache/prisma-python

+# Create cache directory before generating Prisma client
+RUN mkdir -p "$PRISMA_BINARY_CACHE_DIR"
+
 # Generate Prisma client (binaries will be cached in PRISMA_BINARY_CACHE_DIR)
 RUN prisma generate
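
Review bot: The added `RUN mkdir -p "$PRISMA_BINARY_CACHE_DIR"` has no `USER` switch before it in this hunk, so it creates both `/home/appuser/.cache` and `prisma-python` as root, and `prisma generate` then writes the engine binaries there as root as well. Runtime access for appuser then depends entirely on the later chown being recursive and starting at `/home/appuser/.cache`, not only at the `prisma-python` leaf. Suggest creating the directory and setting its owner in the same RUN step, so a later edit to the chown line cannot bring back the Permission denied error.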

This ensures the cache directory exists and is owned by root before the subsequent chown operation at line 31.


@platzhersh platzhersh merged commit 5f5f894 into main Jan 4, 2026
2 checks passed
@platzhersh platzhersh deleted the claude/fix-prisma-connection-fqdx1 branch January 4, 2026 21:59
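
A build-time check for the failure mode this PR fixes, as an added example that is not part of the PR or the project's Dockerfile. The function names `cache_owned_by` and `ancestors_traversable` are hypothetical; UID 1000 in the usage comment is the value given in the walkthrough above.

```shell
#!/bin/sh
# Added example (constructed): verify the runtime user can reach and use
# the Prisma binary cache before the image ships.

# cache_owned_by DIR UID
#   0: DIR exists and every entry under it is owned by UID
#   1: some entry has another owner (entries listed on stderr)
#   2: DIR does not exist
cache_owned_by() {
    dir=$1 uid=$2
    [ -d "$dir" ] || { echo "missing cache directory: $dir" >&2; return 2; }
    # find prints DIR itself and anything below it that UID does not own.
    foreign=$(find "$dir" ! -user "$uid" -print 2>/dev/null)
    [ -z "$foreign" ] && return 0
    printf 'not owned by uid %s:\n%s\n' "$uid" "$foreign" >&2
    return 1
}

# ancestors_traversable DIR UID
#   0: every parent of DIR is owned by UID or has the "other" execute bit
#   1: a parent (for example /root, mode 0700, owner root) blocks UID
#   Simplification: group membership is ignored.
ancestors_traversable() {
    p=$(dirname "$1") uid=$2
    while :; do
        # -prune stops descent, so only $p itself is tested.
        ok=$(find "$p" -prune \( -user "$uid" -o -perm -001 \) -print 2>/dev/null)
        [ -n "$ok" ] || { echo "uid $uid cannot traverse $p" >&2; return 1; }
        case $p in /|.) return 0 ;; esac
        p=$(dirname "$p")
    done
}

# Assumed use as the last build step, after the chown:
#   cache_owned_by "$PRISMA_BINARY_CACHE_DIR" 1000 &&
#   ancestors_traversable "$PRISMA_BINARY_CACHE_DIR" 1000
```

Run against the pre-fix layout, `ancestors_traversable /root/.cache/prisma-python 1000` fails on `/root`, which is the Permission denied condition described in the PR.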