fix(security): remove unused dependencies from Docker runner stage

- Remove corepack/pnpm from runner (not needed at runtime)
- Remove curl (K8s uses native httpGet probes)
- Update migration-runner to use global prisma CLI instead of pnpm

This eliminates the tar vulnerability from pnpm's bundled node_modules
and reduces the overall attack surface of the production image.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Matti Nannt
2026-02-02 15:57:41 +01:00
parent 8b33d79616
commit 1704889a30
2 changed files with 3 additions and 10 deletions


@@ -77,12 +77,7 @@ RUN jq -r '.devDependencies.prisma' packages/database/package.json > /prisma_ver
#
FROM base AS runner
RUN npm install --ignore-scripts -g corepack@latest && \
corepack enable
RUN apk add --no-cache curl \
# && addgroup --system --gid 1001 nodejs \
&& addgroup -S nextjs \
RUN addgroup -S nextjs \
&& adduser -S -u 1001 -G nextjs nextjs
WORKDIR /home/nextjs
@@ -143,10 +138,8 @@ EXPOSE 3000
ENV HOSTNAME="0.0.0.0"
USER nextjs
# Prepare pnpm as the nextjs user to ensure it's available at runtime
# Prepare volumes for uploads and SAML connections
RUN corepack prepare pnpm@10.28.2 --activate && \
mkdir -p /home/nextjs/apps/web/uploads/ && \
RUN mkdir -p /home/nextjs/apps/web/uploads/ && \
mkdir -p /home/nextjs/apps/web/saml-connection
VOLUME /home/nextjs/apps/web/uploads/
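Review bot: With `corepack prepare pnpm@10.28.2 --activate` gone from the runner stage, the migration-runner in this same commit now expects a bare `prisma` binary on PATH for `USER nextjs`, yet neither hunk installs it; the `jq -r '.devDependencies.prisma'` line in the first hunk header suggests a version is extracted earlier, so confirm the global install actually lands in the runner stage and in the non-root user's PATH, otherwise the migration step fails at container start with a command-not-found error rather than a schema error. Removing `curl` is fine for Kubernetes httpGet probes, but any `HEALTHCHECK` instruction or docker-compose healthcheck that shells out to `curl` (none is visible in these hunks) would break silently as "unhealthy"; worth a grep before shipping. The second hunk still keeps the comment `# Prepare volumes for uploads and SAML connections` directly above the rewritten `RUN mkdir -p ...` line, which reads correctly now; consider also adding `# fixed UID 1001 keeps volume ownership stable across rebuilds — confirm matches mounted volumes` above `RUN addgroup -S nextjs \` since the numeric UID is now the only remaining non-obvious value in that stanza.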


@@ -170,7 +170,7 @@ const runSingleMigration = async (migration: MigrationScript, index: number): Pr
// Run Prisma migrate
// throws when migrate deploy fails
await execAsync(`pnpm prisma migrate deploy --schema="${PRISMA_SCHEMA_PATH}"`);
await execAsync(`prisma migrate deploy --schema="${PRISMA_SCHEMA_PATH}"`);
logger.info(`Successfully applied schema migration: ${migration.name}`);
} catch (err) {
logger.error(err, `Schema migration ${migration.name} failed`);
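Review bot: The new `prisma migrate deploy` invocation still goes through `execAsync` with a shell-interpolated template string, and with the `pnpm` wrapper removed the bare `prisma` name is now resolved purely via PATH lookup at runtime, so a missing global CLI surfaces as a shell "command not found" inside the same catch block as genuine migration failures. Since `PRISMA_SCHEMA_PATH` is passed into a shell, switching to a promisified `child_process.execFile` with an argument array, `await execFileAsync("prisma", ["migrate", "deploy", "--schema", PRISMA_SCHEMA_PATH]);`, avoids shell interpretation of the path entirely and makes a missing binary fail with a distinct `ENOENT` error that the logger line below can report separately from a real schema failure. A one-line comment such as `// relies on the globally installed prisma CLI in the runner image (no pnpm at runtime)` next to the call would record the new deployment assumption for the next maintainer. `runSingleMigration` begins and ends outside this hunk, so the surrounding error handling and the definition of `execAsync` and `PRISMA_SCHEMA_PATH` are not visible here.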