fix: pin all sharp platform binaries so npm ci works on any host

The previous attempts (--include=optional, then a separate npm install
fallback) failed because npm ci runs sharp's install script DURING
installation — and that script crashes ("Please add node-gyp to your
dependencies") before the next Dockerfile step gets to run.

Real fix: pin every sharp platform binary as an optionalDependency in
package.json. npm now records URL+hash for all of them in the lock
file regardless of which OS generated the lock. On any build host,
npm ci picks the matching binary via the os/cpu/libc filters in those
packages and silently skips the rest.

Pinned binaries (sharp 0.34.5):
- @img/sharp-linuxmusl-x64   (Alpine x64 — our VPS)
- @img/sharp-linuxmusl-arm64 (Alpine arm64)
- @img/sharp-linux-x64       (glibc x64)
- @img/sharp-linux-arm64     (glibc arm64)
- @img/sharp-darwin-arm64    (Apple Silicon dev)
- @img/sharp-darwin-x64      (Intel Mac dev)

Side benefit: simplifies the Dockerfile. Drops the secondary
`npm install --no-save --cpu=x64 --os=linux --libc=musl sharp` step
and the vips-dev system package (no source compilation needed when
the prebuilt binary is guaranteed present). The runner stage still
needs `vips` runtime, that stays.

Dockerfile

@@ -6,27 +6,18 @@
 # ── Stage 1: Install dependencies ──
 FROM node:22-alpine AS deps
 # libc6-compat: glibc shim for prebuilt native binaries (Prisma engines)
-# vips-dev: required for sharp on Alpine — image processing native lib
-RUN apk add --no-cache libc6-compat vips-dev
+RUN apk add --no-cache libc6-compat
 WORKDIR /app
 
 COPY package.json package-lock.json ./
 
-# Strict, reproducible install for everything that's in the lock file.
+# Sharp's per-platform binaries (@img/sharp-linuxmusl-x64, etc.) are pinned
+# as optionalDependencies in package.json, so the lock file records every
+# supported platform. `npm ci` then picks the matching one for the build
+# host (Alpine x64) and skips the rest — no source compilation needed,
+# no extra Dockerfile gymnastics.
 RUN npm ci --include=optional --no-audit --no-fund
 
-# Sharp 0.34 ships a separate binary per (os, libc, cpu) tuple as
-# optionalDependencies. The lock file was generated on the developer
-# machine (e.g. macOS arm64), so it only records THAT platform's binary.
-# `npm ci` is strict and refuses to install platform deps not recorded
-# in the lock — which means the Alpine (linuxmusl-x64) binary is missing,
-# sharp falls back to building from source, and the build fails with
-# "Please add node-gyp to your dependencies".
-#
-# Fix: explicitly fetch the Alpine binary after npm ci. --no-save keeps
-# package.json/lock untouched (no churn back to the dev machine).
-RUN npm install --no-save --include=optional --cpu=x64 --os=linux --libc=musl sharp
-
 # ── Stage 2: Build the application ──
 FROM node:22-alpine AS builder
 WORKDIR /app

package-lock.json

@@ -51,6 +51,14 @@
         "prisma": "^7.5.0",
         "tailwindcss": "^4",
         "typescript": "^5"
+      },
+      "optionalDependencies": {
+        "@img/sharp-darwin-arm64": "0.34.5",
+        "@img/sharp-darwin-x64": "0.34.5",
+        "@img/sharp-linux-arm64": "0.34.5",
+        "@img/sharp-linux-x64": "0.34.5",
+        "@img/sharp-linuxmusl-arm64": "0.34.5",
+        "@img/sharp-linuxmusl-x64": "0.34.5"
       }
     },
     "node_modules/@ai-sdk/gateway": {

package.json

@@ -52,5 +52,13 @@
     "prisma": "^7.5.0",
     "tailwindcss": "^4",
     "typescript": "^5"
+  },
+  "optionalDependencies": {
+    "@img/sharp-linuxmusl-x64": "0.34.5",
+    "@img/sharp-linuxmusl-arm64": "0.34.5",
+    "@img/sharp-linux-x64": "0.34.5",
+    "@img/sharp-linux-arm64": "0.34.5",
+    "@img/sharp-darwin-arm64": "0.34.5",
+    "@img/sharp-darwin-x64": "0.34.5"
   }
 }