docs: mark SEC_REVIEW F19 as fixed in 96eaa10

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -644,6 +644,63 @@
   it into the published image. Test fixtures and `bin/console` are
   also available to any future LFI / arbitrary-file-read primitive.
 - **Severity: 2**
+- **Status:** Fixed in `96eaa10`. `api/.dockerignore` and
+  `ui/.dockerignore` now apply to both build contexts and explicitly
+  exclude:
+
+  - `.env` / `.env.*` — the central F19 concern. Compose loads `.env`
+    from the repo root (outside both build contexts), so nothing here
+    is needed at runtime; blocking the pattern outright keeps any
+    future stray secret file from shipping in the image.
+  - `tests/` — fixtures and integration scaffolding that doubles as
+    LFI surface area.
+  - Dev-tooling caches and configs: `.phpunit.cache/`,
+    `.phpunit.result.cache`, `.phpstan.cache/`, `.php-cs-fixer.cache`,
+    `.php-cs-fixer.dist.php`, `phpstan.neon`, `phpunit.xml`.
+  - VCS / editor noise: `.git`, `.gitignore`, `.gitattributes`,
+    `.idea/`, `.vscode/`, `*.swp`, `*~`, `.DS_Store`.
+  - `CHANGELOG.md`, `Dockerfile`, `.dockerignore`, `.claude/`.
+  - `vendor/` (both subprojects) and `node_modules/` (ui) — the
+    multi-stage builds install clean copies in the `deps`/`assets`
+    stages and pull them in via `COPY --from=...`. Excluding the
+    host copies also fixes a subtle bug: in
+    `api/Dockerfile:30-31` and `ui/Dockerfile:36-37`, the
+    `COPY --from=deps /app/vendor ./vendor` line is followed
+    immediately by `COPY . ./`, which would have clobbered the
+    deps-stage vendor with whatever the host had (typically a
+    `composer install`-with-dev tree).
+
+  Things that ARE needed at runtime stay in the context: `src/`,
+  `public/`, `config/`, `docker/`, `composer.json`, `composer.lock`;
+  api also keeps `db/migrations/`, `db/seeds/`, `bin/console`, and
+  `openapi.php`; ui also keeps `resources/` (Twig views are loaded
+  at runtime, and `resources/css|js/` are consumed by the assets
+  stage). The ui `package.json`, `package-lock.json`,
+  `tailwind.config.js`, and `postcss.config.js` are kept because the
+  assets stage references them by name — `.dockerignore` applies to
+  every stage that shares the same context, so excluding them would
+  break `npx tailwindcss` / `npx esbuild`. They are tiny and
+  non-sensitive.
+
+  `bin/console` (api) is intentionally retained — `entrypoint.sh`
+  invokes `php bin/console auth:bootstrap-service-token` on every
+  api start, and `phinx migrate` plus the seeders run from the
+  `migrate` mode. Removing them would break startup; the LFI-surface
+  concern is mitigated by F18 (image runs as uid 1000, source tree
+  is root-owned and read-only to the runtime user) and tracked
+  further by F20.
+
+  Verification: rebuilt both images; confirmed the excluded paths
+  (tests, dev caches, `.dockerignore`, `Dockerfile`, `.git`, ui
+  `node_modules`) are absent from `/app/` in the final images and
+  the runtime-required paths (`src`, `public`, `config`,
+  `db/migrations`, `db/seeds`, `bin/console`, `vendor`, `docker`,
+  `openapi.php`, ui `resources/views`, ui
+  `public/assets/{app.css,app.js,logo.svg}`) are present. api
+  phpunit is 429/430 — the lone failure is the timing-sensitive
+  `BlocklistPerfTest::test50kEntriesUnder500Ms` perf-budget
+  assertion (628 ms vs 500 ms budget), unrelated to this change. ui
+  phpunit is 134/134.
 
 ### F20 — Application source is writable by the process serving requests
 - **Files:** `api/Dockerfile:36-38`, `ui/Dockerfile:42`