feat: Add uv Docker, Postgres, and company linking

Introduces uv-based Docker workflow with non-root runtime, cached installs, and uv-run for web and Celery. Updates docker-compose to Postgres + Redis, loads .env, and removes source bind mount for reproducible builds.

Switches settings to use Postgres when env is present with SQLite fallback; broadens allowed hosts for containerized development. Adds psycopg2-binary and updates sample env for Redis in Docker.

Adds company scoping to external data models and links sessions during ingestion; provides management commands to seed a Jumbo company/users and sync external chat data into the dashboard.

Includes .dockerignore, TypeScript config and typings, and minor template/docs tweaks.

Requires database migration.

Dockerfile

@@ -1,43 +1,58 @@
 # Dockerfile
 
-FROM python:3.13-slim
+# Use a Python image with uv pre-installed
+FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+
+# Setup a non-root user
+RUN groupadd --system --gid 999 nonroot \
+  && useradd --system --gid 999 --uid 999 --create-home nonroot
 
 # Set environment variables
-
-ENV PYTHONDONTWRITEBYTECODE 1
-ENV PYTHONUNBUFFERED 1
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
 ENV DJANGO_SETTINGS_MODULE=dashboard_project.settings
 
-# Set work directory
-
+# Change the working directory to the `app` directory
 WORKDIR /app
 
-# Install UV for Python package management
+# Enable bytecode compilation
+ENV UV_COMPILE_BYTECODE=1
 
-RUN pip install uv
+# Copy from the cache instead of linking since it's a mounted volume
+ENV UV_LINK_MODE=copy
 
-# Copy project files
+# Install dependencies (separate layer for caching)
+RUN --mount=type=cache,target=/root/.cache/uv \
+  --mount=type=bind,source=uv.lock,target=uv.lock \
+  --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+  uv sync --frozen --no-install-project --no-dev
 
-COPY pyproject.toml .
-COPY uv.lock .
-COPY . .
+# Copy the project into the image
+COPY . /app
 
-# Install dependencies
+# Sync the project (install the project itself)
+RUN --mount=type=cache,target=/root/.cache/uv \
+  uv sync --frozen --no-dev
 
-RUN uv pip install -e .
+# Place executables in the environment at the front of the path
+ENV PATH="/app/.venv/bin:$PATH"
 
 # Change to the Django project directory
-
 WORKDIR /app/dashboard_project
 
-# Collect static files
+# Collect static files (runs as root)
+RUN uv run manage.py collectstatic --noinput
 
-RUN python manage.py collectstatic --noinput
+# Fix ownership of dashboard_project directory for nonroot user
+# This ensures db.sqlite3 and any files created during runtime are writable
+RUN chown -R nonroot:nonroot /app/dashboard_project && \
+  chmod 775 /app/dashboard_project
 
 # Change back to the app directory
-
 WORKDIR /app
 
-# Run gunicorn
+# Use the non-root user to run our application
+USER nonroot
 
-CMD ["gunicorn", "dashboard_project.wsgi:application", "--bind", "0.0.0.0:8000"]
+# Run gunicorn via uv run to ensure it's in the environment
+CMD ["uv", "run", "gunicorn", "dashboard_project.wsgi:application", "--bind", "0.0.0.0:8000", "--chdir", "dashboard_project"]