Summary
Drafted for visibility per the pacing note on #590 — happy to leave this in draft until you have time.
The Docker final stage copies /app/publish from the build stage but doesn't normalize permissions on /app/wwwroot/*. Depending on the build host's umask and the source files' modes, the non-root runtime user (listenarr) can hit EACCES reading individual static assets — this typically manifests as 403/404 on a subset of bundled FE files (e.g., a single chunk fails to load and the SPA boots into a blank screen).
Fix: add a single Dockerfile step right after COPY --from=build /app/publish . that walks /app/wwwroot and sets directories to 755 and files to 644. Matches the conventional mode for served static content and is a no-op on most build hosts.
# Normalize frontend asset permissions so the non-root runtime user can read static files.
RUN find /app/wwwroot -type d -exec chmod 755 {} \; \
    && find /app/wwwroot -type f -exec chmod 644 {} \;

Test plan
- Image builds clean on linux/amd64
- Verified on a downstream deploy: a previously-403'd assets/*.js chunk now serves correctly under the listenarr user without root override.
🤖 Generated with Claude Code
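A check that could gate the image build on the modes described above, written here as an added example and not part of this PR or the project's code. It assumes the assets are owned by root (the default for COPY without --chown), so the runtime user is matched by the "other" permission bits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a static-asset tree for modes that either block a
# non-owner reader or leave served content writable by non-owners.
# Assumption: files are root-owned, so the runtime user falls under "other".
# Usage inside an image build (hypothetical): audit_static_perms /app/wwwroot

# Directories need o+rx to be traversed and listed; files need o+r to be read.
list_unreadable() {
    find "$1" -type d ! -perm -005 -print
    find "$1" -type f ! -perm -004 -print
}

# Served content should not be writable by group or other (stricter than 755/644
# would allow means the normalization step was skipped or overridden).
list_loose() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# Print every offending path once, sorted; return 1 if any were found.
audit_static_perms() {
    bad=$( { list_unreadable "$1"; list_loose "$1"; } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

The check reads mode bits only, so it gives the same answer when run as root during the build as it would for the runtime user.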