fix: use && instead of ; in Dockerfile to fail on frontend build errors

[paychex-inder]

The Dockerfile was using ; to chain commands in the RUN statement, which meant that if npm run frontend failed, the Docker build would still succeed (because the exit code would be from the last command, npm cache clean).

This caused N1 to deploy a broken image where /app/client/dist/index.html was missing because the frontend build had failed silently.

This fix changes ; to && so that build failures properly fail the Docker build.

Root cause of the frontend failure:
The vite build was failing with: "AudioPaths" is not exported by "../packages/client/dist/index.es.js"

This PR ensures such failures are caught at build time.

[github-actions]

Checkmarx One – Scan Summary & Details – 2e6165e3-e428-4f52-bc14-82b2a5e9ce46

New Issues (395)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2025-68665	Npm-@langchain/core-0.3.79	details Recommended version: 0.3.80 Description: LangChain is a framework for building LLM-powered applications. In @langchain/core versions prior to 0.3.80 and 1.x prior to 1.1.8, and langchain v... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		Stored_XSS	/api/server/index.js: 64	details The method Lambda embeds untrusted data in generated output with send, at line 163 of /api/server/index.js. This untrusted data is embedded into ... Attack Vector
3		Stored_XSS	/api/server/experimental.js: 228	details The method Lambda embeds untrusted data in generated output with send, at line 328 of /api/server/experimental.js. This untrusted data is embedde... Attack Vector
4		Absolute_Path_Traversal	/api/server/services/Files/Audio/STTService.js: 332	details Method processSpeechToText at line 332 of /api/server/services/Files/Audio/STTService.js gets dynamic data from the path element. This element’s ... Attack Vector
5		Absolute_Path_Traversal	/api/server/routes/files/images.js: 56	details Method Lambda at line 56 of /api/server/routes/files/images.js gets dynamic data from the path element. This element’s value then flows through t... Attack Vector
6		Absolute_Path_Traversal	/api/server/routes/files/files.js: 401	details Method Lambda at line 401 of /api/server/routes/files/files.js gets dynamic data from the path element. This element’s value then flows through t... Attack Vector
7		Absolute_Path_Traversal	/api/server/routes/files/files.js: 410	details Method Lambda at line 410 of /api/server/routes/files/files.js gets dynamic data from the path element. This element’s value then flows through t... Attack Vector
8		Absolute_Path_Traversal	/api/server/routes/files/avatar.js: 17	details Method Lambda at line 17 of /api/server/routes/files/avatar.js gets dynamic data from the path element. This element’s value then flows through t... Attack Vector
9		Absolute_Path_Traversal	/api/server/controllers/assistants/v1.js: 310	details Method Cx0d758712 at line 310 of /api/server/controllers/assistants/v1.js gets dynamic data from the path element. This element’s value then flow... Attack Vector
10		Absolute_Path_Traversal	/api/server/controllers/agents/v1.js: 608	details Method Cxbbcc721e at line 608 of /api/server/controllers/agents/v1.js gets dynamic data from the path element. This element’s value then flows th... Attack Vector
11		Absolute_Path_Traversal	/api/server/services/Files/Audio/STTService.js: 349	details Method processSpeechToText at line 349 of /api/server/services/Files/Audio/STTService.js gets dynamic data from the path element. This element’s ... Attack Vector
12		Absolute_Path_Traversal	/api/server/controllers/agents/v1.js: 660	details Method Cxbbcc721e at line 660 of /api/server/controllers/agents/v1.js gets dynamic data from the path element. This element’s value then flows th... Attack Vector
13		Absolute_Path_Traversal	/api/server/routes/files/avatar.js: 41	details Method Lambda at line 41 of /api/server/routes/files/avatar.js gets dynamic data from the path element. This element’s value then flows through t... Attack Vector
14		Absolute_Path_Traversal	/api/server/controllers/assistants/v1.js: 368	details Method Cx0d758712 at line 368 of /api/server/controllers/assistants/v1.js gets dynamic data from the path element. This element’s value then flow... Attack Vector
15		Absolute_Path_Traversal	/api/server/services/Files/Audio/STTService.js: 376	details Method speechToText at line 376 of /api/server/services/Files/Audio/STTService.js gets dynamic data from the req element. This element’s value th... Attack Vector
16		Absolute_Path_Traversal	/api/server/services/Files/Audio/STTService.js: 376	details Method speechToText at line 376 of /api/server/services/Files/Audio/STTService.js gets dynamic data from the req element. This element’s value th... Attack Vector
17		CVE-2025-66414	Npm-@modelcontextprotocol/sdk-1.21.0	details Recommended version: 1.26.0 Description: MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, The Model Context Protocol (MCP)... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18		CVE-2026-0621	Npm-@modelcontextprotocol/sdk-1.21.0	details Recommended version: 1.26.0 Description: Anthropic's MCP TypeScript SDK versions through 1.25.1 contain a Regular Expression Denial-of-Service (ReDoS) vulnerability in the "UriTemplate" cl... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2026-22036	Npm-undici-7.16.0	details Recommended version: 7.18.2 Description: Undici is an HTTP/1.1 client for Node.js. In Undici versions prior to 6.23.0 and 7.x prior to 7.18.2, the number of links in the decompression chai... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2026-25128	Npm-fast-xml-parser-4.4.1	details Recommended version: 5.3.4 Description: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2026-25128	Npm-fast-xml-parser-5.0.9	details Recommended version: 5.3.4 Description: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22		CVE-2026-25128	Npm-fast-xml-parser-5.2.5	details Recommended version: 5.3.4 Description: fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23		CVE-2026-25536	Npm-@modelcontextprotocol/sdk-1.21.0	details Recommended version: 1.26.0 Description: MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 through 1.25.3, cross-client ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
24		CVE-2026-25639	Npm-axios-1.12.1	details Recommended version: 1.13.5 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
25		Cxdca8e59f-8bfe	Npm-inflight-1.0.6	details Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
26		JWT_No_Signature_Verification	/api/strategies/appleStrategy.test.js: 84	details The JWT is not properly verified at the decode in 84 at the file /api/strategies/appleStrategy.test.js. Attack Vector
27		JWT_No_Signature_Verification	/api/strategies/appleStrategy.js: 19	details The JWT is not properly verified at the decode in 19 at the file /api/strategies/appleStrategy.js. Attack Vector
28		Prototype_Pollution	/api/server/routes/mcp.js: 420	details An unsafe object assignment occurred in /api/server/routes/mcp.js at line 433. Assigning external properties without validation may allow object ... Attack Vector
29		Prototype_Pollution	/api/server/services/Runs/StreamRunManager.js: 602	details An unsafe object assignment occurred in /api/server/services/Runs/StreamRunManager.js at line 343. Assigning external properties without validati... Attack Vector
30		Prototype_Pollution	/api/server/services/Runs/StreamRunManager.js: 407	details An unsafe object assignment occurred in /api/server/services/Runs/StreamRunManager.js at line 343. Assigning external properties without validati... Attack Vector
31		Reflected_XSS	/api/server/routes/prompts.js: 244	details The method Cxfa01cb0c embeds untrusted data in generated output with send, at line 280 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
32		Reflected_XSS	/api/server/routes/config.js: 87	details The method Lambda embeds untrusted data in generated output with send, at line 194 of /api/server/routes/config.js. This untrusted data is embedd... Attack Vector
33		Reflected_XSS	/api/server/routes/prompts.js: 456	details The method Cxaf637b56 embeds untrusted data in generated output with send, at line 460 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
34		Reflected_XSS	/api/server/controllers/AuthController.js: 63	details The method Cx6776623a embeds untrusted data in generated output with send, at line 137 of /api/server/controllers/AuthController.js. This untrust... Attack Vector
35		Reflected_XSS	/api/server/controllers/UserController.js: 115	details The method Cx94e49a40 embeds untrusted data in generated output with send, at line 123 of /api/server/controllers/UserController.js. This untrust... Attack Vector
36		Reflected_XSS	/api/server/controllers/AuthController.js: 63	details The method Cx6776623a embeds untrusted data in generated output with send, at line 111 of /api/server/controllers/AuthController.js. This untrust... Attack Vector
37		Reflected_XSS	/api/server/routes/keys.js: 30	details The method Lambda embeds untrusted data in generated output with send, at line 32 of /api/server/routes/keys.js. This untrusted data is embedded ... Attack Vector
38		Reflected_XSS	/api/server/routes/prompts.js: 295	details The method Cx011dc025 embeds untrusted data in generated output with send, at line 312 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
39		Reflected_XSS	/api/server/routes/keys.js: 31	details The method Lambda embeds untrusted data in generated output with send, at line 32 of /api/server/routes/keys.js. This untrusted data is embedded ... Attack Vector
40		Reflected_XSS	/api/server/routes/prompts.js: 296	details The method Cx011dc025 embeds untrusted data in generated output with send, at line 312 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
41		Reflected_XSS	/api/server/routes/prompts.js: 160	details The method Lambda embeds untrusted data in generated output with send, at line 215 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
42		Reflected_XSS	/api/server/routes/prompts.js: 455	details The method Cxaf637b56 embeds untrusted data in generated output with send, at line 460 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
43		Reflected_XSS	/api/server/routes/prompts.js: 160	details The method Lambda embeds untrusted data in generated output with send, at line 229 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
44		Reflected_XSS	/api/server/routes/roles.js: 59	details The method Lambda embeds untrusted data in generated output with send, at line 86 of /api/server/routes/roles.js. This untrusted data is embedded... Attack Vector
45		Reflected_XSS	/api/server/controllers/auth/LogoutController.js: 8	details The method Cxf2fd7c1a embeds untrusted data in generated output with send, at line 38 of /api/server/controllers/auth/LogoutController.js. This u... Attack Vector
46		Reflected_XSS	/api/server/routes/prompts.js: 81	details The method Lambda embeds untrusted data in generated output with send, at line 90 of /api/server/routes/prompts.js. This untrusted data is embedd... Attack Vector
47		Reflected_XSS	/api/server/routes/prompts.js: 475	details The method Cxb85e2db2 embeds untrusted data in generated output with send, at line 478 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
48		Reflected_XSS	/api/server/routes/prompts.js: 409	details The method Lambda embeds untrusted data in generated output with send, at line 428 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
49		Reflected_XSS	/api/server/routes/prompts.js: 400	details The method Lambda embeds untrusted data in generated output with send, at line 402 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
50		Reflected_XSS	/api/server/routes/share.js: 58	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
51		Reflected_XSS	/api/server/routes/prompts.js: 408	details The method Lambda embeds untrusted data in generated output with send, at line 437 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
52		Reflected_XSS	/api/server/routes/prompts.js: 383	details The method Lambda embeds untrusted data in generated output with send, at line 385 of /api/server/routes/prompts.js. This untrusted data is embed... Attack Vector
53		Reflected_XSS	/api/server/controllers/AuthController.js: 63	details The method Cx6776623a embeds untrusted data in generated output with send, at line 94 of /api/server/controllers/AuthController.js. This untruste... Attack Vector
54		Reflected_XSS	/api/server/routes/prompts.js: 342	details The method Cx0e3424e3 embeds untrusted data in generated output with send, at line 358 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
55		Reflected_XSS	/api/server/routes/prompts.js: 349	details The method Cx0e3424e3 embeds untrusted data in generated output with send, at line 358 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
56		Reflected_XSS	/api/server/controllers/AuthController.js: 20	details The method Cxc178e465 embeds untrusted data in generated output with send, at line 22 of /api/server/controllers/AuthController.js. This untruste... Attack Vector
57		Reflected_XSS	/api/server/routes/prompts.js: 349	details The method Cx0e3424e3 embeds untrusted data in generated output with send, at line 351 of /api/server/routes/prompts.js. This untrusted data is e... Attack Vector
58		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 1365	details The method Lambda embeds untrusted data in generated output with location, at line 1368 of /api/server/routes/__tests__/mcp.spec.js. This un... Attack Vector
59		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 1413	details The method Lambda embeds untrusted data in generated output with location, at line 1415 of /api/server/routes/__tests__/mcp.spec.js. This un... Attack Vector
60		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 594	details The method Lambda embeds untrusted data in generated output with location, at line 600 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
61		Reflected_XSS	/api/server/routes/share.js: 53	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
62		Reflected_XSS	/api/server/routes/share.js: 56	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
63		Reflected_XSS	/api/server/routes/share.js: 54	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
64		Reflected_XSS	/api/server/routes/share.js: 51	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
65		Reflected_XSS	/api/server/routes/share.js: 62	details The method Lambda embeds untrusted data in generated output with send, at line 71 of /api/server/routes/share.js. This untrusted data is embedded... Attack Vector
66		Reflected_XSS	/api/server/routes/files/files.js: 41	details The method Lambda embeds untrusted data in generated output with send, at line 54 of /api/server/routes/files/files.js. This untrusted data is em... Attack Vector
67		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 261	details The method Lambda embeds untrusted data in generated output with location, at line 266 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
68		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 553	details The method Lambda embeds untrusted data in generated output with location, at line 559 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
69		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 495	details The method Lambda embeds untrusted data in generated output with location, at line 501 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
70		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 454	details The method Lambda embeds untrusted data in generated output with location, at line 460 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
71		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 409	details The method Lambda embeds untrusted data in generated output with location, at line 415 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
72		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 374	details The method Lambda embeds untrusted data in generated output with location, at line 380 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
73		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 338	details The method Lambda embeds untrusted data in generated output with location, at line 344 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
74		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 281	details The method Lambda embeds untrusted data in generated output with location, at line 287 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
75		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 270	details The method Lambda embeds untrusted data in generated output with location, at line 275 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
76		Reflected_XSS	/api/server/routes/banner.js: 9	details The method Lambda embeds untrusted data in generated output with send, at line 9 of /api/server/routes/banner.js. This untrusted data is embedded... Attack Vector
77		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 144	details The method Lambda embeds untrusted data in generated output with location, at line 150 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
78		Reflected_XSS	/api/server/routes/__tests__/mcp.spec.js: 251	details The method Lambda embeds untrusted data in generated output with location, at line 257 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector

More results are available on the CxOne platform

[paychex-joser]

If this PR is still required, can you please update the target to be the develop branch instead of main?