Harden runtime configuration and container security defaults

entrypoint.sh

@@ -8,6 +8,11 @@ done
 
 echo "PostgreSQL is available."
 
+if [ "${DJANGO_SETTINGS_MODULE:-}" = "config.settings.production" ] && [ "$1" = "gunicorn" ]; then
+  echo "Running Django deployment checks..."
+  python manage.py check --deploy --fail-level WARNING
+fi
+
 if [ "${AUTO_APPLY_MIGRATIONS:-0}" = "1" ] && [ "$1" = "gunicorn" ]; then
   echo "Applying database migrations..."
   python manage.py migrate --noinput
@@ -15,11 +20,12 @@ fi
 
 if [ "${AUTO_COLLECTSTATIC:-0}" = "1" ] && [ "$1" = "gunicorn" ]; then
   if [ "${AUTO_BUILD_TAILWIND:-1}" = "1" ] && [ -f /app/package.json ]; then
-    echo "Building Tailwind assets..."
-    if [ ! -d /app/node_modules ]; then
-      npm install --no-audit --no-fund
+    if [ -x /app/node_modules/.bin/tailwindcss ]; then
+      echo "Building Tailwind assets..."
+      npm run build
+    else
+      echo "Tailwind dependencies missing; skipping AUTO_BUILD_TAILWIND."
     fi
-    npm run build
   fi
 
   echo "Collecting static files..."