[codex] Harden Docker quickstart config
From the PR description
Summary
Hardens the Docker quickstart after reviewing the merged Docker setup:
- keeps the Supabase service-role key out of the frontend Docker build and runtime environment
- adds `host.docker.internal:host-gateway` to the backend service so host local-model endpoints work on Linux Docker as well as Docker Desktop
- replaces the expiring local Supabase demo JWTs with matching development tokens expiring in 2040
- pins MinIO and MinIO client images instead of using `latest`
- documents the Linux host-gateway behavior in the README
Why
The Docker stack should stay simple for local self-hosting, but the previous config widened the frontend secret boundary, depended on Docker Desktop behavior for host model runtimes, had demo JWTs expiring in 2027, and used non-reproducible MinIO tags.
Validation
- `docker compose --env-file .env.docker.example config`
- verified the frontend service config no longer contains `SUPABASE_SECRET_KEY`
- verified the new anon/service-role JWT signatures against the example `JWT_SECRET`
- `docker compose --env-file .env.docker.example build backend frontend`
- isolated alternate-port stack startup with `COMPOSE_PROJECT_NAME=mikept-docker-review`
- backend `/health` returned OK
- frontend responded on the alternate port
- schema columns/constraints existed
- MinIO bucket existed
- backend container resolved `host.docker.internal`
- temporary review stack torn down with volumes
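The signature check listed under Validation can be reproduced with the standard library alone. The following is an added example, not code from the PR or the project: it verifies an HS256 token against a shared secret and checks the `role` and `exp` claims. The secret, the tokens and all function names are constructed for illustration, and it assumes HS256 tokens carrying `anon` / `service_role` role claims, as Supabase's local development keys do.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

SECRET = "constructed-demo-secret-not-from-the-repo"  # constructed value
EXP_2040 = int(datetime(2040, 1, 1, tzinfo=timezone.utc).timestamp())

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_demo_token(claims, secret):
    """Build a constructed HS256 token so the check below has input."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = head + "." + body
    return signing_input + "." + b64url_encode(hs256(signing_input, secret))

def check_dev_token(token, secret, role, min_exp):
    """Return a list of problems; an empty list means the token passes."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, bad JSON
        return ["malformed token"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed token"]
    problems = []
    if header.get("alg") != "HS256":  # do not let the token pick the algorithm
        problems.append("unexpected alg")
    if not hmac.compare_digest(sig, hs256(head_b64 + "." + body_b64, secret)):
        problems.append("signature does not match secret")
    if claims.get("role") != role:
        problems.append("role claim mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp < min_exp:
        problems.append("exp missing or earlier than required")
    return problems

if __name__ == "__main__":
    for role in ("anon", "service_role"):
        token = sign_demo_token({"role": role, "exp": EXP_2040}, SECRET)
        print(role, check_dev_token(token, SECRET, role, EXP_2040) or "ok")
```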
Commits in this PR (1)
| SHA | Subject | Author | Date | |
|---|---|---|---|---|
| f8873309 | Harden Docker quickstart config | Manuel Conde | 2026-05-10 | ↗ GitHub |