Docker quickstart hardened: secret leak fixed, JWTs refreshed, images pinned
manueljpconde tightened four loose ends in the Docker setup that had shipped with the initial compose stack: a server-only credential was leaking into the Next.js build context, development JWTs were due to expire in 2027, image tags were floating on `latest`, and the Linux Docker networking story was undocumented.
The most important change is SUPABASE_SECRET_KEY removal. That credential was being passed as a Docker build ARG and set as a runtime ENV in the frontend Dockerfile - meaning it was baked into the Next.js build context and potentially into the compiled bundle. It's a server-side key that the frontend has no legitimate need for. Both the Dockerfile ARG/ENV lines and the compose build.args and environment entries were removed.
The development JWTs in .env.docker.example were regenerated. The old tokens had an exp of 1799535600 (roughly January 2027); the new ones expire in 2040. Clones after the old tokens expired would have gotten silent auth failures with no obvious diagnostic.
minio/minio is now pinned to RELEASE.2025-09-07T16-13-09Z and minio/mc to RELEASE.2025-08-13T08-35-41Z. Floating on :latest in compose files for storage infrastructure is a standard way to introduce surprise breakage on docker compose pull.
On the networking side, the backend service now declares extra_hosts: - "host.docker.internal:host-gateway". On Docker Desktop this hostname works by default; on plain Linux Docker it doesn't, which meant the documented pattern for reaching a host-side LM Studio instance silently failed on Linux. The README also picked up an explanatory note.
Validation for a config-only PR was thorough: compose config rendering, a fresh build of both services, an isolated scratch-project stack brought up on alternate ports, /health check, schema and bucket presence confirmed, and a host.docker.internal resolution test from inside the backend container.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?