Docker quickstart hardened: secret leak fixed, JWTs refreshed, images pinned

manueljpconde tightened four loose ends in the Docker setup that had shipped with the initial compose stack: a server-only credential was leaking into the Next.js build context, development JWTs were due to expire in 2027, image tags were floating on `latest`, and the Linux Docker networking story was undocumented.

infrastructuresecurity

The most important change is SUPABASE_SECRET_KEY removal. That credential was being passed as a Docker build ARG and set as a runtime ENV in the frontend Dockerfile - meaning it was baked into the Next.js build context and potentially into the compiled bundle. It's a server-side key that the frontend has no legitimate need for. Both the Dockerfile ARG/ENV lines and the compose build.args and environment entries were removed.

The development JWTs in .env.docker.example were regenerated. The old tokens had an exp of 1799535600 (roughly January 2027); the new ones expire in 2040. Clones after the old tokens expired would have gotten silent auth failures with no obvious diagnostic.

minio/minio is now pinned to RELEASE.2025-09-07T16-13-09Z and minio/mc to RELEASE.2025-08-13T08-35-41Z. Floating on :latest in compose files for storage infrastructure is a standard way to introduce surprise breakage on docker compose pull.

On the networking side, the backend service now declares extra_hosts: - "host.docker.internal:host-gateway". On Docker Desktop this hostname works by default; on plain Linux Docker it doesn't, which meant the documented pattern for reaching a host-side LM Studio instance silently failed on Linux. The README also picked up an explanatory note.

Validation for a config-only PR was thorough: compose config rendering, a fresh build of both services, an isolated scratch-project stack brought up on alternate ports, /health check, schema and bucket presence confirmed, and a host.docker.internal resolution test from inside the backend container.

So what Cherry-pick the `SUPABASE_SECRET_KEY` removal if you've based anything on this fork's Docker setup. The JWT refresh and image pins are routine hygiene. The `host.docker.internal` gateway mapping matters if any of your self-hosted users run on Linux rather than Docker Desktop.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from manueljpconde/mikeEU, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
f8873309 Harden Docker quickstart config Manuel Conde 2026-05-10 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-247.md from inside the repo you want the changes in.

⬇ Download capture-thread-247.md