manueljpconde tightens the self-host on-ramp

A quiet but useful pass over mikeEU's Docker quickstart closes a credential leak and several footguns waiting for the next person who clones the repo.

infrastructure, security

The headline fix: a powerful database credential that had been visible to the frontend's build and runtime environment is now scoped to just the backend that actually needs it. That's the kind of boundary slip that costs nothing to fix today and a lot to fix after a leak.

The rest of the pass is housekeeping with teeth. Demo login tokens that would have quietly stopped working in 2027 were reissued to last until 2040, so fresh clones of the repo won't mysteriously break a year from now. Local self-hosters on Linux can now reach AI models running on their own machine the same way Docker Desktop users already could. And the storage layer is pinned to specific versions instead of whatever happens to be newest that morning.

So what: Anyone evaluating mikeEU as a self-hosted starting point gets a meaningfully safer and more predictable first hour.
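
An added example, not code from the mikeEU repository or the fork: a small Python audit for three of the problems described above (a database credential reaching a service other than the backend through `environment` or build `args`, demo tokens close to expiry, and unpinned images). It assumes the quickstart is a Compose file, here already parsed into a dict, and that the demo tokens are JWTs; all service, variable and image names and the `demo_jwt` helper are hypothetical.

```python
import base64, json, re, time

def demo_jwt(exp):
    """Build an unsigned, constructed JWT-shaped string carrying the given exp."""
    body = base64.urlsafe_b64encode(json.dumps({"role": "demo", "exp": exp}).encode())
    return "eyJhbGciOiJIUzI1NiJ9." + body.decode().rstrip("=") + ".constructed"

# Constructed sample: a Compose file already parsed into a dict. Service, variable
# and image names are hypothetical, not taken from the mikeEU repository.
COMPOSE = {"services": {
    "frontend": {"image": "example/frontend:1.4.2",
                 "build": {"args": ["DB_ADMIN_KEY=${DB_ADMIN_KEY}"]},
                 "environment": {"DB_ADMIN_KEY": "${DB_ADMIN_KEY}",
                                 "DEMO_TOKEN": demo_jwt(1800000000)}},  # exp 2027-01-15
    "backend": {"image": "example/backend:1.4.2", "environment": {"DB_ADMIN_KEY": "${DB_ADMIN_KEY}"}},
    "storage": {"image": "example/storage"},  # no tag, so it floats with "latest"
}}
SECRET_NAME = re.compile(r"SECRET|PASSWORD|ADMIN_KEY|SERVICE_ROLE|PRIVATE", re.I)

def as_dict(env):
    """Compose accepts a mapping or a list of KEY=VALUE strings."""
    return env if isinstance(env, dict) else dict(i.partition("=")[::2] for i in env or [])

def jwt_exp(value):
    """Return exp from a JWT-shaped string without verifying it, else None."""
    if not (isinstance(value, str) and value.startswith("eyJ") and value.count(".") == 2):
        return None
    payload = value.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))).get("exp")

def audit(compose, secret_owners=("backend",), now=None, min_days=365):
    now = time.time() if now is None else now
    findings = []
    for name, svc in compose["services"].items():
        build = svc.get("build")
        args = as_dict(build.get("args")) if isinstance(build, dict) else {}
        env = as_dict(svc.get("environment"))
        for key in sorted(set(args) | set(env)):  # build args and runtime env both count
            if SECRET_NAME.search(key) and name not in secret_owners:
                findings.append((name, "secret-exposed", key))
        for key, value in env.items():
            exp = jwt_exp(value)
            if exp is not None and exp - now < min_days * 86400:
                findings.append((name, "token-expiring", key))
        image = svc.get("image", "")
        tag = image.rsplit("/", 1)[-1].partition(":")[2]
        if image and "@sha256:" not in image and tag in ("", "latest"):
            findings.append((name, "image-unpinned", image))
    return findings
```

Calling `audit(COMPOSE)` returns a list of `(service, finding, detail)` tuples; an empty list means none of the three checks fired.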

Commits in this thread

1 commit from manueljpconde/mikeEU, oldest first. Source extracted verbatim from the harvested git log.

SHA | Subject | Author | Date
f8873309 | Harden Docker quickstart config | Manuel Conde | 2026-05-10