justice-bac wires devcontainer for corporate VPN and deploys mike to Fly.io
justice-bac/mike adds a `.devcontainer/` setup that trusts the Government of Canada TLS interception root, then builds out a full Fly.io deployment path including Dockerfiles, `fly.toml` configs, and an interactive deploy script. The devcontainer fix is specific to corporate VPN environments; the Fly.io scaffolding is broadly applicable.
The devcontainer work solves a concrete problem: the corporate VPN performs TLS interception, and its root CA isn't in the default trust store. Without it, Node, curl, and git all fail against external HTTPS endpoints. The .devcontainer/Dockerfile fetches GoC-GdC-Root-A.crt from an internal IP via a Host: header override, installs it, and sets five environment variables (NODE_EXTRA_CA_CERTS, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, GIT_SSL_CAINFO) so the full toolchain trusts it. The comment in the Dockerfile notes the trust-root step must run before any HTTPS fetch, including the flyctl installer.
The Fly.io path (scripts/deploy-fly.sh, Dockerfiles, fly.toml files) is the larger addition. Backend and frontend each get two-stage builds on node:20-bookworm-slim; the backend runtime installs LibreOffice for document conversion. The deploy script handles multi-source secret resolution, generates missing secrets, derives Fly URLs from app names so they don't have to be manually synchronized with local env files, and uses temporary fly configs so app-name or region changes don't mutate the checked-in toml. It retries remote-builder failures automatically.
Three real build failures were caught and fixed during testing. The original Supabase client in frontend/src/lib/supabase.ts called createClient at module level, which broke the Next.js Docker build because NEXT_PUBLIC_SUPABASE_* are unavailable at build time. The fix wraps the client in a Proxy that defers initialization to first browser use. Separately, the NEXT_PUBLIC_* vars do need to be available at build time for static rendering, so the frontend Dockerfile gained ARG/ENV declarations for all four, with the deploy script writing them into [build.args] in the temp toml.
The commit history also shows some cleanup: a diagnostic Supabase script and storage validation code added during debugging were removed before the branch merged. An upstream sync from willchen96:main sits mid-stream.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?