justice-bac wires devcontainer for corporate VPN and deploys mike to Fly.io

justice-bac/mike adds a `.devcontainer/` setup that trusts the Government of Canada TLS interception root, then builds out a full Fly.io deployment path including Dockerfiles, `fly.toml` configs, and an interactive deploy script. The devcontainer fix is specific to corporate VPN environments; the Fly.io scaffolding is broadly applicable.

infrastructure

The devcontainer work solves a concrete problem: the corporate VPN performs TLS interception, and its root CA isn't in the default trust store. Without it, Node, curl, and git all fail against external HTTPS endpoints. The .devcontainer/Dockerfile fetches GoC-GdC-Root-A.crt from an internal IP via a Host: header override, installs it, and sets five environment variables (NODE_EXTRA_CA_CERTS, SSL_CERT_FILE, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE, GIT_SSL_CAINFO) so the full toolchain trusts it. The comment in the Dockerfile notes the trust-root step must run before any HTTPS fetch, including the flyctl installer.

The Fly.io path (scripts/deploy-fly.sh, Dockerfiles, fly.toml files) is the larger addition. Backend and frontend each get two-stage builds on node:20-bookworm-slim; the backend runtime installs LibreOffice for document conversion. The deploy script handles multi-source secret resolution, generates missing secrets, derives Fly URLs from app names so they don't have to be manually synchronized with local env files, and uses temporary fly configs so app-name or region changes don't mutate the checked-in toml. It retries remote-builder failures automatically.

Three real build failures were caught and fixed during testing. The original Supabase client in frontend/src/lib/supabase.ts called createClient at module level, which broke the Next.js Docker build because NEXT_PUBLIC_SUPABASE_* are unavailable at build time. The fix wraps the client in a Proxy that defers initialization to first browser use. Separately, the NEXT_PUBLIC_* vars do need to be available at build time for static rendering, so the frontend Dockerfile gained ARG/ENV declarations for all four, with the deploy script writing them into [build.args] in the temp toml.

The commit history also shows some cleanup: a diagnostic Supabase script and storage validation code added during debugging were removed before the branch merged. An upstream sync from willchen96:main sits mid-stream.

So what The GoC TLS trust-root pattern is only useful if you're operating behind a corporate VPN that intercepts TLS. The Fly.io scaffolding (Dockerfiles, toml files, the lazy Supabase init fix) is worth borrowing for any Fly deployment. The deploy script is opinionated around a local `backend/.env` / `frontend/.env.local` workflow; adapt the secret-resolution logic if your CI setup differs.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

8 commits from justice-bac/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
b1ff2d73 fixes to get it to run in devcontainer Jules Kuehn 2026-05-12 ↗ GitHub
d877fdc7 fix certs and debug storage issues Jules Kuehn 2026-05-12 ↗ GitHub
31556b3b devcontainer fixes Jules Kuehn 2026-05-12 ↗ GitHub
1b4c660d Merge branch 'willchen96:main' into jus-setup Jules Kuehn 2026-05-13 ↗ GitHub
eaa58c9b remove 'extra' changes Jules Kuehn 2026-05-13 ↗ GitHub
b67826c0 remove diagnostic script Jules Kuehn 2026-05-13 ↗ GitHub
0ec5fd61 fly.io deployment modifications Jules Kuehn 2026-05-13 ↗ GitHub
aa97c8ef deploy to fly.io Jules Kuehn 2026-05-14 ↗ GitHub

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-454.md from inside the repo you want the changes in.

⬇ Download capture-thread-454.md