Hartmut
f8550110eb
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
non-test deployments. runtime-env.ts throws at startup if
E2E_TEST_MODE=true in production.
A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
is unset. Extracted shared verifyCronSecret() helper to
apps/web/src/lib/cron-auth.ts.
A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
constant-time Bearer token comparison.
A10-1 (Medium): Slack webhook routing uses strict hostname check
(parsedUrl.hostname === "hooks.slack.com") instead of .includes()
to prevent bypass via subdomain confusion.
Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).
Co-Authored-By: claude-flow <ruv@ruv.net>
101 lines
2.9 KiB
YAML
101 lines
2.9 KiB
YAML
name: capakraken
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
ports:
|
|
- "5433:5432"
|
|
environment:
|
|
POSTGRES_DB: capakraken
|
|
POSTGRES_USER: capakraken
|
|
POSTGRES_PASSWORD: capakraken_dev
|
|
command: >
|
|
postgres
|
|
-c log_connections=on
|
|
-c log_disconnections=on
|
|
-c log_statement=ddl
|
|
-c log_line_prefix='%t [%p] %u@%d '
|
|
-c log_min_duration_statement=1000
|
|
volumes:
|
|
- capakraken_pgdata:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
|
|
interval: 5s
|
|
timeout: 3s
|
|
retries: 5
|
|
|
|
redis:
|
|
image: redis:7-alpine
|
|
ports:
|
|
- "6380:6379"
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
interval: 5s
|
|
timeout: 3s
|
|
retries: 5
|
|
|
|
pgadmin:
|
|
image: dpage/pgadmin4
|
|
ports:
|
|
- "5050:80"
|
|
environment:
|
|
PGADMIN_DEFAULT_EMAIL: admin@capakraken.dev
|
|
PGADMIN_DEFAULT_PASSWORD: admin
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
|
|
app:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile.dev
|
|
ports:
|
|
- "3100:3100"
|
|
environment:
|
|
# Always use the Docker-internal service name. The host-level DATABASE_URL
|
|
# (localhost:5433) must not bleed into the container where "localhost" is
|
|
# the container itself, not the host.
|
|
DATABASE_URL: postgresql://capakraken:capakraken_dev@postgres:5432/capakraken
|
|
REDIS_URL: redis://redis:6379
|
|
NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3100}
|
|
NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
|
|
# Bypass auth + API rate limiters for E2E test runs only.
|
|
# MUST remain "false" in any production or staging deployment.
|
|
# Set E2E_TEST_MODE=true in the host environment before running E2E tests.
|
|
E2E_TEST_MODE: "${E2E_TEST_MODE:-false}"
|
|
# AI provider secrets — forwarded from host .env, not hardcoded
|
|
AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
|
|
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
|
|
GEMINI_API_KEY: ${GEMINI_API_KEY:-}
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
volumes:
|
|
- .:/app
|
|
# Anonymous volumes mask the bind-mount for generated/installed artefacts.
|
|
# Docker seeds them from the image layer on first start; they persist across restarts.
|
|
# pnpm stores all packages in the root node_modules/.pnpm virtual store — one volume covers it all.
|
|
- /app/node_modules
|
|
- /app/apps/web/.next
|
|
profiles:
|
|
- full
|
|
|
|
postgres-test:
|
|
image: postgres:16-alpine
|
|
ports:
|
|
- "${POSTGRES_TEST_PORT:-5434}:5432"
|
|
environment:
|
|
POSTGRES_DB: capakraken_test
|
|
POSTGRES_USER: capakraken
|
|
POSTGRES_PASSWORD: capakraken_test
|
|
tmpfs:
|
|
- /var/lib/postgresql/data
|
|
profiles:
|
|
- test
|
|
|
|
volumes:
|
|
capakraken_pgdata:
|
|
name: capakraken_pgdata
|