security hardening + drafts/attachments

docker-compose.yml

@@ -0,0 +1,48 @@
+services:
+  db:
+    image: postgres:16
+    environment:
+      POSTGRES_DB: mastermind
+      POSTGRES_USER: mastermind
+      POSTGRES_PASSWORD: ${DB_PASSWORD:-mastermind}
+    volumes:
+      - ./data/postgres:/var/lib/postgresql/data
+    ports:
+      - "5433:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U mastermind -d mastermind"]
+      interval: 5s
+      timeout: 5s
+      retries: 20
+
+  web:
+    build: ./web
+    environment:
+      NODE_ENV: development
+      PORT: 3005
+      DATABASE_URL: postgres://mastermind:${DB_PASSWORD:-mastermind}@db:5432/mastermind
+      SESSION_SECRET: ${SESSION_SECRET:-change-me}
+      BASE_URL: ${BASE_URL:-http://localhost:3005}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+      MICROSOFT_CLIENT_ID: ${MICROSOFT_CLIENT_ID:-}
+      MICROSOFT_CLIENT_SECRET: ${MICROSOFT_CLIENT_SECRET:-}
+    depends_on:
+      db:
+        condition: service_healthy
+    ports:
+      - "3005:3005"
+    volumes:
+      - ./data:/app/data
+
+  worker:
+    build: ./worker
+    environment:
+      NODE_ENV: development
+      DATABASE_URL: postgres://mastermind:${DB_PASSWORD:-mastermind}@db:5432/mastermind
+    depends_on:
+      db:
+        condition: service_healthy
+    # (MVP) no bind-mount to avoid masking node_modules inside container
+
+volumes: {}