Harden auth, redaction, upload size checks, and compose token requirements

docker-compose.yml

@@ -6,7 +6,7 @@ services:
       POSTGRES_PASSWORD: dcm
       POSTGRES_DB: dcm
     ports:
-      - "5432:5432"
+      - "${HOST_BIND_IP:-127.0.0.1}:5432:5432"
     volumes:
       - db-data:/var/lib/postgresql/data
     healthcheck:
@@ -18,7 +18,7 @@ services:
   redis:
     image: redis:7-alpine
     ports:
-      - "6379:6379"
+      - "${HOST_BIND_IP:-127.0.0.1}:6379:6379"
     volumes:
       - redis-data:/data
 
@@ -29,7 +29,7 @@ services:
       - "--api-key=dcm-typesense-key"
       - "--enable-cors"
     ports:
-      - "8108:8108"
+      - "${HOST_BIND_IP:-127.0.0.1}:8108:8108"
     volumes:
       - typesense-data:/data
 
@@ -41,16 +41,25 @@ services:
       DATABASE_URL: postgresql+psycopg://dcm:dcm@db:5432/dcm
       REDIS_URL: redis://redis:6379/0
       STORAGE_ROOT: /data/storage
+      ADMIN_API_TOKEN: ${ADMIN_API_TOKEN:?ADMIN_API_TOKEN must be set}
+      USER_API_TOKEN: ${USER_API_TOKEN:?USER_API_TOKEN must be set}
+      PROVIDER_BASE_URL_ALLOWLIST: '${PROVIDER_BASE_URL_ALLOWLIST:-["api.openai.com"]}'
+      PROVIDER_BASE_URL_ALLOW_HTTP: ${PROVIDER_BASE_URL_ALLOW_HTTP:-false}
+      PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK: ${PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK:-false}
       OCR_LANGUAGES: eng,deu
-      PUBLIC_BASE_URL: http://192.168.2.5:8000
-      CORS_ORIGINS: '["http://localhost:5173","http://localhost:3000","http://192.168.2.5:5173"]'
+      PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-http://localhost:8000}
+      CORS_ORIGINS: '${CORS_ORIGINS:-["http://localhost:5173","http://localhost:3000"]}'
       TYPESENSE_PROTOCOL: http
       TYPESENSE_HOST: typesense
       TYPESENSE_PORT: 8108
       TYPESENSE_API_KEY: dcm-typesense-key
       TYPESENSE_COLLECTION_NAME: documents
     ports:
-      - "8000:8000"
+      - "${HOST_BIND_IP:-127.0.0.1}:8000:8000"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     volumes:
       - ./backend/app:/app/app
       - dcm-storage:/data
@@ -71,6 +80,11 @@ services:
       DATABASE_URL: postgresql+psycopg://dcm:dcm@db:5432/dcm
       REDIS_URL: redis://redis:6379/0
       STORAGE_ROOT: /data/storage
+      ADMIN_API_TOKEN: ${ADMIN_API_TOKEN:?ADMIN_API_TOKEN must be set}
+      USER_API_TOKEN: ${USER_API_TOKEN:?USER_API_TOKEN must be set}
+      PROVIDER_BASE_URL_ALLOWLIST: '${PROVIDER_BASE_URL_ALLOWLIST:-["api.openai.com"]}'
+      PROVIDER_BASE_URL_ALLOW_HTTP: ${PROVIDER_BASE_URL_ALLOW_HTTP:-false}
+      PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK: ${PROVIDER_BASE_URL_ALLOW_PRIVATE_NETWORK:-false}
       OCR_LANGUAGES: eng,deu
       PUBLIC_BASE_URL: http://localhost:8000
       TYPESENSE_PROTOCOL: http
@@ -81,6 +95,10 @@ services:
     volumes:
       - ./backend/app:/app/app
       - dcm-storage:/data
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
     depends_on:
       db:
         condition: service_healthy
@@ -93,9 +111,9 @@ services:
     build:
       context: ./frontend
     environment:
-      VITE_API_BASE: http://192.168.2.5:8000/api/v1
+      VITE_API_BASE: ${VITE_API_BASE:-http://localhost:8000/api/v1}
     ports:
-      - "5173:5173"
+      - "${HOST_BIND_IP:-127.0.0.1}:5173:5173"
     volumes:
       - ./frontend/src:/app/src
       - ./frontend/index.html:/app/index.html
@@ -103,6 +121,10 @@ services:
     depends_on:
       api:
         condition: service_started
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
 
 volumes:
   db-data: