backend-user-mgmt/backend/compose.yml

services:
  postgres:
    image: postgres:16-alpine
    container_name: mimic-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-mimic}
      POSTGRES_USER: ${POSTGRES_USER:-mimic_app}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mimic_dev_password}
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - mimic_pgdata:/var/lib/postgresql/data
    # The `mimic_audit_writer` role is provisioned by the Ansible playbook
    # in prod (D-010). For dev, create it manually after `make db-up`
    # (substitute `podman` for `docker` if your runtime is Podman):
    #   docker exec -it mimic-postgres psql -U mimic_app -d mimic \
    #     -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"
    # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
      interval: 5s
      timeout: 3s
      retries: 10

volumes:
  mimic_pgdata:
    name: mimic_pgdata
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`services:`
			`postgres:`
			`image: postgres:16-alpine`
			`container_name: mimic-postgres`
			`restart: unless-stopped`
			`environment:`
			`POSTGRES_DB: ${POSTGRES_DB:-mimic}`
			`POSTGRES_USER: ${POSTGRES_USER:-mimic_app}`
			`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mimic_dev_password}`
			`ports:`
			`- "127.0.0.1:5432:5432"`
			`volumes:`
			`- mimic_pgdata:/var/lib/postgresql/data`
fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			# The `mimic_audit_writer` role is provisioned by the Ansible playbook
chore(backend): rename docker-compose.yml -> compose.yml + podman notes Compose v2 canonical filename (compose.yml) is recognized by both docker compose and podman compose without preference. The previous docker-compose.yml worked but signalled a Docker-first stance, while target deployment is Podman 5.8+ rootless. - Rename backend/docker-compose.yml -> backend/compose.yml. - backend/README.md `make db-up` comment uses $(CONTAINER) to mirror the Makefile auto-detect (lines 14-16: docker \|\| podman). - backend/README.md audit-writer bootstrap snippet hints at podman fallback explicitly with `command -v` runtime sniff. - backend/compose.yml comment for audit-writer mentions both runtimes. No functional change. Makefile $(COMPOSE) target unchanged: Compose v2 discovers compose.yml first in its search order. 2026-05-22 19:41:38 +02:00			# in prod (D-010). For dev, create it manually after `make db-up`
			# (substitute `podman` for `docker` if your runtime is Podman):
fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			`# docker exec -it mimic-postgres psql -U mimic_app -d mimic \`
			`# -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"`
			`# Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.`
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]`
			`interval: 5s`
			`timeout: 3s`
			`retries: 10`

			`volumes:`
			`mimic_pgdata:`
			`name: mimic_pgdata`