backend/docker-compose.yml

services:
  postgres:
    image: postgres:16-alpine
    container_name: mimic-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-mimic}
      POSTGRES_USER: ${POSTGRES_USER:-mimic_app}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mimic_dev_password}
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - mimic_pgdata:/var/lib/postgresql/data
    # The `mimic_audit_writer` role is provisioned by the Ansible playbook
    # in prod (D-010). For dev, create it manually after `make db-up`:
    #   docker exec -it mimic-postgres psql -U mimic_app -d mimic \
    #     -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"
    # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
      interval: 5s
      timeout: 3s
      retries: 10

volumes:
  mimic_pgdata:
    name: mimic_pgdata
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`services:`
			`postgres:`
			`image: postgres:16-alpine`
			`container_name: mimic-postgres`
			`restart: unless-stopped`
			`environment:`
			`POSTGRES_DB: ${POSTGRES_DB:-mimic}`
			`POSTGRES_USER: ${POSTGRES_USER:-mimic_app}`
			`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-mimic_dev_password}`
			`ports:`
			`- "127.0.0.1:5432:5432"`
			`volumes:`
			`- mimic_pgdata:/var/lib/postgresql/data`
fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			# The `mimic_audit_writer` role is provisioned by the Ansible playbook
			# in prod (D-010). For dev, create it manually after `make db-up`:
			`# docker exec -it mimic-postgres psql -U mimic_app -d mimic \`
			`# -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"`
			`# Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.`
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]`
			`interval: 5s`
			`timeout: 3s`
			`retries: 10`

			`volumes:`
			`mimic_pgdata:`
			`name: mimic_pgdata`