From 3683ba9dd251fabf26a201757baee78746965cfd Mon Sep 17 00:00:00 2001
From: Saravana Kumar <saravanakumardb1@gmail.com>
Date: Wed, 27 May 2026 21:37:31 +0000
Subject: [PATCH] fix: bind Notes host ports to loopback

---
 docker-compose.override.yml | 13 ++++++-------
 docker-compose.yml          |  4 ++--
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index b23fd50..0a17f41 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -1,16 +1,15 @@
 # Local override for `docker compose up` on this host.
 #
 # Why this exists:
-#   docker-compose.yml maps the web container to host port 3000, but
-#   port 3000 on this host is already occupied (Grafana). This file
-#   remaps web to host port 3050 and backend stays on 4016. The backend
-#   is configured to point at the sibling platform/extraction/mcp
+#   Keep direct host access loopback-only. Caddy reaches the web container
+#   over the Docker network, so the host bind is for local smoke checks only.
+#   The backend is configured to point at the sibling platform/extraction/mcp
 #   services already running on the host network.
 #
 # Bring up:
 #   docker compose up -d
 # URLs:
-#   Web:     http://127.0.0.1:3050
+#   Web:     http://127.0.0.1:3000
 #   Backend: http://127.0.0.1:4016
 #   Health:  http://127.0.0.1:4016/health
 # Bring down:
@@ -21,7 +20,7 @@ services:
     extra_hosts:
       - "host.docker.internal:host-gateway"
     environment:
-      CORS_ORIGIN: "http://127.0.0.1:3050"
+      CORS_ORIGIN: "http://127.0.0.1:3000"
       PLATFORM_SERVICE_URL: "http://host.docker.internal:4003"
       EXTRACTION_SERVICE_URL: "http://host.docker.internal:4005"
       MCP_SERVER_URL: "http://host.docker.internal:4007"
@@ -33,7 +32,7 @@ services:
 
   web:
     ports: !override
-      - "3050:3045"
+      - "127.0.0.1:3000:3045"
     # NEXT_PUBLIC_* values are baked into the Next.js bundle at build
     # time. They MUST be set as build args so `pnpm run build` inside
     # the Dockerfile picks them up. Runtime `environment:` alone has no
diff --git a/docker-compose.yml b/docker-compose.yml
index b653404..6354dcf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
       context: .
       dockerfile: backend/Dockerfile
     ports:
-      - "4016:4016"
+      - "127.0.0.1:4016:4016"
     environment:
       NODE_ENV: development
       PORT: 4016
@@ -62,7 +62,7 @@ services:
         NEXT_PUBLIC_PRODUCT_ID: ${NEXT_PUBLIC_PRODUCT_ID:-notelett}
         NEXT_PUBLIC_TELEMETRY_TRANSPORT: ${NEXT_PUBLIC_TELEMETRY_TRANSPORT:-fetch}
     ports:
-      - "3000:3045"
+      - "127.0.0.1:3000:3045"
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_PRODUCT_NAME: NoteLett