Detect external DB/Redis via flags; sanitize URLs

Improve entrypoint handling for external services and startup wrappers. entrypoint.sh now more robustly parses REDIS_URL (handles optional :password@host) and masks credentials when printing DATABASE_URL/REDIS_URL. It exports USE_EXTERNAL_POSTGRES and USE_EXTERNAL_REDIS so supervisor wrappers can decide behavior without re-parsing URLs. The temporary PostgreSQL shutdown was moved to after Prisma migrations and a warning was added when pushing schema to an external DB. postgres-start.sh and redis-start.sh were simplified to check the USE_EXTERNAL_* flags and sleep if an external service is configured. Also cleaned up formatting of the PostgreSQL ownership error message.

docker/unified/entrypoint.sh

@@ -172,8 +172,13 @@ if [ -n "$DATABASE_URL" ]; then
 fi
 
 if [ -n "$REDIS_URL" ]; then
-    REDIS_HOST=$(echo "$REDIS_URL" | sed -n 's|redis://\([^:@]*@\)\?\([^:/]*\).*|\2|p')
-    if [ "$REDIS_HOST" != "127.0.0.1" ] && [ "$REDIS_HOST" != "localhost" ]; then
+    # Extract host from REDIS_URL - handles both redis://host:port and redis://:password@host:port
+    if echo "$REDIS_URL" | grep -q '@'; then
+        REDIS_HOST=$(echo "$REDIS_URL" | sed -n 's|.*@\([^:/]*\).*|\1|p')
+    else
+        REDIS_HOST=$(echo "$REDIS_URL" | sed -n 's|redis://\([^:/]*\).*|\1|p')
+    fi
+    if [ -n "$REDIS_HOST" ] && [ "$REDIS_HOST" != "127.0.0.1" ] && [ "$REDIS_HOST" != "localhost" ]; then
         USE_EXTERNAL_REDIS=true
         echo "ℹ️  External Redis detected at $REDIS_HOST"
     fi
@@ -192,33 +197,33 @@ if [ "$USE_EXTERNAL_POSTGRES" = "false" ]; then
 
     # PostgreSQL directories - owned by postgres user, group accessible
     if ! chown -R postgres:postgres "$PGDATA" /var/run/postgresql 2>/dev/null; then
-    echo ""
-    echo "❌ ERROR: Failed to set ownership on PostgreSQL directories"
-    echo ""
-    echo "   This usually happens when using bind mounts on incompatible filesystems."
-    echo ""
-    echo "   Common causes:"
-    echo "   - WSL2: Project on Windows filesystem (/mnt/c/...)"
-    echo "   - NFS/CIFS: Mount without proper permission support"
-    echo ""
-    echo "   Solutions:"
-    echo ""
-    echo "   1. Use Docker named volumes (recommended for WSL2):"
-    echo "      In docker-compose.yml, change:"
-    echo "        - ./pgdata:/var/lib/postgresql/data"
-    echo "      To:"
-    echo "        - pgdata:/var/lib/postgresql/data"
-    echo "      Then add at bottom:"
-    echo "        volumes:"
-    echo "          pgdata:"
-    echo ""
-    echo "   2. Move project to Linux filesystem (WSL2):"
-    echo "      mkdir -p ~/readmeabook && cd ~/readmeabook"
-    echo "      # Copy docker-compose.yml and restart"
-    echo ""
-    echo "   3. Pre-create directories with correct ownership:"
-    echo "      mkdir -p pgdata redis config cache"
-    echo "      # Let Docker create them on first run"
+        echo ""
+        echo "❌ ERROR: Failed to set ownership on PostgreSQL directories"
+        echo ""
+        echo "   This usually happens when using bind mounts on incompatible filesystems."
+        echo ""
+        echo "   Common causes:"
+        echo "   - WSL2: Project on Windows filesystem (/mnt/c/...)"
+        echo "   - NFS/CIFS: Mount without proper permission support"
+        echo ""
+        echo "   Solutions:"
+        echo ""
+        echo "   1. Use Docker named volumes (recommended for WSL2):"
+        echo "      In docker-compose.yml, change:"
+        echo "        - ./pgdata:/var/lib/postgresql/data"
+        echo "      To:"
+        echo "        - pgdata:/var/lib/postgresql/data"
+        echo "      Then add at bottom:"
+        echo "        volumes:"
+        echo "          pgdata:"
+        echo ""
+        echo "   2. Move project to Linux filesystem (WSL2):"
+        echo "      mkdir -p ~/readmeabook && cd ~/readmeabook"
+        echo "      # Copy docker-compose.yml and restart"
+        echo ""
+        echo "   3. Pre-create directories with correct ownership:"
+        echo "      mkdir -p pgdata redis config cache"
+        echo "      # Let Docker create them on first run"
         echo ""
         exit 1
     fi
@@ -336,9 +341,6 @@ EOF
         echo "✅ Database user and permissions verified"
     fi
 
-    # Stop PostgreSQL (supervisord will start it via wrapper)
-    echo "🔧 Stopping temporary PostgreSQL instance..."
-    su - postgres -c "/usr/lib/postgresql/16/bin/pg_ctl -D $PGDATA stop -m fast"
 fi
 
 # ============================================================================
@@ -352,7 +354,7 @@ if [ "$USE_EXTERNAL_POSTGRES" = "false" ]; then
     echo "✅ Using internal PostgreSQL (127.0.0.1:5432)"
 else
     # DATABASE_URL already set by user - do not modify
-    echo "✅ Using external DATABASE_URL: ${DATABASE_URL%%@*}@***"
+    echo "✅ Using external DATABASE_URL: $(echo "$DATABASE_URL" | sed 's|//.*@|//***@|')"
 fi
 
 if [ "$USE_EXTERNAL_REDIS" = "false" ]; then
@@ -360,7 +362,7 @@ if [ "$USE_EXTERNAL_REDIS" = "false" ]; then
     echo "✅ Using internal Redis (127.0.0.1:6379)"
 else
     # REDIS_URL already set by user - do not modify
-    echo "✅ Using external REDIS_URL: ${REDIS_URL}"
+    echo "✅ Using external REDIS_URL: $(echo "$REDIS_URL" | sed 's|//.*@|//***@|')"
 fi
 
 export NODE_ENV="production"
@@ -372,6 +374,8 @@ export HOSTNAME="0.0.0.0"
 cat > /etc/environment <<EOF
 DATABASE_URL=$DATABASE_URL
 REDIS_URL=$REDIS_URL
+USE_EXTERNAL_POSTGRES=$USE_EXTERNAL_POSTGRES
+USE_EXTERNAL_REDIS=$USE_EXTERNAL_REDIS
 JWT_SECRET=$JWT_SECRET
 JWT_REFRESH_SECRET=$JWT_REFRESH_SECRET
 CONFIG_ENCRYPTION_KEY=$CONFIG_ENCRYPTION_KEY
@@ -391,10 +395,20 @@ echo "✅ Environment configured"
 # ============================================================================
 # RUN PRISMA MIGRATIONS
 # ============================================================================
+if [ "$USE_EXTERNAL_POSTGRES" = "true" ]; then
+    echo "⚠️  Running schema sync against EXTERNAL database - prisma db push --accept-data-loss"
+    echo "   This runs on every container start. Ensure your external database is backed up."
+fi
 echo "🔄 Running Prisma migrations..."
 cd /app
 su - node -c "cd /app && DATABASE_URL='$DATABASE_URL' npx prisma db push --skip-generate --accept-data-loss" || echo "⚠️  Migrations may have failed, continuing..."
 
+# Stop internal PostgreSQL (supervisord will restart it via wrapper)
+if [ "$USE_EXTERNAL_POSTGRES" = "false" ]; then
+    echo "🔧 Stopping temporary PostgreSQL instance..."
+    su - postgres -c "/usr/lib/postgresql/16/bin/pg_ctl -D $PGDATA stop -m fast"
+fi
+
 # ============================================================================
 # DISPLAY STARTUP INFO
 # ============================================================================

docker/unified/postgres-start.sh

@@ -1,10 +1,7 @@
 #!/bin/bash
 # PostgreSQL startup wrapper for unified container
-# Smart supervisor: detects external PostgreSQL and sleeps instead of starting local instance
-#
-# Behavior:
-# - If DATABASE_URL points to external host (not 127.0.0.1/localhost), sleep infinity
-# - Otherwise, start local PostgreSQL instance
+# Checks USE_EXTERNAL_POSTGRES flag (set by entrypoint) to decide whether
+# to start the local instance or sleep to keep supervisord happy.
 
 set -e
 
@@ -15,25 +12,10 @@ if [ -f /etc/environment ]; then
     set +a
 fi
 
-echo "[PostgreSQL] Checking for external database configuration..."
-
-# Extract host from DATABASE_URL
-# Format: postgresql://user:pass@host:port/db
-if [ -n "$DATABASE_URL" ]; then
-    # Extract the host part (between @ and :port or /)
-    DB_HOST=$(echo "$DATABASE_URL" | sed -n 's|.*@\([^:/]*\).*|\1|p')
-    
-    echo "[PostgreSQL] Detected DATABASE_URL host: $DB_HOST"
-    
-    # Check if host is external (not localhost or 127.0.0.1)
-    if [ "$DB_HOST" != "127.0.0.1" ] && [ "$DB_HOST" != "localhost" ]; then
-        echo "[PostgreSQL] ✅ External PostgreSQL detected at $DB_HOST"
-        echo "[PostgreSQL] Skipping local PostgreSQL startup - sleeping to keep supervisord happy"
-        exec sleep infinity
-    fi
+if [ "$USE_EXTERNAL_POSTGRES" = "true" ]; then
+    echo "[PostgreSQL] External database configured - skipping local instance"
+    exec sleep infinity
 fi
 
 echo "[PostgreSQL] Starting local PostgreSQL server..."
-
-# Start PostgreSQL as postgres user
 exec /usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data

docker/unified/redis-start.sh

@@ -1,10 +1,7 @@
 #!/bin/bash
 # Redis startup wrapper for unified container
-# Smart supervisor: detects external Redis and sleeps instead of starting local instance
-#
-# Behavior:
-# - If REDIS_URL points to external host (not 127.0.0.1/localhost), sleep infinity
-# - Otherwise, start local Redis instance
+# Checks USE_EXTERNAL_REDIS flag (set by entrypoint) to decide whether
+# to start the local instance or sleep to keep supervisord happy.
 #
 # Uses gosu to ensure correct PUID:PGID for file operations
 #
@@ -21,22 +18,9 @@ if [ -f /etc/environment ]; then
     set +a
 fi
 
-echo "[Redis] Checking for external Redis configuration..."
-
-# Extract host from REDIS_URL
-# Format: redis://host:port or redis://:password@host:port
-if [ -n "$REDIS_URL" ]; then
-    # Extract the host part (between :// or @, and :port or end)
-    REDIS_HOST=$(echo "$REDIS_URL" | sed -n 's|redis://\([^:@]*@\)\?\([^:/]*\).*|\2|p')
-    
-    echo "[Redis] Detected REDIS_URL host: $REDIS_HOST"
-    
-    # Check if host is external (not localhost or 127.0.0.1)
-    if [ "$REDIS_HOST" != "127.0.0.1" ] && [ "$REDIS_HOST" != "localhost" ]; then
-        echo "[Redis] ✅ External Redis detected at $REDIS_HOST"
-        echo "[Redis] Skipping local Redis startup - sleeping to keep supervisord happy"
-        exec sleep infinity
-    fi
+if [ "$USE_EXTERNAL_REDIS" = "true" ]; then
+    echo "[Redis] External Redis configured - skipping local instance"
+    exec sleep infinity
 fi
 
 echo "[Redis] Starting local Redis server..."