Isolate backend and db from host: two Docker networks

- backend-net (internal: true): db ↔ backend ↔ frontend reverse proxy
- frontend-net: frontend only; single host port binding (80 prod / 5173 dev)
- Remove ports: from db (5432) and backend (8000) — unreachable from host
- Security auditor: hard rule to never add host ports to db or backend

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
curo1305
2026-04-14 00:06:38 +02:00
parent 03fcc6e117
commit d423bea134
5 changed files with 53 additions and 15 deletions
+17 -10
@@ -22,19 +22,24 @@ A fullstack SaaS web application built with FastAPI, React, and PostgreSQL.
- All input sanitized before reaching the DB (null-byte rejection, length caps, format validation)
- 3 separate Docker containers: `db` (PostgreSQL), `backend` (FastAPI), `frontend` (nginx)
- All containers run as non-root users (UID 1001 for backend and frontend, UID 70 for db)
- Network-isolated: only the frontend exposes a host port (80/5173); db and backend are unreachable from outside Docker
- Dev environment seeds a test user automatically on startup (`test@example.com` / `Test123!`)
- Password policy: min 8 chars, upper + lowercase, digit, special character, no common words
- Pre-commit security hook (`scripts/security_check.py`) runs inside Docker on every commit
## Containers
| Container | Image | Port | User (UID:GID) | Description |
|---|---|---|---|---|
| `db` | postgres:16-alpine | 5432 | 70:70 (postgres) | PostgreSQL database |
| `backend` | custom (python:3.12-slim) | 8000 | 1001:1001 (appuser) | FastAPI management API |
| `frontend` | custom (nginxinc/nginx-unprivileged:alpine) | 80 | 1001:1001 (appuser) | React UI served by nginx (internal port 8080) |
| Container | Image | Host port | Network | User (UID:GID) | Description |
|---|---|---|---|---|---|
| `db` | postgres:16-alpine | none | backend-net | 70:70 | PostgreSQL database |
| `backend` | custom (python:3.12-slim) | none | backend-net | 1001:1001 | FastAPI management API |
| `frontend` | custom (nginxinc/nginx-unprivileged:alpine) | 80 (prod) / 5173 (dev) | backend-net + frontend-net | 1001:1001 | React UI + nginx reverse proxy |
The frontend nginx container proxies `/api/*` to the backend container internally — no CORS headers needed in production.
**Networks:**
- `backend-net` (`internal: true`) — db, backend, and frontend reverse proxy communicate here; no host routing
- `frontend-net` — frontend only; this is where the single host port (80/5173) is bound
The frontend nginx proxies `/api/*` to `backend:8000` via `backend-net`. No backend or database port is ever exposed to the host.
## Installation
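Review bot: the new container table drops the container-internal port column, while the sentence below it depends on `backend:8000` and the removed row recorded that nginx-unprivileged listens on 8080 inside the container; anyone writing the proxy config or a healthcheck needs those numbers. Suggest an `Internal port` column (5432 / 8000 / 8080) next to `Host port`. The claim "No backend or database port is ever exposed to the host" should also say what `internal: true` actually guarantees: Compose publishes no ports and the network gets no route to the host, but any container attached to `backend-net` and anyone with Docker socket access (`docker compose exec`) still reaches `db:5432` and `backend:8000`. Finally, if both proxy sentences ("The frontend nginx container proxies `/api/*` ..." and "The frontend nginx proxies `/api/*` to `backend:8000` ...") survive in the rendered README, keep one.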
@@ -47,12 +52,13 @@ The frontend nginx container proxies `/api/*` to the backend container internall
```bash
git clone <repo>
cd destroying_sap
cp .env.example backend/.env # edit SECRET_KEY at minimum
cp .env.example backend/.env
python scripts/generate_jwt_keys.py # paste output into backend/.env
docker compose up --build -d
```
- Frontend: http://localhost
- API docs: http://localhost:8000/docs
- API docs: not directly accessible from host (backend port not exposed); access via `docker compose exec backend` or add a dev-only port mapping
### Development (hot reload)
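Review bot: the new API-docs line offers "add a dev-only port mapping" for the backend, which contradicts the hard rule in this commit's own message that db and backend never get host ports; drop that option. The other route, `docker compose exec backend`, is not a complete instruction either: python:3.12-slim ships no curl, so spell out a command that works in that image, e.g. `docker compose exec backend python -c "import urllib.request;print(urllib.request.urlopen('http://localhost:8000/openapi.json').read(200))"` (assuming uvicorn listens on 8000 inside the container, as the table states).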
@@ -61,7 +67,7 @@ docker compose -f docker-compose.yml -f docker-compose.dev.yml up --build
```
- Frontend (Vite): http://localhost:5173
- Backend (uvicorn --reload): http://localhost:8000
- Backend: reachable by frontend via Docker network only (not exposed to host)
### Local (no Docker)
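Review bot: "reachable by frontend via Docker network only" leaves out how the browser at http://localhost:5173 calls the API in dev. The browser is not on `backend-net`, so either the Vite dev server must proxy `/api` to `http://backend:8000` (Vite `server.proxy`) or the prod nginx proxy must also run in dev; state which. Otherwise the removed `http://localhost:8000` line was the only working path and dev API calls now fail.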
@@ -95,7 +101,8 @@ Copy `.env.example` to `backend/.env` and adjust:
| Variable | Default | Description |
|---|---|---|
| `DATABASE_URL` | `postgresql+asyncpg://postgres:password@localhost:5432/destroying_sap` | Async PostgreSQL URL |
| `SECRET_KEY` | `change-me-in-production` | JWT signing key |
| `JWT_PRIVATE_KEY` | — | RS256 private key PEM (generate with `scripts/generate_jwt_keys.py`) |
| `JWT_PUBLIC_KEY` | — | RS256 public key PEM (generate with `scripts/generate_jwt_keys.py`) |
| `CORS_ORIGINS` | `["http://localhost:5173"]` | Allowed frontend origins |
## Development
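Review bot: the two PEM variables need an encoding note: a multi-line PEM in a dotenv file must be quoted or `\n`-escaped, and the description should say which form `scripts/generate_jwt_keys.py` emits and `backend/.env` accepts, since "paste output into backend/.env" in the install steps will silently break on a raw multi-line key. Two smaller points on the unchanged rows: `DATABASE_URL`'s `localhost:5432` default cannot work inside Compose now that db lives only on `backend-net`, so the Compose-side value (`db:5432`) should be mentioned; and `CORS_ORIGINS` defaulting to `http://localhost:5173` only matters for the local no-Docker path once nginx proxies `/api/*` same-origin in prod, which the description should say.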