# 2026-04-14 — Docker network isolation: backend and db ports removed from host

**Timestamp:** 2026-04-14T00:00:00

## Summary

Replaced flat single-network Docker setup with two explicit networks. Only the frontend exposes a host port. The database and backend are unreachable from outside the Docker network.

## Network architecture

- `backend-net` (`internal: true`) — db, backend, and frontend reverse proxy; no gateway, no host routing
- `frontend-net` — frontend only; binds port 80 (prod) or 5173 (dev) to the host

## Files Modified

- `docker-compose.yml` — removed `ports:` from `db` and `backend`; added `networks:` to all services; defined `backend-net` (internal) and `frontend-net`
- `docker-compose.dev.yml` — no network changes needed (inherits from base); kept `5173:5173` on frontend
- `.claude/agents/security-auditor.md` — added hard rule: only frontend exposes host ports; db and backend must never have `ports:` in any compose file
- `TODO.md` — marked Docker port hardening as done
- `README.md` — updated Containers table with network column; updated Installation section; removed stale SECRET_KEY env var; noted backend API docs are not directly accessible from host
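The two-network layout described above, written out as an added example compose file rather than the project's own `docker-compose.yml`; image names, build paths and the backend port are assumptions:

```yaml
# Added example, not the project's docker-compose.yml. Image names, build
# paths and the backend port (8000) are assumptions.
services:
  db:
    image: postgres:16          # assumption: any database image behaves the same
    # No `ports:` here: nothing on the host can open a connection to the db.
    networks:
      - backend-net

  backend:
    build: ./backend            # assumption
    # No `ports:` here either; only the frontend reverse proxy reaches it,
    # by service name (backend:8000), over backend-net.
    networks:
      - backend-net

  frontend:
    build: ./frontend           # assumption: static files plus reverse proxy to backend
    ports:
      - "80:80"                 # the only host-published port (dev override: 5173:5173)
    networks:
      - backend-net             # lets the proxy reach backend:8000
      - frontend-net            # supplies the gateway that host traffic needs

networks:
  backend-net:
    internal: true              # no default gateway: no host routing, no outbound traffic
  frontend-net: {}
```

`docker compose config` prints the merged base and dev files, so checking that only `frontend` carries a `ports:` key verifies the rule in `security-auditor.md` across every override. Note that `internal: true` also removes outbound access, so a service attached only to `backend-net` cannot reach anything outside the Docker network.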