docker-compose.yml hardcodes POSTGRES_PASSWORD: password and the matching DATABASE_URL with the same credential for the api service. While acceptable for pure local dev, this pattern encourages copy-pasting into staging/production configs.
Document this explicitly as dev-only (e.g., a comment banner) and/or switch to reading credentials from a .env file that's gitignored, consistent with the .env.example pattern already used elsewhere.
docker-compose.ymlhardcodesPOSTGRES_PASSWORD: passwordand the matchingDATABASE_URLwith the same credential for theapiservice. While acceptable for pure local dev, this pattern encourages copy-pasting into staging/production configs.Document this explicitly as dev-only (e.g., a comment banner) and/or switch to reading credentials from a
.envfile that's gitignored, consistent with the.env.examplepattern already used elsewhere.