feat(docker): improve local/Docker mode UX

- Hide social login buttons when OAuth providers aren't configured
- Fix per-user data isolation in local mode (session guard prioritizes
  real Better Auth sessions over synthetic loopback fallback)
- Expose isLocalMode and ollamaAvailable in GET /api/v1/setup/status
- Make Ollama optional via Docker Compose profile (--profile ollama)
- Show contextual messages for Ollama in provider list based on state
- Centralize setup status fetching in shared cached service

Author: SebConejo

docker/docker-compose.yml

@@ -30,6 +30,8 @@ services:
       - DATABASE_URL=${DATABASE_URL:-postgresql://manifest:manifest@postgres:5432/manifest}
       - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:?BETTER_AUTH_SECRET must be set in .env}
       - BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:3001}
+      - MANIFEST_MODE=local
+      - OLLAMA_HOST=http://ollama:11434
       - SEED_DATA=false
       - NODE_ENV=production
       - AUTO_MIGRATE=true
@@ -87,6 +89,22 @@ services:
     networks:
       - internal
 
+  # Optional: run local LLMs via Ollama.
+  # Start with: docker compose --profile ollama up -d
+  ollama:
+    image: ollama/ollama:latest
+    profiles: ["ollama"]
+    volumes:
+      - ollama_data:/root/.ollama
+    healthcheck:
+      test: ["CMD-SHELL", "ollama list || exit 1"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 3
+    networks:
+      - internal
+
 networks:
   internal:
     driver: bridge
@@ -96,3 +114,4 @@ networks:
 
 volumes:
   pgdata:
+  ollama_data:

packages/backend/src/auth/session.guard.spec.ts

@@ -86,10 +86,10 @@ describe('SessionGuard', () => {
     expect(request['authMethod']).toBe('session');
   });
 
-  it('returns true even when no session found', async () => {
+  it('returns true even when no session found (non-local mode)', async () => {
     jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
     (auth.api.getSession as jest.Mock).mockResolvedValue(null);
-    const { context, request } = createMockContext({});
+    const { context, request } = createMockContext({ ip: '203.0.113.1' });
 
     const result = await guard.canActivate(context);
 
@@ -98,15 +98,146 @@ describe('SessionGuard', () => {
     expect(request['authMethod']).toBeUndefined();
   });
 
-  it('returns true and leaves user undefined when getSession throws', async () => {
+  it('returns true and leaves user undefined when getSession throws (non-local mode)', async () => {
     jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
     (auth.api.getSession as jest.Mock).mockRejectedValue(new Error('DB connection lost'));
-    const { context, request } = createMockContext({});
+    const { context, request } = createMockContext({ ip: '203.0.113.1' });
 
     const result = await guard.canActivate(context);
 
     expect(result).toBe(true);
     expect(request['user']).toBeUndefined();
     expect(request['authMethod']).toBeUndefined();
   });
+
+  describe('cloud mode (default) — no loopback fallback', () => {
+    const originalEnv = process.env['MANIFEST_MODE'];
+
+    beforeEach(() => {
+      delete process.env['MANIFEST_MODE'];
+    });
+
+    afterEach(() => {
+      if (originalEnv === undefined) delete process.env['MANIFEST_MODE'];
+      else process.env['MANIFEST_MODE'] = originalEnv;
+    });
+
+    it('does NOT inject synthetic user for loopback IP without session', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockResolvedValue(null);
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toBeUndefined();
+      expect(request['authMethod']).toBeUndefined();
+    });
+
+    it('does NOT inject synthetic user for loopback IP when getSession throws', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockRejectedValue(new Error('DB error'));
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toBeUndefined();
+      expect(request['authMethod']).toBeUndefined();
+    });
+
+    it('attaches real user when Better Auth session is valid (loopback IP)', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      const mockSession = {
+        user: { id: 'cloud-user-1', name: 'Cloud User', email: 'cloud@example.com' },
+        session: { id: 'session-cloud' },
+      };
+      (auth.api.getSession as jest.Mock).mockResolvedValue(mockSession);
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toEqual(mockSession.user);
+      expect(request['authMethod']).toBe('session');
+    });
+
+    it('does NOT inject synthetic user when MANIFEST_MODE is "cloud"', async () => {
+      process.env['MANIFEST_MODE'] = 'cloud';
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockResolvedValue(null);
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toBeUndefined();
+      expect(request['authMethod']).toBeUndefined();
+    });
+  });
+
+  describe('local mode loopback fallback', () => {
+    const originalEnv = process.env['MANIFEST_MODE'];
+
+    beforeEach(() => {
+      process.env['MANIFEST_MODE'] = 'local';
+    });
+
+    afterEach(() => {
+      if (originalEnv === undefined) delete process.env['MANIFEST_MODE'];
+      else process.env['MANIFEST_MODE'] = originalEnv;
+    });
+
+    it('uses real session when Better Auth session exists (preserves per-user isolation)', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      const mockSession = {
+        user: { id: 'real-user-1', name: 'Real User', email: 'real@test.com' },
+        session: { id: 'session-1' },
+      };
+      (auth.api.getSession as jest.Mock).mockResolvedValue(mockSession);
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toEqual(mockSession.user);
+      expect(request['authMethod']).toBe('session');
+    });
+
+    it('falls back to synthetic local user when no session on loopback', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockResolvedValue(null);
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toEqual({
+        id: 'local',
+        name: 'Local User',
+        email: 'local@localhost',
+      });
+      expect(request['authMethod']).toBe('session');
+    });
+
+    it('falls back to synthetic local user when getSession throws on loopback', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockRejectedValue(new Error('DB error'));
+      const { context, request } = createMockContext({ ip: '127.0.0.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toEqual({
+        id: 'local',
+        name: 'Local User',
+        email: 'local@localhost',
+      });
+      expect(request['authMethod']).toBe('session');
+    });
+
+    it('does not apply loopback fallback for non-loopback IPs', async () => {
+      jest.spyOn(reflector, 'getAllAndOverride').mockReturnValue(false);
+      (auth.api.getSession as jest.Mock).mockResolvedValue(null);
+      const { context, request } = createMockContext({ ip: '203.0.113.1' });
+
+      await guard.canActivate(context);
+
+      expect(request['user']).toBeUndefined();
+      expect(request['authMethod']).toBeUndefined();
+    });
+  });
 });

packages/backend/src/auth/session.guard.ts

@@ -4,6 +4,7 @@ import { Request } from 'express';
 import { fromNodeHeaders } from 'better-auth/node';
 import { auth } from './auth.instance';
 import { IS_PUBLIC_KEY } from '../common/decorators/public.decorator';
+import { isLoopbackIp } from '../common/utils/local-ip';
 
 @Injectable()
 export class SessionGuard implements CanActivate {
@@ -23,7 +24,7 @@ export class SessionGuard implements CanActivate {
     // Let API-key authenticated requests be handled by ApiKeyGuard
     if (request.headers['x-api-key']) return true;
 
-    // In local mode, Better Auth is not initialized
+    // In local mode without Better Auth, skip session lookup
     if (!auth) return true;
 
     try {
@@ -35,11 +36,24 @@ export class SessionGuard implements CanActivate {
         (request as Request & { user: unknown }).user = session.user;
         (request as Request & { session: unknown }).session = session.session;
         (request as Request & { authMethod: string }).authMethod = 'session';
+        return true;
       }
     } catch (err) {
       this.logger.warn(`Session lookup failed: ${(err as Error).message}`);
     }
 
+    // In local mode, fall back to a synthetic user for loopback requests
+    // without a session (e.g. curl, programmatic access)
+    if (process.env['MANIFEST_MODE'] === 'local' && request.ip && isLoopbackIp(request.ip)) {
+      (request as Request & { user: unknown }).user = {
+        id: 'local',
+        name: 'Local User',
+        email: 'local@localhost',
+      };
+      (request as Request & { authMethod: string }).authMethod = 'session';
+      return true;
+    }
+
     // Always pass — let ApiKeyGuard handle unauthenticated requests
     return true;
   }

packages/backend/src/setup/setup.controller.spec.ts

@@ -10,10 +10,16 @@ describe('SetupController', () => {
   let controller: SetupController;
   let mockNeedsSetup: jest.Mock;
   let mockCreateFirstAdmin: jest.Mock;
+  let mockGetEnabledSocialProviders: jest.Mock;
+  let mockIsLocalMode: jest.Mock;
+  let mockIsOllamaAvailable: jest.Mock;
 
   beforeEach(async () => {
     mockNeedsSetup = jest.fn();
     mockCreateFirstAdmin = jest.fn();
+    mockGetEnabledSocialProviders = jest.fn().mockReturnValue([]);
+    mockIsLocalMode = jest.fn().mockReturnValue(false);
+    mockIsOllamaAvailable = jest.fn().mockResolvedValue(false);
 
     const module: TestingModule = await Test.createTestingModule({
       controllers: [SetupController],
@@ -23,6 +29,9 @@ describe('SetupController', () => {
           useValue: {
             needsSetup: mockNeedsSetup,
             createFirstAdmin: mockCreateFirstAdmin,
+            getEnabledSocialProviders: mockGetEnabledSocialProviders,
+            isLocalMode: mockIsLocalMode,
+            isOllamaAvailable: mockIsOllamaAvailable,
           },
         },
       ],
@@ -32,16 +41,72 @@ describe('SetupController', () => {
   });
 
   describe('getStatus', () => {
-    it('returns needsSetup=true when service says so', async () => {
+    it('returns needsSetup=true with empty socialProviders in cloud mode', async () => {
       mockNeedsSetup.mockResolvedValue(true);
       const result = await controller.getStatus();
-      expect(result).toEqual({ needsSetup: true });
+      expect(result).toEqual({
+        needsSetup: true,
+        socialProviders: [],
+        isLocalMode: false,
+        ollamaAvailable: false,
+      });
     });
 
-    it('returns needsSetup=false when an admin already exists', async () => {
+    it('returns needsSetup=false with empty socialProviders in cloud mode', async () => {
       mockNeedsSetup.mockResolvedValue(false);
       const result = await controller.getStatus();
-      expect(result).toEqual({ needsSetup: false });
+      expect(result).toEqual({
+        needsSetup: false,
+        socialProviders: [],
+        isLocalMode: false,
+        ollamaAvailable: false,
+      });
+    });
+
+    it('includes enabled social providers in the response', async () => {
+      mockNeedsSetup.mockResolvedValue(false);
+      mockGetEnabledSocialProviders.mockReturnValue(['google', 'github']);
+      const result = await controller.getStatus();
+      expect(result).toEqual({
+        needsSetup: false,
+        socialProviders: ['google', 'github'],
+        isLocalMode: false,
+        ollamaAvailable: false,
+      });
+    });
+
+    it('returns isLocalMode=true when in local mode', async () => {
+      mockNeedsSetup.mockResolvedValue(false);
+      mockIsLocalMode.mockReturnValue(true);
+      mockIsOllamaAvailable.mockResolvedValue(false);
+      const result = await controller.getStatus();
+      expect(result).toEqual({
+        needsSetup: false,
+        socialProviders: [],
+        isLocalMode: true,
+        ollamaAvailable: false,
+      });
+    });
+
+    it('returns ollamaAvailable=true when in local mode and Ollama is reachable', async () => {
+      mockNeedsSetup.mockResolvedValue(false);
+      mockIsLocalMode.mockReturnValue(true);
+      mockIsOllamaAvailable.mockResolvedValue(true);
+      const result = await controller.getStatus();
+      expect(result).toEqual({
+        needsSetup: false,
+        socialProviders: [],
+        isLocalMode: true,
+        ollamaAvailable: true,
+      });
+    });
+
+    it('skips Ollama check in cloud mode (always false)', async () => {
+      mockNeedsSetup.mockResolvedValue(false);
+      mockIsLocalMode.mockReturnValue(false);
+      const result = await controller.getStatus();
+      expect(result.ollamaAvailable).toBe(false);
+      expect(mockIsOllamaAvailable).not.toHaveBeenCalled();
     });
   });
 

packages/backend/src/setup/setup.controller.ts

@@ -9,8 +9,19 @@ export class SetupController {
 
   @Public()
   @Get('status')
-  async getStatus(): Promise<{ needsSetup: boolean }> {
-    return { needsSetup: await this.setupService.needsSetup() };
+  async getStatus(): Promise<{
+    needsSetup: boolean;
+    socialProviders: string[];
+    isLocalMode: boolean;
+    ollamaAvailable: boolean;
+  }> {
+    const isLocal = this.setupService.isLocalMode();
+    return {
+      needsSetup: await this.setupService.needsSetup(),
+      socialProviders: this.setupService.getEnabledSocialProviders(),
+      isLocalMode: isLocal,
+      ollamaAvailable: isLocal ? await this.setupService.isOllamaAvailable() : false,
+    };
   }
 
   @Public()