fix(docker): keep internal Postgres creds fixed to avoid URL-encoding bug

Cubic flagged that interpolating POSTGRES_PASSWORD into DATABASE_URL
breaks connections when the password contains URI-reserved characters
(@ : / # ?). The compose-internal Postgres is never exposed on the host,
so exposing POSTGRES_PASSWORD as an overridable variable was more risk
than reward.

Revert compose to fixed manifest/manifest credentials for the bundled
Postgres, drop POSTGRES_PASSWORD from .env.example and install.sh, and
document that users who need a custom DB password should use Option 2
(docker run with an external Postgres) where they control the full
DATABASE_URL end-to-end and can URL-encode as needed.

Author: brunobuddy

docker/.env.example

@@ -7,23 +7,25 @@
 #                              openssl rand -hex 32
 #   3. Set SEED_DATA=false and change the seeded admin password
 #      (admin@manifest.build / manifest) after first login.
-#   4. Pick a strong POSTGRES_PASSWORD.
-#   5. Update BETTER_AUTH_URL to match the public origin you serve on.
+#   4. Update BETTER_AUTH_URL to match the public origin you serve on.
 #
 # Docker Compose reads .env automatically from the same directory as the
 # compose file. Variables below are all optional — compose falls back to
 # the localhost-safe defaults baked into docker-compose.yml if unset.
+#
+# The bundled Postgres credentials are internal to the compose network and
+# intentionally not overridable here: changing them requires updating the
+# full DATABASE_URL consistently (and URL-encoding any special characters
+# in the password). If you need a custom DB password or an external
+# Postgres, use Option 2 from DOCKER_README.md and supply your own
+# DATABASE_URL end-to-end.
 
 # Required for any non-localhost deployment. Minimum 32 characters.
 BETTER_AUTH_SECRET=change-me-to-a-random-32-char-string!!
 
 # Public URL Manifest is served on. Must match host + port the browser uses.
 BETTER_AUTH_URL=http://localhost:3001
 
-# PostgreSQL password. Stays inside the compose internal network, but still
-# worth changing for any real deployment.
-POSTGRES_PASSWORD=manifest
-
 # Seeds a demo admin user (admin@manifest.build / manifest) and sample data
 # on first boot. Set to false before exposing publicly.
 SEED_DATA=true

docker/docker-compose.yml

@@ -4,7 +4,11 @@
 #     secret. Generate one with: openssl rand -hex 32
 #   - Set SEED_DATA=false to stop seeding the demo agent on every boot.
 #   - Change the seeded admin password (admin@manifest.build / manifest).
-#   - Pick a strong POSTGRES_PASSWORD.
+#
+# The Postgres credentials below are internal to the compose network and
+# never exposed on the host — there is no published port for postgres. If
+# you need a custom DB password (or an external Postgres), use Option 2
+# from DOCKER_README.md and supply your own DATABASE_URL end-to-end.
 #
 # All `${VAR:-default}` values below fall back to localhost-safe defaults
 # when no .env file is present, so `docker compose up -d` works out of the
@@ -16,7 +20,7 @@ services:
     ports:
       - "3001:3001"
     environment:
-      - DATABASE_URL=postgresql://manifest:${POSTGRES_PASSWORD:-manifest}@postgres:5432/manifest
+      - DATABASE_URL=postgresql://manifest:manifest@postgres:5432/manifest
       # ⚠  Default is a placeholder. Replace via .env before any non-localhost use.
       - BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-change-me-to-a-random-32-char-string!!}
       - BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:3001}
@@ -49,7 +53,7 @@ services:
     image: postgres:16-alpine@sha256:20edbde7749f822887a1a022ad526fde0a47d6b2be9a8364433605cf65099416
     environment:
       - POSTGRES_USER=manifest
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-manifest}
+      - POSTGRES_PASSWORD=manifest
       - POSTGRES_DB=manifest
     volumes:
       - pgdata:/var/lib/postgresql/data

docker/install.sh

@@ -117,7 +117,6 @@ else
 # Regenerate BETTER_AUTH_SECRET before exposing beyond localhost.
 BETTER_AUTH_SECRET=$SECRET
 BETTER_AUTH_URL=http://localhost:3001
-POSTGRES_PASSWORD=manifest
 SEED_DATA=true
 EOF
 fi