Feat: Add Docker Compose, security tools, and improve logging (#8)

CharlesPoulin · web-flow · commit 990e31ae1213 · 2026-01-14T19:20:01.000-05:00
Introduces docker-compose.yml and .dockerignore for container
orchestration and build optimization. Switches Dockerfile to use the
official Python image and installs uv via pip. Adds pip-audit and
detect-secrets to pre-commit and dev dependencies, and updates
Taskfile.yml with new security and Docker tasks. Improves logging in
FastAPI app and main entrypoint, refines global exception handling, and
updates tests for logger usage. Removes SECURITY.md and unused test
fixture. Dependabot schedule changed to weekly.

## Description

Please include a summary of the change and which issue is fixed.

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] Documentation update

## Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] New and existing unit tests pass locally with `make test`
diff --git a/.coverage b/.coverage
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,22 @@
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+env/
+venv/
+.venv/
+pip-log.txt
+pip-delete-this-directory.txt
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.log
+.git
+.mypy_cache
+.pytest_cache
+.hypothesis
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,7 +4,7 @@ updates:
   - package-ecosystem: "pip"
     directory: "/"
     schedule:
-      interval: "daily"
+      interval: "weekly"
       time: "09:00"
       timezone: "America/New_York"
     labels:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -20,3 +20,14 @@ repos:
       - id: bandit
         args: ["-r", "src"]
         exclude: ^tests/
+
+  - repo: https://github.com/pypa/pip-audit
+    rev: v2.7.3
+    hooks:
+      - id: pip-audit
+        args: ["--progress-spinner", "off"]
+
+  - repo: https://github.com/Yelp/detect-secrets
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -16,5 +16,6 @@
     ],
     "mypy-type-checker.args": [
         "--config-file=pyproject.toml"
-    ]
+    ],
+    "makefile.configureOnOpen": false
 }
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,8 @@
-# Use a Python image with uv pre-installed
-FROM ghcr.io/astral-sh/uv:python3.13-bookworm-slim
+# Use standard Python image to avoid ghcr.io auth issues
+FROM python:3.13-slim
+
+# Install uv
+RUN pip install uv
 
 # Set the working directory to /app
 WORKDIR /app
diff --git a/SECURITY.md b/SECURITY.md
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -67,9 +67,10 @@ tasks:
       - uv run python -m mypy src tests
 
   security:
-    desc: Run bandit security checks
+    desc: Run all security checks (bandit, pip-audit)
     cmds:
       - uv run bandit -r src
+      - task: security-audit
 
   check:
     desc: Run all checks (lint, format, type-check, security, test)
@@ -103,6 +104,21 @@ tasks:
     cmds:
       - docker run --rm defaultpython
 
+  docker-up:
+    desc: Start services with docker compose
+    cmds:
+      - docker compose up --build
+
+  docker-down:
+    desc: Stop services
+    cmds:
+      - docker compose down
+
+  security-audit:
+    desc: Check for known security vulnerabilities in dependencies
+    cmds:
+      - uv run pip-audit
+
   pre-commit:
     desc: Run pre-commit hooks on all files
     cmds:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,13 @@
+services:
+  app:
+    build: .
+    image: defaultpython-app
+    environment:
+      - APP_ENV=production
+    volumes:
+      - .:/app
+      - /app/.venv
+    # If/when you switch to a web server, uncomment ports:
+    # ports:
+    #   - "8000:8000"
+    # command: uvicorn defaultpython.main:app --host 0.0.0.0 --port 8000 --reload
diff --git a/pyproject.toml b/pyproject.toml
@@ -11,6 +11,7 @@ requires-python = ">=3.13"
 dependencies = [
     "fastapi>=0.128.0",
     "pydantic-settings>=2.12.0",
+    "python-dotenv>=1.2.1",
     "uvicorn>=0.40.0",
 ]
 
@@ -58,6 +59,9 @@ disallow_untyped_defs = true
 [dependency-groups]
 dev = [
     "bandit>=1.9.2",
+    "detect-secrets>=1.5.0",
+    "pip-audit>=2.7.3",
+    "vulture>=2.11",
     "commitizen>=4.11.3",
     "httpx>=0.28.1",
     "mypy>=1.19.1",
diff --git a/src/defaultpython/api.py b/src/defaultpython/api.py
@@ -1,3 +1,4 @@
+import logging
 from collections.abc import AsyncGenerator
 from contextlib import asynccontextmanager
 
@@ -7,6 +8,8 @@
 from .config import get_settings
 from .main import main as run_main_logic
 
+logger = logging.getLogger(__name__)
+
 
 @asynccontextmanager
 async def lifespan(_app: FastAPI) -> AsyncGenerator[None]:
@@ -16,12 +19,14 @@ async def lifespan(_app: FastAPI) -> AsyncGenerator[None]:
     """
     # Startup logic
     settings = get_settings()
-    print(f"Starting {settings.PROJECT_NAME} in {settings.ENVIRONMENT} mode...")
+    logger.info(
+        "Starting %s in %s mode...", settings.PROJECT_NAME, settings.ENVIRONMENT
+    )
 
     yield
 
     # Shutdown logic
-    print(f"Shutting down {settings.PROJECT_NAME}...")
+    logger.info("Shutting down %s...", settings.PROJECT_NAME)
 
 
 def create_app() -> FastAPI:
@@ -32,18 +37,25 @@ def create_app() -> FastAPI:
         title=settings.PROJECT_NAME,
         version=settings.VERSION,
         lifespan=lifespan,
-        docs_url=None,
-        redoc_url=None,
+        docs_url="/docs" if settings.DEBUG else None,
+        redoc_url="/redoc" if settings.DEBUG else None,
     )
 
     @app.exception_handler(Exception)
     async def global_exception_handler(
-        _request: Request, exc: Exception
+        request: Request, exc: Exception
     ) -> JSONResponse:
         """Global exception handler to return consistent JSON errors."""
+        logger.exception(
+            "Unhandled exception: %s", exc, extra={"path": request.url.path}
+        )
+
+        # Don't expose internal error details in production
+        error_detail = str(exc) if settings.DEBUG else "Internal Server Error"
+
         return JSONResponse(
             status_code=500,
-            content={"detail": "Internal Server Error", "error": str(exc)},
+            content={"detail": "Internal Server Error", "error": error_detail},
         )
 
     @app.get("/health")
diff --git a/src/defaultpython/main.py b/src/defaultpython/main.py
@@ -17,10 +17,10 @@ def main() -> None:
     """
     load_dotenv()
 
-    app_env: str | None = os.getenv("APP_ENV", "development")
+    app_env: str = os.getenv("APP_ENV", "development")
 
     logger.info("Starting defaultpython in %s mode", app_env)
-    print(f"Hello from defaultpython! Environment: {app_env}")
+    logger.info("Hello from defaultpython! Environment: %s", app_env)
 
 
 if __name__ == "__main__":
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -4,12 +4,6 @@
 from fastapi.testclient import TestClient
 
 from defaultpython.api import app
-from defaultpython.config import Settings, get_settings
-
-
-@pytest.fixture
-def settings() -> Settings:
-    return get_settings()
 
 
 @pytest.fixture
diff --git a/tests/test_main.py b/tests/test_main.py
@@ -1,8 +1,17 @@
+from unittest.mock import patch
+
+import pytest
+
 from defaultpython.main import main
 
 
-def test_main_runs() -> None:
-    """Basic test to ensure main function exists and runs without error."""
-    # Since main() currently just prints, we'll just call it.
-    # In a real app, you might mock stdout or check return values.
-    main()
+def test_main_runs(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Test main function loads environment and logs correctly."""
+    monkeypatch.setenv("APP_ENV", "testing")
+
+    with patch("defaultpython.main.logger") as mock_logger:
+        main()
+        # Verify logger was called with the environment
+        assert mock_logger.info.call_count == 2
+        calls = [str(call) for call in mock_logger.info.call_args_list]
+        assert any("testing" in str(call) for call in calls)
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -16,5 +16,6 @@`
`16`	`16`	`],`
`17`	`17`	`"mypy-type-checker.args": [`
`18`	`18`	`"--config-file=pyproject.toml"`
`19`		`- ]`
	`19`	`+ ],`
	`20`	`+ "makefile.configureOnOpen": false`
`20`	`21`	`}`