feat: 优化开发容器配置和开发环境

[andaoai]

Summary

• 更新开发容器配置以优化开发环境
• 配置开发环境使用 uv 进行依赖管理
• 添加VS Code Dev Containers支持

Test plan

• 测试开发容器启动正常
• 验证uv依赖管理功能
• 确认MongoDB集成工作正常

Summary by CodeRabbit

• Chores
  • Switched to a Docker Compose multi-service dev environment (app + MongoDB) with workspace mounts, persistent DB volume and cache.
  • Added automated container setup/start tasks, DB migrations, port forwarding for 8000/3000/27017, and VS Code tooling/customizations.
  • Updated backend project configuration and dependencies; enabled frontend dev server to listen on all network interfaces.
  • Adjusted dev user context and removed legacy devcontainer fields.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Replaces single-image devcontainer with a Docker Compose multi-service setup: adds .devcontainer/docker-compose.yml, configures app and mongodb services, updates .devcontainer/devcontainer.json for compose usage, mounts workspaces, adds port forwarding (8000, 3000, 27017), post-create/post-start commands, VSCode customizations, backend Python deps, and sets Vite host to 0.0.0.0.

Changes

Cohort / File(s)	Summary
Devcontainer manifest .devcontainer/devcontainer.json	Replace image/name with Docker Compose fields (dockerComposeFile, service, workspaceFolder); add postCreateCommand (uv install + cd /workspaces/backend && uv sync), postStartCommand (Django migrate), forwardPorts, portsAttributes (8000,3000,27017), customizations (extensions, Python settings), mounts for backend/frontend, and set remoteUser: root.
Docker Compose .devcontainer/docker-compose.yml	New Compose file defining app (ghcr.io/prulloac/base:bookworm) and mongodb (mongo:6.0) services; declares volumes (mongodb_dev_data, uv_cache), dev_network; app depends_on mongodb, sets env vars for Mongo URL and UV link mode, exposes 3000/8000, mounts workspace/backend & frontend, uses sleep infinity command; mongodb sets root credentials, DB name, data volume, exposes 27017.
Backend project metadata backend/pyproject.toml	Adds [project] metadata and dependencies: Django, djangorestframework, django-cors-headers, requests, OpenAI packages, python-gitlab, python-dateutil, gunicorn, gevent, python-dotenv, psutil; defines dev dependency-group (black, flake8, pytest, pytest-django).
Frontend dev server frontend/vite.config.ts	Sets dev server host: '0.0.0.0' so Vite listens on all network interfaces.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant VSCode as VS Code (Remote)
  participant Compose as Docker Compose
  participant App as app (container)
  participant Mongo as mongodb (container)

  Note over VSCode,Compose `#E8F5E9`: Devcontainer startup (compose-based)
  VSCode->>Compose: docker-compose up (.devcontainer/docker-compose.yml)
  Compose->>Mongo: start mongo:6.0 (27017)
  Compose->>App: start app container (3000,8000) with mounts & env
  Note right of App `#FFF3E0`: app waits (sleep infinity) for dev commands
  VSCode->>App: run postCreateCommand (uv install && uv sync)
  VSCode->>App: run postStartCommand (cd /workspaces/backend && uv run python manage.py migrate)
  App->>Mongo: connect using MONGO_URL env
  Note right of VSCode `#E3F2FD`: Ports auto-forwarded (8000,3000,27017)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Inspect .devcontainer/docker-compose.yml env vars, volume mounts, network, and restart policies.
• Verify postCreateCommand / postStartCommand correctness and working directories.
• Check backend/pyproject.toml dependency versions for compatibility and formatting.

Poem

🐰 I swapped a single image for a lively pair,
Containers hum, ports open to air,
I sync and migrate with a happy stare,
Workspaces mounted with tender care,
Hop, code, and carrots everywhere.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: optimizing dev container configuration and development environment setup with Docker Compose, uv dependency management, and VS Code integration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/devcontainer-alignment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e33e1b2 and af69a13.

📒 Files selected for processing (1)

• .devcontainer/devcontainer.json (2 hunks)

🔇 Additional comments (4)

.devcontainer/devcontainer.json (4)

2-11: Well-structured docker-compose transition.

The switch to a docker-compose-based setup with proper service configuration and workspace mounts is a solid approach for a multi-service development environment.

---

26-42: Port configuration is clear and well-documented.

The forwarding setup with descriptive labels and appropriate auto-forward notifications is good for developer experience.

---

45-55: VSCode extensions are well-selected.

The extensions for Python, Vue, Tailwind, and Docker support cover the full stack of this project.

---

65-68: Mount configuration is correct.

The workspace mounts for backend and frontend align properly with the workspaceFolder configuration.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (3)

backend/pyproject.toml (1)

31-31: Add newline at end of file.

The file is missing a newline at the end, which is a common convention and can cause issues with some tools.

Apply this diff:

     "pytest-django>=4.5.0",
 ]
+

.devcontainer/devcontainer.json (2)

23-23: Optimize postCreateCommand to avoid reinstalling uv.

The postCreateCommand downloads and installs uv every time the container is created, which is inefficient. Consider baking uv into the base image or using a dev container feature.

Options to improve this:

1. Use a custom base image with uv pre-installed
2. Create a dev container feature for uv installation
3. Check if uv exists before installing:

-	"postCreateCommand": "curl -LsSf https://astral.sh/uv/install.sh | sh && cd /workspaces/backend && uv sync",
+	"postCreateCommand": "command -v uv >/dev/null 2>&1 || curl -LsSf https://astral.sh/uv/install.sh | sh && cd /workspaces/backend && uv sync",

---

73-76: Redundant mounts configuration.

The mounts configuration explicitly binds backend and frontend directories, but the app service in docker-compose.yml already mounts the entire workspace (..:/workspaces:cached). These explicit mounts are redundant and could cause confusion.

Consider removing the redundant mounts section:

-	// 👇 挂载卷（如果有需要持久化的数据）
-	"mounts": [
-		"source=${localWorkspaceFolder}/backend,target=/workspaces/backend,type=bind",
-		"source=${localWorkspaceFolder}/frontend,target=/workspaces/frontend,type=bind"
-	],
-

The entire workspace is already mounted via the docker-compose configuration.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 251d33d and 10c6f42.

⛔ Files ignored due to path filters (2)

• backend/uv.lock is excluded by !**/*.lock
• frontend/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (4)

• .devcontainer/devcontainer.json (2 hunks)
• .devcontainer/docker-compose.yml (1 hunks)
• backend/pyproject.toml (1 hunks)
• frontend/vite.config.ts (1 hunks)

🔇 Additional comments (3)

frontend/vite.config.ts (1)

13-13: LGTM! Appropriate for containerized development.

Binding to 0.0.0.0 allows the Vite dev server to be accessible from outside the container, which is necessary for the multi-service Docker Compose setup introduced in this PR.

.devcontainer/docker-compose.yml (1)

21-21: Consider the implications of UV_LINK_MODE=copy.

The UV_LINK_MODE=copy setting copies files instead of symlinking them. While this can avoid issues with cross-filesystem linking in containers, it may increase disk usage and slow down installations.

Verify if this setting is necessary for your use case. In most containerized environments, the default symlink mode works fine and is more efficient. Test removing this line to see if the setup still works correctly.

.devcontainer/devcontainer.json (1)

57-57: I need to better understand how uv manages Python environments to properly verify the concern. Let me search for more information about uv's behavior.

Let me search for more specific information about how the python.defaultInterpreterPath setting is used in devcontainers.

Now I need to understand the actual context around this devcontainer setting. Let me search for information about whether this devcontainer uses uv with a project environment or just system Python.

Based on my verification, I can now generate the rewritten review comment. The investigation revealed that the python.defaultInterpreterPath setting is a VS Code Python extension configuration for IDE settings, not a uv-specific setting. However, the underlying concern has merit.

The review comment correctly identifies a potential issue, but the reasoning needs refinement. When using uv with a project-managed virtual environment, the path should typically be ${containerWorkspaceFolder}/.venv/bin/python, rather than the system Python path. In devcontainers, /usr/local/bin/python is appropriate only when using system Python without a project virtual environment.

The initial verification script found no virtual environment, which is expected during container setup. The actual issue depends on whether this devcontainer creates a .venv during initialization.

Update the Python interpreter path to align with your virtual environment setup.

The python.defaultInterpreterPath setting should point to your actual Python interpreter. If the devcontainer runs uv venv or uv sync during setup (in a postCreateCommand or Dockerfile), it creates a .venv directory, and the path should be updated to "${containerWorkspaceFolder}/.venv/bin/python". If you're using system Python only (without a project virtual environment), /usr/local/bin/python is correct.

Verify your devcontainer.json setup: check if postCreateCommand or the Dockerfile runs uv environment initialization. Update the interpreter path accordingly to ensure VS Code's Python extension locates the correct interpreter.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Reconsider automatic database migrations on startup.

Running migrate automatically on every container start could cause issues, especially if:

• Migrations fail and prevent the container from starting properly
• Multiple developers work on conflicting migrations
• The database state is inconsistent

Consider making migrations a manual step or at least make it more robust:

-	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
+	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate --check || echo 'Migrations need to be applied. Run: uv run python manage.py migrate'",

Or simply document that developers should run migrations manually when needed.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate --check || echo 'Migrations need to be applied. Run: uv run python manage.py migrate'",

🤖 Prompt for AI Agents

In .devcontainer/devcontainer.json around line 79, the postStartCommand
auto-runs Django migrations on every container start which can cause failed
starts and conflicts; change this to either remove the automatic migrate and
document that developers must run python manage.py migrate manually, or make it
opt-in by replacing the command with a conditional that checks an environment
variable (e.g. DEV_AUTO_MIGRATE) and only runs `python manage.py migrate` when
that variable is true, ensuring the container will not fail on migration errors.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use secrets or environment files for MongoDB credentials.

Hard-coded credentials (admin/password) are present in the compose file, even for development. This creates a security risk if the file is accidentally committed with production-like credentials or if developers adopt this pattern for other environments.

Consider using a .env file (excluded from git) or Docker secrets:

+    env_file:
+      - .env
     environment:
       - MONGODB_HOST=mongodb
       - MONGODB_PORT=27017
-      - MONGODB_USER=admin
-      - MONGODB_PASSWORD=password
+      - MONGODB_USER=${MONGODB_USER}
+      - MONGODB_PASSWORD=${MONGODB_PASSWORD}
       - UV_LINK_MODE=copy

And for the MongoDB service:

     environment:
-      MONGO_INITDB_ROOT_USERNAME: admin
-      MONGO_INITDB_ROOT_PASSWORD: password
+      MONGO_INITDB_ROOT_USERNAME: ${MONGODB_USER}
+      MONGO_INITDB_ROOT_PASSWORD: ${MONGODB_PASSWORD}
       MONGO_INITDB_DATABASE: code_review_gpt

Then create a .env.example file with placeholders and add .env to .gitignore.

Also applies to: 33-36

🤖 Prompt for AI Agents

.devcontainer/docker-compose.yml lines 17-20 (and similarly 33-36) contain
hard-coded MongoDB credentials; replace them with references to environment
variables or Docker secrets, move actual values into a local .env (or create
Docker secrets) that is excluded from git, add a .env.example with placeholder
values to the repo, and add .env to .gitignore; update the compose file to use
env_file or secret references for MONGODB_HOST, MONGODB_PORT, MONGODB_USER, and
MONGODB_PASSWORD so no plaintext credentials remain in the committed compose
file.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify MongoDB version compatibility.

MongoDB 6.0 is being used. Ensure this version is compatible with your application requirements and has no known security vulnerabilities.

---

🌐 Web query:

What is the latest stable version of MongoDB and are there any known security issues with MongoDB 6.0?

💡 Result:

Latest stable MongoDB (on‑premises): 8.2.1 (current production release). [1][5]

Known security issues with MongoDB 6.0 (summary):

• MongoDB 6.0 reached End-of-Life on July 31, 2025 — it is no longer fully supported. [2]
• Multiple security vulnerabilities affecting 6.0 were disclosed in 2025 (examples): CVE-2025-6709 (OIDC-related DoS, requires auth on 6.0; fixed in 6.0.21+), CVE-2025-6707 (privilege-cache race, fixed in 6.0.24+), and CVE-2025-10061 (aggregation/$group crash, fixed in later 6.0 patches). You should upgrade to the latest 6.0 patch (or to 8.2.x) or apply MongoDB’s security patches. [3][4][5]

If you want, I can list all 6.0 CVEs with affected/patched subversions and upgrade recommendations for your deployment.

---

Upgrade MongoDB from 6.0 — version is EOL and has known security vulnerabilities.

MongoDB 6.0 reached End-of-Life on July 31, 2025 and is no longer fully supported. Multiple security vulnerabilities affecting 6.0 were disclosed in 2025, including privilege escalation and denial-of-service issues. Upgrade to the latest 6.0 patch or to 8.2.x, or apply MongoDB's security patches. The latest stable version is MongoDB 8.2.1.

🤖 Prompt for AI Agents

.devcontainer/docker-compose.yml around line 30: the service currently pins
image: mongo:6.0 which is EOL and insecure; update the image to a supported
release (recommended: mongo:8.2.1) or at minimum to the latest 6.0 patch (e.g.,
mongo:6.0.X) depending on compatibility, then adjust any MongoDB-specific
configuration (auth, featureCompatibilityVersion, storage engine settings) if
required for the newer major version, run local integration tests and migrate or
backup data before switching, and update any documentation or CI/devcontainer
references to reflect the new image tag.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify dependency versions for security vulnerabilities and latest releases.

Several dependencies are pinned to specific versions that may be outdated or have known security vulnerabilities. Given the project involves Django and OpenAI integrations, it's critical to ensure these are secure.

Run the following script to check for security advisories and available updates:

---

🏁 Script executed:

#!/bin/bash
# Check for security vulnerabilities in Python dependencies

echo "=== Checking for security advisories ==="
for pkg in "Django" "djangorestframework" "django-cors-headers" "requests" "openai" "python-gitlab" "gunicorn" "gevent"; do
  echo "--- $pkg ---"
  gh api graphql -f query="
  {
    securityVulnerabilities(first: 5, ecosystem: PIP, package: \"$pkg\") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }"
done

echo ""
echo "=== Checking latest versions on PyPI ==="
for pkg in "Django" "djangorestframework" "django-cors-headers" "requests" "openai" "litellm" "python-gitlab" "gunicorn"; do
  echo -n "$pkg: "
  curl -s "https://pypi.org/pypi/$pkg/json" | jq -r '.info.version'
done

Length of output: 4857

---

Update dependencies to address critical and high-severity security vulnerabilities.

Verification found multiple security issues:

• CRITICAL: Django 4.1.13 contains SQL injection vulnerability via _connector keyword argument (update to ≥4.2.26)
• HIGH: Gunicorn 21.2.0 contains HTTP Request/Response Smuggling and request smuggling vulnerabilities (update to ≥22.0.0)
• MODERATE: Requests 2.31.0 contains .netrc credentials leak and session verification bypass (update to ≥2.32.4)
• LOW/MODERATE: djangorestframework 3.14.0 contains XSS vulnerabilities (update to ≥3.15.2)

Recommended versions: Django ≥4.2.26, Gunicorn ≥22.0.0, requests ≥2.32.5, djangorestframework ≥3.16.1

🤖 Prompt for AI Agents

In backend/pyproject.toml around lines 1 to 31, several pinned dependencies have
known security vulnerabilities; update the listed packages to the recommended
minimum safe versions: set "Django" to >=4.2.26 (or a specific secure patch),
"gunicorn" to >=22.0.0, "requests" to >=2.32.5 (or >=2.32.4 if preferred), and
"djangorestframework" to >=3.16.1, then run dependency resolution
(pip-tools/poetry/installer) and run tests to ensure compatibility and adjust
any code breaking changes.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

.devcontainer/devcontainer.json (1)

71-71: Automatic database migrations should be opt-in, not automatic.

This line auto-runs Django migrations on every container start, which can cause issues if migrations fail or conflict. This concern was flagged in a previous review.

Consider making migrations opt-in or at least conditional:

-	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate",
+	"postStartCommand": "cd /workspaces/backend && uv run python manage.py migrate --check || echo 'ℹ️  Migrations pending. Run: uv run python manage.py migrate'",

Alternatively, document that developers must run migrations manually after pulling schema changes.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 10c6f42 and e33e1b2.

📒 Files selected for processing (1)

• .devcontainer/devcontainer.json (2 hunks)

🔇 Additional comments (4)

.devcontainer/devcontainer.json (4)

45-62: VSCode customizations look well-structured.

The selection of extensions (Python, Black, Flake8, Vue/TypeScript, Tailwind, Docker) and formatting settings align well with a full-stack Python/Vue development environment.

---

26-42: Port forwarding and attributes are well-configured.

Port assignments (8000 for Django, 3000 for Vue, 27017 for MongoDB) are clear and appropriately labeled. The onAutoForward settings are sensible (notify for app services, silent for database).

---

65-68: Mounts configuration appropriate for isolated services.

Binding backend and frontend directories into the container enables live editing and is a good practice for dev containers.

---

74-74: Manual verification required: Confirm the vscode user exists in the base image.

The configuration uses an external base image (ghcr.io/prulloac/base:bookworm) and relies entirely on it to provide the vscode user. The codebase contains no user creation logic. You must verify that your base image includes the vscode user with appropriate permissions and sudo access. Consult the base image documentation or run a test container to confirm.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Inefficient uv installation on every container creation.

Installing uv via a shell script in postCreateCommand runs on every container creation, which is inefficient. The uv tool should be installed once during the Docker image build process.

Move the uv installation to the Dockerfile or a build script so it's baked into the image, then simplify the postCreateCommand:

-	"postCreateCommand": "curl -LsSf https://astral.sh/uv/install.sh | sh && cd /workspaces/backend && uv sync",
+	"postCreateCommand": "cd /workspaces/backend && uv sync",

Ensure your Docker image (referenced by docker-compose.yml) installs uv during the build:

RUN curl -LsSf https://astral.sh/uv/install.sh | sh
ENV PATH="/root/.cargo/bin:${PATH}"

🤖 Prompt for AI Agents

.devcontainer/devcontainer.json around line 23: the postCreateCommand currently
installs uv on every container creation which is inefficient; move the uv
installation into the Docker image build instead (e.g., add the curl install
command and PATH update in the Dockerfile or build script used by
docker-compose), then simplify postCreateCommand to only run workspace setup
(remove the curl install) so uv is baked into the image and not reinstalled each
time.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Python interpreter path for uv-managed environments.

The configured Python interpreter path /usr/local/bin/python may not match where uv creates or locates the Python interpreter in its virtual environment.

Once the container is running, verify the correct interpreter path by running:

Then update the setting to match the actual interpreter path if needed. Alternatively, leave the setting unset and let VSCode auto-detect from the uv environment.

---

🏁 Script executed:

cd /workspaces/backend && uv run which python

Length of output: 69

---

I need to gather information about how uv manages Python interpreters and the best practices for VSCode devcontainer configuration.

I need to examine the actual devcontainer configuration to provide a more informed rewrite. Let me search for the full devcontainer.json file.

This command didn't clonethe repository. Let me try with the repo:

---

🏁 Script executed:

```shell
#!/bin/bash
# Find and examine devcontainer.json
fd devcontainer.json --type f

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Examine the devcontainer.json file
cat .devcontainer/devcontainer.json | head -100

Length of output: 1986

---

Now let me search for best practices on configuring uv with VSCode devcontainers.

Now I have enough information to provide a definitive rewrite. The review's concern is valid—the hardcoded /usr/local/bin/python points to the system Python, not the uv-managed virtual environment.

Update python.defaultInterpreterPath to point to the uv-managed virtual environment instead of the system Python.

Based on the devcontainer configuration, uv sync is run in /workspaces/backend (line 16: postCreateCommand: "curl ... && cd /workspaces/backend && uv sync"), which creates .venvat that location. Updatepython.defaultInterpreterPath` to use the workspace-relative variable for the venv position with uv.

Change line 57 from:

"python.defaultInterpreterPath": "/usr/local/bin/python",

To:

"python.defaultInterpreterPath": "/workspaces/backend/.venv/bin/python",

🤖 Prompt for AI Agents

.devcontainer/devcontainer.json around line 57: the
python.defaultInterpreterPath is hardcoded to the system Python
(/usr/local/bin/python) which won't point to the uv-created virtualenv; change
it to the workspace venv path used by the postCreateCommand (set
python.defaultInterpreterPath to /workspaces/backend/.venv/bin/python) so VSCode
uses the uv-managed virtual environment.