fix: static volume names and external proxy access for devcontainer (#390)

* fix: suppress act() warnings and unhandled rejections in tests

Configure testing-library for React 18+ and suppress harmless act()
warnings that occur due to async state updates completing after test cleanup.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* feat: upgrade postgresql from 16 to 18

Upgrade devcontainer database to PostgreSQL 18.1 (released Sept 2025).

Key benefits:
- 3x performance with new Async I/O subsystem
- UUIDv7 function for timestamp-ordered UUIDs
- Virtual generated columns
- Skip scan on multicolumn B-tree indexes
- OAuth 2.0 authentication support

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: add init to devcontainer to prevent zombie processes

Adds `init: true` to the devcontainer service which uses tini as PID 1.
This properly reaps zombie processes that accumulate from DevPod sessions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: add container naming convention for devpod

Adds instructions for configuring username-based container names
when multiple developers share the same remote server.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: update proxy template with postgres 18 and init

- Upgrade PostgreSQL from 16 to 18
- Add init: true to prevent zombie processes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: use static volume names for docker compose compatibility

Docker Compose doesn't support variable interpolation in volume
name keys. Use static names - Docker Compose will prefix them with
the project name automatically for isolation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* docs: update volumes section for static naming

Update documentation to reflect that Docker Compose uses static volume
names (postgres-data, redis-data, etc.) instead of variable-interpolated
names. Docker Compose automatically prefixes these with the project name
for isolation between projects.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: use volume name property for user isolation

Use the 'name:' property within volume definitions instead of variable
interpolation in volume keys. This provides:
- Valid Docker Compose syntax (keys must be static)
- User-specific volume names (e.g., alice-postgres-data)
- Proper isolation between users on shared Docker hosts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: configure traefik network and vite for external proxy access

- add traefik.docker.network label to docker-compose.yml to fix 504 errors
  when container is on multiple networks
- add allowedHosts: true to vite.config.js to allow external proxy access
- document SSH auth failures, Traefik routing, and Vite host issues in
  LESSONS_LEARNED.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* chore: update package-lock.json

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: restrict vite allowed hosts to specific domains for security

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Mohsin Hashmi <mhashmi@wiser.com>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: 3 people

.devcontainer/docker-compose.yml

@@ -69,6 +69,7 @@ services:
     # Traefik labels for external routing (active when connected to dev-proxy-network)
     labels:
       - 'traefik.enable=true'
+      - 'traefik.docker.network=dev-proxy-network'
       # Frontend routing (port 3000)
       - 'traefik.http.routers.${USER:-devuser}-frontend.rule=HostRegexp(`${USER:-devuser}.{ip:[0-9-]+}.nip.io`)'
       - 'traefik.http.routers.${USER:-devuser}-frontend.entrypoints=web'

apps/frontend/vite.config.js

@@ -113,6 +113,7 @@ export default defineConfig({
     host: true, // Listen on all interfaces (0.0.0.0 and ::)
     open: false, // Don't auto-open browser
     strictPort: false, // Allow fallback to next available port if 3000 is taken
+    allowedHosts: ['localhost', '.nip.io', '.dev.simpleaccounts.local'], // Restrict to known hosts for security
     // Reduce memory usage in dev
     fs: {
       // Limit file system access

docs/LESSONS_LEARNED.md

@@ -10,6 +10,9 @@ This document captures important lessons learned during development to prevent r
 2. [Apache POI / Java 17 Compatibility](#2-apache-poi--java-17-compatibility)
 3. [SonarQube SSL Configuration in Coolify](#3-sonarqube-ssl-configuration-in-coolify)
 4. [Java Dependency Version Validity & API Stability](#4-java-dependency-version-validity--api-stability)
+5. [DevPod SSH Authentication Failures](#5-devpod-ssh-authentication-failures)
+6. [Traefik Multi-Network Container Routing](#6-traefik-multi-network-container-routing)
+7. [Vite External Host Access (403 Forbidden)](#7-vite-external-host-access-403-forbidden)
 
 ---
 
@@ -190,4 +193,250 @@ java.lang.NoSuchMethodError: org.apache.commons.csv.CSVFormat.withFirstRecordAsH
 
 ---
 
+## 5. DevPod SSH Authentication Failures
+
+**Date:** December 2025
+
+**Issue:** DevPod workspace creation gets stuck indefinitely on "Waiting for devpod agent to come up..." and eventually fails with SSH authentication errors.
+
+**Root Cause:**
+Multiple SSH keys loaded in the ssh-agent cause the SSH server to reject the connection before finding the correct key. The server's `MaxAuthTries` limit (typically 6) is exceeded when DevPod tries each key in the agent sequentially.
+
+**Error Messages:**
+
+```
+Too many authentication failures
+Disconnected from 65.108.51.136 port 22
+
+# Or after clearing agent:
+moshinhashmi@65.108.51.136: Permission denied (publickey,password).
+```
+
+**Symptoms:**
+
+- DevPod repeatedly shows "Waiting for devpod agent to come up..."
+- Debug mode (`--debug`) reveals "Too many authentication failures"
+- SSH works fine from terminal but DevPod fails
+- The issue persists even after configuring `IdentitiesOnly yes` in SSH config
+
+**Technical Details:**
+
+1. DevPod by default adds ALL private keys from `~/.ssh/` to the ssh-agent before connecting
+2. Even with `IdentitiesOnly yes` in SSH config, the ssh-agent keys are tried first
+3. With 6+ keys in the agent, the server rejects before the correct key is tried
+4. DevPod also needs SSH agent forwarding enabled for git operations on the remote
+
+**Solution:**
+
+1. **Disable DevPod's automatic key loading:**
+   ```bash
+   devpod context set-options -o SSH_ADD_PRIVATE_KEYS=false
+   ```
+
+2. **Add `ForwardAgent yes` to SSH config for git credential forwarding:**
+   ```
+   Host dev-server
+       HostName 65.108.51.136
+       User mohsin
+       IdentityFile ~/.ssh/id_ed25519
+       IdentitiesOnly yes
+       ForwardAgent yes
+       ServerAliveInterval 30
+       ServerAliveCountMax 3
+       TCPKeepAlive yes
+   ```
+
+3. **Manually manage ssh-agent keys - load only required keys:**
+   ```bash
+   # Clear all keys
+   ssh-add -D
+
+   # Add only the key for the dev server
+   ssh-add ~/.ssh/id_ed25519
+
+   # Add GitHub key for git operations (will be forwarded)
+   ssh-add ~/.ssh/id_rsa_personal
+
+   # Verify only 2 keys are loaded
+   ssh-add -l
+   ```
+
+4. **Clean up and recreate the workspace:**
+   ```bash
+   # Delete the stuck workspace
+   devpod delete <workspace-name> --force
+
+   # Clean up remote containers if needed
+   ssh dev-server "docker ps -a --format '{{.Names}}' | xargs -r docker rm -f"
+
+   # Pull latest image
+   ssh dev-server "docker pull ghcr.io/simpleaccounts/simpleaccounts-uae-devcontainer:latest"
+
+   # Create fresh workspace from current directory
+   devpod up . --provider ssh --ide cursor --id simpleaccounts-uae
+   ```
+
+**Prevention:**
+
+1. Always set `SSH_ADD_PRIVATE_KEYS=false` in DevPod context when using multiple SSH keys
+2. Configure `ForwardAgent yes` in SSH config for hosts where you need git access
+3. Keep only necessary keys in ssh-agent (2-3 max)
+4. Use explicit `IdentityFile` and `IdentitiesOnly yes` in SSH config
+5. When DevPod hangs on agent startup, use `--debug` flag to see the actual error
+
+**DevPod Configuration Reference:**
+
+```bash
+# View current SSH provider options
+devpod provider options ssh
+
+# Update SSH provider with specific flags (if needed)
+devpod provider update ssh -o EXTRA_FLAGS="-o IdentitiesOnly=yes"
+
+# List workspaces
+devpod list
+
+# Delete workspace with force
+devpod delete <name> --force
+```
+
+**Related Commands:**
+
+```bash
+# Check ssh-agent keys
+ssh-add -l
+
+# Clear all keys from agent
+ssh-add -D
+
+# Add specific key
+ssh-add ~/.ssh/id_ed25519
+
+# Test SSH connection with verbose output
+ssh -v dev-server "echo OK"
+
+# Test SSH agent forwarding
+ssh -A dev-server "ssh -T git@github.com"
+```
+
+---
+
+## 6. Traefik Multi-Network Container Routing
+
+**Date:** December 2025
+
+**Issue:** External URLs via Traefik return 504 Gateway Timeout, even though services are running inside the container and Traefik shows them as "UP".
+
+**Root Cause:**
+When a Docker container is connected to multiple networks, Traefik may pick the wrong network IP to route traffic. Traefik selects the first network alphabetically unless explicitly configured.
+
+**Symptoms:**
+
+- Traefik API shows services as "UP" with an IP address
+- Requests via Traefik timeout (504 Gateway Timeout)
+- Direct container access works fine
+- Container is on multiple Docker networks
+
+**Example Scenario:**
+```
+Container dev-mohsin:
+  - mohsin-internal: 172.18.0.4  (internal network for db/redis)
+  - dev-proxy-network: 172.19.0.3  (Traefik's network)
+
+Traefik incorrectly tries to route to 172.18.0.4 (wrong network)
+```
+
+**Solution:**
+
+Add the `traefik.docker.network` label to specify which network Traefik should use:
+
+```yaml
+# docker-compose.yml
+services:
+  devcontainer:
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.docker.network=dev-proxy-network'  # Add this line!
+      - 'traefik.http.routers.myapp.rule=Host(`myapp.example.com`)'
+      - 'traefik.http.services.myapp.loadbalancer.server.port=3000'
+```
+
+After adding the label, restart both the container and Traefik:
+```bash
+docker restart my-container
+docker restart traefik
+```
+
+**Prevention:**
+
+1. Always add `traefik.docker.network` label when containers are on multiple networks
+2. Keep the Traefik proxy network consistent across all services
+3. Verify the correct IP is shown in Traefik dashboard after changes
+4. When debugging, check `docker inspect <container>` to see all network IPs
+
+**Verification:**
+```bash
+# Check Traefik is using correct IP
+curl -s http://localhost:8090/api/http/services | python3 -c \
+  'import json,sys; [print(s["name"], s.get("serverStatus",{})) for s in json.load(sys.stdin)]'
+
+# Should show the dev-proxy-network IP, not internal network IP
+```
+
+---
+
+## 7. Vite External Host Access (403 Forbidden)
+
+**Date:** December 2025
+
+**Issue:** Vite dev server returns 403 Forbidden when accessed via external proxy (Traefik) or non-localhost hostname.
+
+**Root Cause:**
+Vite 5+ has stricter security defaults that reject requests from unknown hosts. Even with `--host 0.0.0.0`, Vite validates the `Host` header and blocks requests that don't match localhost or allowed patterns.
+
+**Error Message:**
+
+- HTTP 403 Forbidden response
+- No error in Vite logs (silent rejection)
+
+**Symptoms:**
+
+- `curl localhost:3000` works
+- `curl external-url.nip.io` returns 403
+- No CORS errors (not a CORS issue)
+- Traefik shows service as UP
+
+**Solution:**
+
+Add `allowedHosts` with a restricted allowlist to the Vite server configuration:
+
+```javascript
+// vite.config.js
+export default defineConfig({
+  server: {
+    port: 3000,
+    host: true, // Listen on all interfaces
+    allowedHosts: ['localhost', '.nip.io', '.dev.simpleaccounts.local'], // Restrict to known hosts
+  },
+});
+```
+
+**Security Note:** Avoid using `allowedHosts: true` as it disables Vite's host-header check, which mitigates DNS rebinding attacks. Always use a specific allowlist.
+
+**Common patterns:**
+- `.nip.io` - for dynamic IP-based URLs (e.g., `user.65-108-51-136.nip.io`)
+- `.dev.simpleaccounts.local` - for local domain routing
+- `localhost` - for local development
+
+**Prevention:**
+
+1. When setting up proxy access, always configure `allowedHosts` in Vite
+2. Use wildcard patterns for dynamic subdomains (e.g., `.nip.io`)
+3. Document the required Vite configuration for external access
+4. Test with the actual external URL during development setup
+
+**Note:** This is a security feature. In production, Vite's dev server should not be exposed - use a proper build instead.
+
+---
+
 _Add new lessons learned above this line, following the same format._