fix: regressions to docker

docker-compose.yml

@@ -72,20 +72,23 @@ services:
       - -c
       - |
         url="http://host.docker.internal:9000/static/assets/manifest.json"
-        max_attempts=150  # ~5 minutes at 2s intervals
+        max_attempts=300  # ~10 minutes at 2s intervals; first build can be slow
-        echo "Waiting for webpack dev server at $url..."
+        echo "Waiting for webpack dev server at $$url..."
         attempt=0
-        until curl -sf --max-time 5 -o /dev/null "$url"; do
+        until curl -sf --max-time 5 -H "Host: localhost" -o /dev/null "$$url"; do
-          attempt=$((attempt + 1))
+          attempt=$$((attempt + 1))
-          if [ "$attempt" -ge "$max_attempts" ]; then
+          if [ "$$attempt" -ge "$$max_attempts" ]; then
-            echo "ERROR: webpack dev server did not serve $url after $max_attempts attempts (~5 minutes)." >&2
+            echo "ERROR: webpack dev server did not serve $$url after $$max_attempts attempts." >&2
             echo "Is the dev server running? With BUILD_SUPERSET_FRONTEND_IN_DOCKER=false you must start it on the host (e.g. 'npm run dev' in superset-frontend)." >&2
             exit 1
           fi
+          if [ $$((attempt % 15)) -eq 0 ]; then
+            echo "Still waiting for webpack dev server... ($$attempt/$$max_attempts)"
+          fi
           sleep 2
         done
         echo "Webpack dev server is ready; starting nginx."
-        exec nginx -g 'daemon off;'
+        exec /docker-entrypoint.sh nginx -g 'daemon off;'
 
   redis:
     image: redis:7

docker/docker-bootstrap.sh

@@ -81,17 +81,17 @@ case "${1}" in
   app)
     echo "Starting web app (using development server)..."
 
-    # Environment-based debugger control for security
+    # Always run in Flask debug mode here: this is the dev compose entrypoint,
-    # Only enable Werkzeug interactive debugger when explicitly requested
+    # and Superset's Talisman selector keys off app.debug to serve the dev CSP
-    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
+    # (which permits 'unsafe-eval' required by React Refresh / HMR).
-    # Override FLASK_DEBUG so the effective state matches SUPERSET_DEBUG_ENABLED even
+    export FLASK_DEBUG=1
-    # when FLASK_DEBUG=true is inherited from docker/.env or .flaskenv
+
+    # Werkzeug's interactive debugger (/console) is a separate, security-sensitive
+    # feature and must be opted into explicitly via SUPERSET_DEBUG_ENABLED=true.
     if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
-        export FLASK_DEBUG=1
         DEBUGGER_FLAG="--debugger"
         echo "  ⚠️  Werkzeug debugger enabled (requires PIN for /console access)"
     else
-        export FLASK_DEBUG=0
         DEBUGGER_FLAG="--no-debugger"
         echo "  🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
     fi