feat(docker): add environment-based debugger control#40327

Open
sha174n wants to merge 2 commits into apache:master from sha174n:fix/environment-based-debugger-control
@sha174n
Contributor

@sha174n sha174n commented May 21, 2026

Summary

Adds environment variable control for the Werkzeug debugger in Docker development containers to address security concerns with the exposed /console endpoint.

Security Context

While modern Werkzeug includes PIN protection for the debugger console, the PIN can be calculated deterministically in Docker environments using known container defaults combined with readable system files. This change implements defense-in-depth by disabling the debugger by default.

Changes

  • Added SUPERSET_DEBUG_ENABLED environment variable check
  • Debugger disabled by default, enabled only when explicitly requested
  • Clear startup messaging shows current debugger state
  • Maintains all existing functionality for development workflows

Usage

Default behavior (secure):

docker compose up app
# Shows: "🔒 Werkzeug debugger disabled"

Enable debugging when needed:

SUPERSET_DEBUG_ENABLED=true docker compose up app
# Shows: "⚠️ Werkzeug debugger enabled"

Testing Instructions

  1. Start dev container with default settings - verify debugger disabled message
  2. Start with SUPERSET_DEBUG_ENABLED=true - verify debugger enabled message
  3. Confirm existing development workflows unchanged

🤖 Generated with Claude Code

Add SUPERSET_DEBUG_ENABLED environment variable to control Werkzeug
debugger in development Docker containers. Debugger is disabled by
default and only enabled when explicitly requested.

Security benefits:
- Defense-in-depth: debugger disabled by default in Docker
- Maintains functionality: developers can enable when needed
- Clear visibility: startup messages show debugger status
- PIN protection: modern Werkzeug includes PIN protection

Usage:
- Default: debugger disabled (secure)
- SUPERSET_DEBUG_ENABLED=true: debugger enabled with PIN protection

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@dosubot dosubot Bot added infra:container Infra container and K8s install:docker Installation - docker container labels May 21, 2026
@bito-code-review
Contributor

bito-code-review Bot commented May 21, 2026

Code Review Agent Run #13d0df

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: e8bb4f9..e8bb4f9
    • docker/docker-bootstrap.sh
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful


Comment thread docker/docker-bootstrap.sh
@bito-code-review
Contributor

The PR diff shows a change to the docker/docker-bootstrap.sh file. The modification introduces a conditional check for the SUPERSET_DEBUG_ENABLED environment variable to control the Werkzeug debugger flag. When SUPERSET_DEBUG_ENABLED is set to 'true', the debugger is enabled with a warning message; otherwise, it is disabled with a message indicating how to enable it. This change aims to align the debugger state with the SUPERSET_DEBUG_ENABLED flag and provide clearer feedback.

docker/docker-bootstrap.sh

10: +
11: +    # Environment-based debugger control for security
12: +    # Only enable Werkzeug interactive debugger when explicitly requested
13: +    # Modern Werkzeug (3.0+) includes PIN protection, but defense-in-depth approach
14: +    DEBUGGER_FLAG=""
15: +    if [[ "${SUPERSET_DEBUG_ENABLED:-}" == "true" ]]; then
16: +        DEBUGGER_FLAG="--debugger"
17: +        echo "  ⚠️  Werkzeug debugger enabled (requires PIN for /console access)"
18: +    else
19: +        echo "  🔒 Werkzeug debugger disabled (set SUPERSET_DEBUG_ENABLED=true to enable)"
20: +    fi
21: +
22: +    flask run -p $PORT --reload $DEBUGGER_FLAG --host=0.0.0.0 --exclude-patterns "*/node_modules/*:*/.venv/*:*/build/*:*/__pycache__/*:*/superset-frontend/*"
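
Review bot: With `DEBUGGER_FLAG=""` on line 14, the disabled branch passes no debugger option to `flask run` on line 22, so the debugger falls back to Flask's default, which follows debug mode; if `FLASK_DEBUG` is set in the container, the console stays active while the script prints the "disabled" message on line 19. Initialise the variable to `--no-debugger` and switch it to `--debugger` only in the `true` branch, so the printed state always matches what actually runs. Because line 22 also binds `--host=0.0.0.0`, the enabled-branch message on line 17 should state that the console is reachable on every interface the container publishes, rather than presenting the PIN as the only gate. Quoting `"$PORT"` on the same line would be a small hardening as well.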

Comment thread docker/docker-bootstrap.sh Outdated
…tation

- Fix critical issue where FLASK_DEBUG=true overrode debugger control
- Use --no-debugger explicitly when SUPERSET_DEBUG_ENABLED != true
- Add security warnings to PyPI installation docs
- Document SUPERSET_DEBUG_ENABLED environment variable
- Address Codeant security review findings

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
@pull-request-size pull-request-size Bot added size/M and removed size/S labels May 21, 2026
@github-actions github-actions Bot added the doc Namespace | Anything related to documentation label May 21, 2026
@netlify

netlify Bot commented May 21, 2026

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 48ce998
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a0eca6c84cf2500082d36d3
😎 Deploy Preview https://deploy-preview-40327--superset-docs-preview.netlify.app
