fix(docker): remove host port bindings, add idempotent role passwords, Kong app route

Dokploy deployment fixes:
- Remove all host port bindings (Kong 8000/8443/3000, Studio 54323, Inbucket 54324,
  DB 5432) — Traefik handles external routing in Dokploy, host ports conflict
  with other services on the shared server
- Add idempotent ALTER ROLE password commands to db-migrate service — ensures
  role passwords are set even when DB volume persists across deployments
  (docker-entrypoint-initdb.d only runs on empty data dirs)
- Add catch-all app route to Kong config — proxies / to localhost:3000
  (Next.js app via network_mode: service:supabase-kong)
Zaid Marzguioui
2026-03-31 18:09:10 +02:00
parent a1470bd9f4
commit 5f3d23273c
2 changed files with 31 additions and 9 deletions


@@ -6,6 +6,9 @@
# ⚠️ First deploy: `docker compose up -d` creates the DB from scratch with
# all Supabase roles/schemas via the image's built-in init scripts, then
# runs app migrations from the mounted volume.
#
# 🔒 Port bindings are intentionally omitted — in Dokploy, Traefik handles
# external routing. Services communicate via the Docker network.
services:
# =====================================================
@@ -30,7 +33,10 @@ services:
timeout: 5s
retries: 10
# Run app migrations, seed, and dev patches after DB is healthy
# Run app migrations, seed, and dev patches after DB is healthy.
# Also ensures role passwords are set (idempotent) — covers the case
# where the DB volume already existed from a previous deployment and
# /docker-entrypoint-initdb.d/ scripts didn't re-run.
supabase-db-migrate:
image: supabase/postgres:15.8.1.060
depends_on:
@@ -42,9 +48,22 @@ services:
- ./docker/db/dev-bootstrap.sh:/app-seed/dev-bootstrap.sh:ro
environment:
PGPASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
entrypoint: ["/bin/sh", "-c"]
command:
- |
echo "🔑 Ensuring role passwords are set (idempotent)..."
psql -h supabase-db -U supabase_admin -d postgres -v ON_ERROR_STOP=0 <<-EOSQL
ALTER ROLE authenticator WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
ALTER ROLE supabase_storage_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
ALTER ROLE supabase_auth_admin WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
ALTER ROLE dashboard_user WITH LOGIN PASSWORD '${POSTGRES_PASSWORD}';
ALTER ROLE postgres WITH PASSWORD '${POSTGRES_PASSWORD}';
CREATE SCHEMA IF NOT EXISTS _realtime;
GRANT ALL ON SCHEMA _realtime TO supabase_admin;
GRANT USAGE ON SCHEMA _realtime TO postgres, anon, authenticated, service_role;
EOSQL
echo ""
echo "Running app migrations..."
for sql in /app-migrations/*.sql; do
echo " → $$sql"
@@ -220,8 +239,6 @@ services:
depends_on:
- supabase-meta
- supabase-kong
ports:
- "${STUDIO_PORT:-54323}:3000"
environment:
STUDIO_PG_META_URL: http://supabase-meta:8080
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@@ -246,8 +263,6 @@ services:
supabase-inbucket:
image: inbucket/inbucket:3.0.4
restart: unless-stopped
ports:
- "${INBUCKET_PORT:-54324}:9000"
volumes:
- supabase-inbucket-data:/storage
@@ -262,10 +277,6 @@ services:
- supabase-rest
- supabase-storage
- supabase-realtime
ports:
- "${KONG_HTTP_PORT:-8000}:8000"
- "${KONG_HTTPS_PORT:-8443}:8443"
- "${APP_PORT:-3000}:3000"
entrypoint: >
sh -c "sed 's|\$${SUPABASE_ANON_KEY}|'\"$$SUPABASE_ANON_KEY\"'|g; s|\$${SUPABASE_SERVICE_KEY}|'\"$$SUPABASE_SERVICE_KEY\"'|g' /var/lib/kong/kong.yml.tpl > /tmp/kong.yml && KONG_DECLARATIVE_CONFIG=/tmp/kong.yml /docker-entrypoint.sh kong docker-start"
environment:
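Review bot: In the `supabase-db-migrate` command (hunk `@@ -42,9 +48,22 @@`), the single-`$` `${POSTGRES_PASSWORD}` inside the heredoc is substituted by Compose when the file is rendered, then re-read by the shell because `EOSQL` is unquoted, so a password containing `'`, `$`, a backtick or a backslash changes or breaks the `ALTER ROLE` statements. The hunk already puts `POSTGRES_PASSWORD` in the container environment, so I would let psql do the quoting: `psql ... -v pw="$$POSTGRES_PASSWORD"` with `PASSWORD :'pw'` in each statement. Separately, `-v ON_ERROR_STOP=0` means a failed `ALTER ROLE` is ignored and the migrations run anyway; `ON_ERROR_STOP=1` for this psql call would surface a role whose password was not applied, which is the case this change exists to cover. The command block continues past the end of the hunk.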