From cd0615e56958e1316fc9ce7bc45c5bca418400fc Mon Sep 17 00:00:00 2001
From: Jordan Kab <jkab@thunderbird.net>
Date: Fri, 12 Jun 2026 15:28:45 -0400
Subject: [PATCH] fix(THU-537): advertise host-reachable PowerSync URL in local
 compose

- POWERSYNC_URL is echoed to the browser in the /v1/powersync/token
  response, so the internal `powersync:8080` Docker hostname can't
  resolve there and leaves the SharedWorker stuck offline
- Use the host port mapping (localhost:POWERSYNC_PORT) instead
---
 deploy/docker-compose.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 0dac939fc..530f63a69 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -42,7 +42,11 @@ services:
       # discovery host — Better Auth's SSO plugin validates both against trustedOrigins.
       TRUSTED_ORIGINS: http://localhost:${FRONTEND_PORT:-3000},http://localhost:${KEYCLOAK_PORT:-8180},http://keycloak:8080
       CORS_ORIGINS: http://localhost:${FRONTEND_PORT:-3000}
-      POWERSYNC_URL: http://powersync:8080
+      # Unlike OIDC_DISCOVERY_URL above, this URL is echoed to the BROWSER in the
+      # /v1/powersync/token response, so it must be host-reachable — the internal
+      # `powersync:8080` Docker hostname doesn't resolve in the browser, leaving the
+      # SharedWorker stuck offline. Use the host port mapping (localhost:POWERSYNC_PORT).
+      POWERSYNC_URL: http://localhost:${POWERSYNC_PORT:-8080}
       # Must match the base64-decoded `k` in deploy/config/powersync-config.yaml
       # AND be >=32 chars (backend/src/config/settings.ts:76).
       POWERSYNC_JWT_SECRET: enterprise-thunderbolt-powersync-jwt-default-secret