chore: isolate docker runtime networks

[jho951]

Summary

• Remove host port publishing from docker compose files
• Attach app/mysql to a private bridge network
• Connect app to the shared service backbone network with the documents-service alias

Docs

• Prompt log: prompts/2026-03-27-docker-env-split-and-run-scripts.md
• ADR: docs/decisions/019-isolate-docker-runtime-on-private-and-shared-networks.md
• REQUIREMENTS: not updated, because this is an infrastructure/runtime policy change rather than a product requirement change

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0da944e025

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Create shared network before declaring it external

Marking service-backbone-shared as external: true makes docker compose up fail on fresh environments unless that network already exists, but our startup path (scripts/run-docker.sh up/all) only runs docker compose ... up -d and never creates it. In practice, a first-time bash scripts/run-docker.sh dev up now aborts with the missing-external-network error, so local runtime is no longer self-starting. Please either provision the network in the script or avoid requiring an external network for the default/dev compose path.

Useful? React with 👍 / 👎.