Follow-up to the CP gateway harness shipped in #127 and the real-fixture capture in #129/#128.
The docker/cpapi/ gateway currently ships no custom conf.yaml, so a fresh docker compose up uses the distribution's restrictive ips.allow (192.*/131.216.*/127.0.0.1). A browser login forwarded through Docker (source 172.*/10.*) is rejected 403 "not allowed", requiring a manual per-container patch. Make the harness self-sufficient and adopt hardening ideas from a reference oath-ibkr-v2 gateway (harness only — not its reqwest client):
Scope note: touches only docker/cpapi/*, Justfile, and _typos.toml — no crate/capture.sh changes, so it does not overlap #129.
Follow-up to the CP gateway harness shipped in #127 and the real-fixture capture in #129/#128.
The
docker/cpapi/gateway currently ships no customconf.yaml, so a freshdocker compose upuses the distribution's restrictiveips.allow(192.*/131.216.*/127.0.0.1). A browser login forwarded through Docker (source172.*/10.*) is rejected 403 "not allowed", requiring a manual per-container patch. Make the harness self-sufficient and adopt hardening ideas from a referenceoath-ibkr-v2gateway (harness only — not its reqwest client):conf.yamlwith a widenedips.allow(loopback + RFC-1918) into the image.HEALTHCHECK.docker-compose.yml(cap_drop, no-new-privileges, mem/pids limits, log bound).just ibkr-capture(localhost:5000 isn't routable from a devcontainer).Scope note: touches only
docker/cpapi/*,Justfile, and_typos.toml— no crate/capture.shchanges, so it does not overlap #129.