This is the practical companion to the series on secure local development. Architecture and threat models are covered there. This post is about what you actually type every day.
Morning startup
# 1. Start your dev infrastructure
cd ~/projects/my-project
docker compose -f docker-compose.dev.yml up -d postgres redis

# 2. Start the API and web with secrets
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up -d api web

# 3. Start Expo dev server on host (no secrets needed)
cd apps/mobile
EXPO_PUBLIC_API_URL=http://localhost:3333 npx expo start &

# 4. Start AI sandbox in a separate terminal
docker sandbox run my-project-ai --workspace ~/projects/my-project

Coding with AI assistance
Terminal 1 (AI Sandbox):
> claude
> "Refactor the authentication middleware to support JWT refresh tokens"
> Claude edits files in /workspaces/project/apps/api/src/...
> Claude tests: curl http://host.docker.internal:3333/api/auth/refresh
> Claude sees the response, adjusts the implementation

Terminal 2 (Dev Stack):
> docker compose -f docker-compose.dev.yml logs -f api
# See hot-reload pick up Claude's changes
# Test the changes with real credentials against the running server

Terminal 3 (Expo, if working on mobile):
# Hot-reloads automatically when Claude edits shared code
# Test on iOS Simulator alongside API changes

Claude edits the code, tests it against the running API via host.docker.internal, and iterates. Your dev server (running in Docker with real secrets) picks up the changes via volume mounts and hot-reloads. The Expo dev server picks up changes to shared packages. You verify in the browser, Simulator, or via API client. If something breaks, you tell Claude and it fixes it. The loop is fast, and secrets never cross the boundary.
Adding a new secret
# 1. Add in Infisical dashboard (or via CLI)
infisical secrets set NEW_API_KEY=sk-xxx --env=dev

# 2. Add to docker-compose.dev.yml environment list
# (just the key name, no value)
environment:
  - NEW_API_KEY

# 3. Add to .env.example with a placeholder
NEW_API_KEY=your-api-key-here

# 4. Restart the API container
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up -d api

Rotating a secret
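# 1. Update in Infisical dashboard
# 2. Recreate affected containers
# ("restart" reuses the existing container and its old environment, so use "up -d --force-recreate")
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up -d --force-recreate api
# New value is injected; old value no longer exists

Running database migrations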
infisical run --env=dev \
  -- docker compose -f docker-compose.dev.yml exec api node ace migration:run

Running tests in CI-like isolation
# Create a test-specific environment in Infisical
# Use separate test database credentials
infisical run --env=test \
  -- docker compose -f docker-compose.test.yml run --rm api npm test

Working on multiple projects
# Terminal 1: My-project backend (Docker + secrets)
cd ~/projects/my-project
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up

# Terminal 2: My-project Expo (host, no secrets)
cd ~/projects/my-project/apps/mobile
EXPO_PUBLIC_API_URL=http://localhost:3333 npx expo start

# Terminal 3: My-project AI sandbox
docker sandbox run my-project-ai --workspace ~/projects/my-project

# Terminal 4: Other-project backend (Docker + secrets, different ports)
cd ~/projects/other-project
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up

# Terminal 5: Other-project AI sandbox
docker sandbox run other-project-ai --workspace ~/projects/other-project

Each project has its own Infisical project, its own Docker Compose stack, and its own AI sandbox. Secrets never cross project boundaries.
Updating Docker images
# Pull latest base images
docker compose -f docker-compose.dev.yml pull

# Rebuild your app images
docker compose -f docker-compose.dev.yml build --no-cache

# Restart with fresh images and secrets
infisical run --env=dev -- docker compose -f docker-compose.dev.yml up -d

Cleaning up
# Stop everything for a project
docker compose -f docker-compose.dev.yml down

# Remove all sandbox data for a project
docker sandbox rm my-project-ai

# Prune unused Docker resources
docker system prune -f

# Log out of Infisical (end session)
infisical logout
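
Steps 2 and 3 of "Adding a new secret" (key name only in the compose file, a placeholder in .env.example) can be checked mechanically before a commit. The script below is an added example, not part of the original post: `check_secret_wiring`, `write_sample`, `STRIPE_KEY` and `REDIS_URL` are hypothetical names, and it assumes the unquoted list-style `environment:` block shown in that section, with every listed variable supplied by `infisical run`.

```shell
#!/usr/bin/env bash
# Added example: checks steps 2 and 3 of "Adding a new secret".
# Prints one line per problem and returns non-zero if any were found.
check_secret_wiring() {
  compose_file=$1; env_example=$2; problems=0
  # Pull the "- KEY" / "- KEY=value" items listed under any "environment:" key.
  entries=$(awk '
    /^[[:space:]]*environment:[[:space:]]*$/ { in_env = 1; next }
    in_env && /^[[:space:]]*-[[:space:]]*/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
    /^[[:space:]]*(#.*)?$/ { next }   # blank and comment lines keep the state
    { in_env = 0 }                    # any other line ends the list
  ' "$compose_file")
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    key=${entry%%=*}
    case $entry in
      *=*) echo "inline value in compose file: $key"; problems=$((problems + 1)) ;;
    esac
    if ! grep -q "^${key}=" "$env_example"; then
      echo "missing from .env.example: $key"; problems=$((problems + 1))
    fi
  done <<EOF
$entries
EOF
  [ "$problems" -eq 0 ]
}

# Constructed sample files (STRIPE_KEY and REDIS_URL are made-up names).
write_sample() {
  cat > "$1/docker-compose.dev.yml" <<'YAML'
services:
  api:
    environment:
      - NEW_API_KEY
      - STRIPE_KEY=sk-xxx
      - REDIS_URL
    ports:
      - "3333:3333"
YAML
  cat > "$1/.env.example" <<'ENV'
NEW_API_KEY=your-api-key-here
STRIPE_KEY=your-stripe-key-here
ENV
}

sample=$(mktemp -d) && write_sample "$sample"
check_secret_wiring "$sample/docker-compose.dev.yml" "$sample/.env.example" || true
rm -rf "$sample"
```

Non-secret settings that carry an inline value in the compose file are reported as well, so treat those lines as a prompt to review rather than as a hard failure.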