ten31-database/start9/0.4/Dockerfile

# ─────────────────────────────────────────────────────────────────
#  Ten31 Database — StartOS 0.4 container image
# ─────────────────────────────────────────────────────────────────
#  Build context (from the startos manifest dockerBuild.workdir)
#  is the repository root (two levels up from start9/0.4/), so all
#  COPY paths below are relative to the repo root.
#
#  This image is intentionally self-contained under start9/0.4/:
#  no files are pulled from start9/0.3.5/ so the two packages can
#  evolve independently.
#
#  As of 0.1.0:40 the image NO LONGER ships a seed snapshot. The
#  initial migration from 0.3.5 has been completed; from this
#  release forward the live /data volume on the StartOS host is
#  the sole source of truth and is preserved across sideloads.
# ─────────────────────────────────────────────────────────────────
FROM python:3.11-slim

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    CRM_ENV=production \
    CRM_HOST=0.0.0.0 \
    CRM_PORT=8080 \
    CRM_DATA_DIR=/data \
    CRM_FRONTEND_DIR=/app/frontend

WORKDIR /app

RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates curl \
  && rm -rf /var/lib/apt/lists/*

# ── Python dependencies ─────────────────────────────────────────
# `cryptography` is required by the Gmail integration's RS256 JWT signing
# (DWD bearer tokens). The two Phase-0 deps are runtime-only for the ingest
# pipeline + MCP server (the CRM web server itself still needs no new deps):
#   * fastembed — client-side BM25 (Qdrant/bm25) for the sparse retrieval leg
#                 (backend/ingest/sparse.py auto-detects it).
#   * mcp       — MCP Python SDK, only needed to run backend/mcp/server.py.
# Everything else server.py needs is stdlib.
#
# ⚠️ PRE-RELEASE — VERIFY THESE PINS BUILD ON BOTH ARCHES BEFORE RELEASE ⚠️
# fastembed==0.4.2 and mcp==1.2.0 were pinned best-effort and have NOT been
# confirmed to build on both x86_64 AND aarch64 (StartOS runs arm64). fastembed
# in particular pulls onnxruntime (no wheel on some arches → source build) and
# downloads a model on first use. Build the image on aarch64 and run the ingest
# once to confirm before cutting a release. See INGEST_PACKAGING.md "Pre-release
# checks". Do not bump these without re-verifying on both arches.
RUN pip install --no-cache-dir \
      cryptography==42.0.5 \
      fastembed==0.4.2 \
      mcp==1.2.0 \
      anthropic

# ── Application source ──────────────────────────────────────────
# Whole backend tree: server.py + all top-level modules (core_migrations,
# thesis_review, entity_merge, entity_jobs) + migrations/ + ingest/ + mcp/ +
# email_integration/. Earlier piecemeal COPYs missed core_migrations.py, the
# migrations/ dir, and the Phase-1 modules — so the schema migrations never ran
# and the thesis / index-job endpoints 503'd ("Jobs unavailable") on the box.
# .dockerignore keeps __pycache__ and data/ out of the context.
COPY backend                  /app/backend
COPY frontend                 /app/frontend

# ── StartOS wrapper scripts ─────────────────────────────────────
COPY start9/0.4/docker_entrypoint.sh /usr/local/bin/docker_entrypoint.sh
COPY start9/0.4/healthcheck.sh       /usr/local/bin/healthcheck.sh

RUN chmod +x /usr/local/bin/docker_entrypoint.sh \
             /usr/local/bin/healthcheck.sh

EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/docker_entrypoint.sh"]