From 1110ff2e8cca17eb5e756e4dffe63d95fb4da64c Mon Sep 17 00:00:00 2001
From: Will Anderson <will.anderson@neurontechnologies.ai>
Date: Sat, 9 May 2026 16:22:40 -0500
Subject: [PATCH] Add SKIP_K3S escape hatch for dev CI smoke test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

k3s requires kernel capabilities (overlayfs) that aren't available in
the CI runner's unprivileged Docker environment. Entrypoint now checks
SKIP_K3S=1 and starts neuron-web directly, bypassing k3s and soul-demo.
Dev CI smoke test sets this flag — prod images are unaffected.
---
 .gitea/workflows/dev.yaml | 1 +
 dist/entrypoint.sh        | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/.gitea/workflows/dev.yaml b/.gitea/workflows/dev.yaml
index 06ebb83..fcd5a8c 100644
--- a/.gitea/workflows/dev.yaml
+++ b/.gitea/workflows/dev.yaml
@@ -186,6 +186,7 @@ jobs:
             -e PORT=8080 \
             -e NODE_ENV=production \
             -e LANDING_ROOT=/srv/landing \
+            -e SKIP_K3S=1 \
             "$IMAGE"
 
           for i in $(seq 1 15); do
diff --git a/dist/entrypoint.sh b/dist/entrypoint.sh
index 65a7f34..671dbcb 100644
--- a/dist/entrypoint.sh
+++ b/dist/entrypoint.sh
@@ -1,6 +1,14 @@
 #!/bin/sh
 set -e
 
+# SKIP_K3S=1 — bypass k3s/soul-demo startup and go straight to neuron-web.
+# Used by the dev CI smoke test where the container runtime doesn't support
+# the kernel capabilities k3s requires (overlayfs / privileged mode).
+if [ "${SKIP_K3S:-0}" = "1" ]; then
+  echo "[entrypoint] SKIP_K3S=1: starting neuron-web directly (no k3s/soul-demo)."
+  exec /usr/local/bin/neuron-web
+fi
+
 echo "[entrypoint] Starting k3s server (embedded soul-demo orchestrator)..."
 
 # k3s server — single-node mode, disable unused components