Add marketplace section, OAuth checkout, social icons, 35% efficiency claim, preorder CTAs, enterprise Q1 2027, founding member limits, paragraph spacing in demo chat, no em dashes

Dockerfile

@@ -13,16 +13,47 @@
 # Run:
 #   docker run -p 8080:8080 neuron-landing
 
-# ── Stage 1: compile ──────────────────────────────────────────────────────────
+# ── Stage 1a: build liboqs from source ────────────────────────────────────────
+# Debian bookworm doesn't ship liboqs, so we build it ourselves. liboqs is
+# small (~5MB compiled, static) and pinned to a release tag for reproducibility.
+# Built static, so the runtime image doesn't need a separate liboqs.so.
+FROM debian:bookworm-slim AS oqs-builder
+
+ARG LIBOQS_VERSION=0.10.1
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        build-essential cmake ninja-build git \
+        libssl-dev ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN git clone --depth 1 --branch ${LIBOQS_VERSION} \
+        https://github.com/open-quantum-safe/liboqs.git /src/liboqs \
+ && cmake -S /src/liboqs -B /src/liboqs/build -GNinja \
+        -DCMAKE_INSTALL_PREFIX=/opt/oqs \
+        -DOQS_BUILD_ONLY_LIB=ON \
+        -DOQS_DIST_BUILD=ON \
+        -DBUILD_SHARED_LIBS=OFF \
+        -DOQS_USE_OPENSSL=ON \
+ && cmake --build /src/liboqs/build --parallel \
+ && cmake --install /src/liboqs/build
+
+# ── Stage 1b: compile El binary ───────────────────────────────────────────────
 FROM debian:bookworm-slim AS builder
 
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
         build-essential \
         libcurl4-openssl-dev \
+        libssl-dev \
         ca-certificates \
  && rm -rf /var/lib/apt/lists/*
 
+# Pull in liboqs headers + static archive from the previous stage. The
+# archive is ~5MB; we link it statically so the runtime image stays slim
+# and we don't need a second apt install in stage 2.
+COPY --from=oqs-builder /opt/oqs /opt/oqs
+
 WORKDIR /build
 COPY runtime/el_runtime.c runtime/el_runtime.h ./
 COPY server.c ./
@@ -31,7 +62,20 @@ COPY server.c ./
 # functions (e.g. handle_request) via dlsym(RTLD_DEFAULT, name), and on
 # glibc that only sees the executable's own symbols if they were exported
 # by the linker. macOS exports them by default, Linux doesn't.
-RUN cc -std=c11 -O2 -rdynamic -I . -o landing server.c el_runtime.c -lcurl -lpthread -ldl -lm
+#
+# liboqs is an optional runtime dependency; el_runtime.c gates all pq_*
+# entry points behind __has_include(<oqs/oqs.h>). With the headers + .a
+# from the oqs-builder stage in /opt/oqs, the post-quantum primitives
+# (Dilithium-3 / ML-DSA-65 signatures, Kyber-768 / ML-KEM-768 KEM, the
+# hybrid X25519+Kyber handshake, and SHA3-256) are all available.
+# -lcrypto pulls in OpenSSL for X25519 + the symmetric primitives liboqs
+# itself uses internally; libcurl4-openssl-dev already pulls libssl-dev
+# transitively but we're explicit.
+RUN cc -std=c11 -O2 -rdynamic \
+       -I . -I/opt/oqs/include \
+       -L/opt/oqs/lib \
+       -o landing server.c el_runtime.c \
+       -lcurl -lpthread -ldl -lm -loqs -lcrypto
 # `strip` would discard .symtab but keeps .dynsym (which is what -rdynamic
 # populated and what dlsym actually looks at), so it'd be safe — but the
 # binary is small enough that the few MB saved isn't worth the next person
@@ -40,9 +84,13 @@ RUN cc -std=c11 -O2 -rdynamic -I . -o landing server.c el_runtime.c -lcurl -lpth
 # ── Stage 2: runtime ──────────────────────────────────────────────────────────
 FROM debian:bookworm-slim
 
+# libssl3 supplies libcrypto.so.3 for the X25519 + symmetric primitives the
+# linked binary needs. liboqs itself is statically linked into the binary
+# (built that way in stage 1a) so there's nothing extra to ship for it.
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
         libcurl4 \
+        libssl3 \
         ca-certificates \
  && rm -rf /var/lib/apt/lists/* \
  && groupadd -r landing && useradd -r -g landing landing