.gitea/workflows/stage.yaml

@@ -12,6 +12,7 @@ on:
       - 'dist/**'
       - 'runtime/**'
       - 'Dockerfile.stage'
+      - 'Dockerfile.soul-demo'
       - 'build-stage.sh'
       - '.gitea/workflows/stage.yaml'
 
@@ -230,6 +231,49 @@ jobs:
              -lcurl -lpthread -ldl -lm -lssl -lcrypto
           echo "soul-demo compiled: $(ls -lh dist/soul-demo)"
 
+      - name: Build and push soul-demo image
+        if: steps.changetype.outputs.asset_only != 'true'
+        id: soul-image
+        run: |
+          set -euo pipefail
+          SOUL_IMAGE="us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:${{ steps.tag.outputs.tag }}"
+          docker build --no-cache \
+            -f Dockerfile.soul-demo \
+            -t "soul-demo:${{ steps.tag.outputs.tag }}" \
+            .
+          docker tag "soul-demo:${{ steps.tag.outputs.tag }}" "$SOUL_IMAGE"
+          docker tag "soul-demo:${{ steps.tag.outputs.tag }}" \
+            "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
+          docker push "$SOUL_IMAGE"
+          docker push "us-central1-docker.pkg.dev/neuron-785695/neuron-marketing/soul-demo:stage-latest"
+          echo "soul_image=${SOUL_IMAGE}" >> "$GITHUB_OUTPUT"
+          echo "Soul-demo image: ${SOUL_IMAGE}"
+
+      - name: Deploy soul-demo-stage
+        if: steps.changetype.outputs.asset_only != 'true'
+        id: deploy-soul
+        run: |
+          set -euo pipefail
+          gcloud run deploy soul-demo-stage \
+            --image "${{ steps.soul-image.outputs.soul_image }}" \
+            --region us-central1 \
+            --project neuron-785695 \
+            --service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
+            --update-env-vars "NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
+            --update-secrets "NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest" \
+            --min-instances 1 \
+            --max-instances 10 \
+            --concurrency 20 \
+            --port 8080 \
+            --allow-unauthenticated \
+            --quiet
+
+          SOUL_URL=$(gcloud run services describe soul-demo-stage \
+            --region us-central1 --project neuron-785695 \
+            --format 'value(status.url)')
+          echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
+          echo "Soul-demo URL: ${SOUL_URL}"
+
       - name: Build and tag image
         if: steps.changetype.outputs.asset_only != 'true'
         run: |
@@ -275,6 +319,21 @@ jobs:
           docker push "${LATEST%:*}:stage-latest"
           echo "Fast asset build complete"
 
+      - name: Resolve soul-demo URL
+        id: soul-url
+        run: |
+          set -euo pipefail
+          # For full builds: soul_url comes from deploy-soul step output.
+          # For asset-only builds (soul-demo not redeployed): describe existing service.
+          SOUL_URL="${{ steps.deploy-soul.outputs.soul_url }}"
+          if [ -z "$SOUL_URL" ]; then
+            SOUL_URL=$(gcloud run services describe soul-demo-stage \
+              --region us-central1 --project neuron-785695 \
+              --format 'value(status.url)' 2>/dev/null || echo "")
+          fi
+          echo "soul_url=${SOUL_URL}" >> "$GITHUB_OUTPUT"
+          echo "Resolved SOUL_URL: ${SOUL_URL}"
+
       - name: Deploy to marketing-stage
         id: deploy-stage
         env:
@@ -287,7 +346,7 @@ jobs:
             --region us-central1 \
             --project neuron-785695 \
             --service-account neuron-marketing-sa@neuron-785695.iam.gserviceaccount.com \
-            --update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages" \
+            --update-env-vars "NODE_ENV=production,STRIPE_PUBLISHABLE_KEY=pk_test_51TPoHnJg9Fv1D3AUp1FEMcy4MGlKRZqs4scW66kjQFQjWofmNc2rottzXzDaXekHvuw1OQpyp2WCIsc7O5fXIG0G00HQQrkdGX,GCS_SHARE_BUCKET=neuron-shares-prod,SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Im9jb2pzZ2hhb25sdHVuaWRrenB3Iiwicm9sZSI6ImFub24iLCJpYXQiOjE3Nzc2NDIxNjgsImV4cCI6MjA5MzIxODE2OH0.e0FVFw1aahnrBVvnkR5R8a-RxCx095U8o_gsk7Quq3E,NEURON_LLM_0_FORMAT=anthropic,NEURON_LLM_0_MODEL=claude-sonnet-4-5,NEURON_LLM_0_URL=https://api.anthropic.com/v1/messages,SOUL_URL=${{ steps.soul-url.outputs.soul_url }}" \
             --update-secrets "SUPABASE_SERVICE_KEY=supabase-service-key:latest,NEURON_LLM_0_KEY=anthropic-api-key:latest,ANTHROPIC_API_KEY=anthropic-api-key:latest,STRIPE_SECRET_KEY=stripe-secret-key-stage:latest,STRIPE_WEBHOOK_SECRET=stripe-webhook-secret-stage:latest,STRIPE_PRICE_PROFESSIONAL=stripe-price-professional-stage:latest,STRIPE_PRICE_FOUNDING=stripe-price-founding-stage:latest,STRIPE_PRICE_FAMILY_CHILD=stripe-price-family-child:latest,RESEND_API_KEY=resend-api-key:latest,DOCUSEAL_WEBHOOK_TOKEN=docuseal-webhook-token:latest" \
             --allow-unauthenticated \
             --quiet

Dockerfile.soul-demo

@@ -0,0 +1,32 @@
+# Dockerfile.soul-demo — Soul-demo as a standalone Cloud Run service.
+# Decoupled from neuron-web so it can scale independently.
+# Built from repo root. soul-demo binary compiled by CI before this runs.
+
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        libcurl4t64 \
+        libssl3t64 \
+        ca-certificates \
+ && rm -rf /var/lib/apt/lists/* \
+ && groupadd -r soul && useradd -r -g soul soul \
+ && mkdir -p /srv/soul/engram-demo \
+ && chown -R soul:soul /srv/soul
+
+COPY dist/soul-demo /usr/local/bin/soul-demo
+RUN chmod +x /usr/local/bin/soul-demo
+
+COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json
+RUN chown soul:soul /srv/soul/engram-demo/snapshot.json
+
+USER soul
+
+ENV NEURON_HOME=/srv/soul/engram-demo
+ENV NEURON_PORT=8080
+
+EXPOSE 8080
+
+CMD ["/usr/local/bin/soul-demo"]

Dockerfile.stage

@@ -1,16 +1,14 @@
-# Dockerfile.stage — Stage build: landing server + soul-demo in one image.
+# Dockerfile.stage — Stage build: landing server only.
 #
-# Both processes run in the same container:
-#   - neuron-web  on port 8080 (landing page server)
-#   - soul-demo   on port 7772 (demo chat, localhost only)
+# neuron-web runs on port 8080 (landing page server).
+# soul-demo is now a separate Cloud Run service (soul-demo-stage).
 #
-# All binaries (neuron-web, soul-demo) are pre-built by CI on the host runner
-# before this Dockerfile runs. This keeps the Docker build single-stage with
-# no compilation and no network downloads.
+# neuron-web binary is pre-built by CI on the host runner before this
+# Dockerfile runs. This keeps the Docker build single-stage with no
+# compilation and no network downloads.
 #
 # CI pre-build steps (in stage.yaml):
 #   - neuron-web: built by `elb build` → dist/neuron-landing
-#   - soul-demo:  compiled by cc on host → dist/soul-demo
 
 FROM ubuntu:24.04
 
@@ -24,20 +22,12 @@ RUN apt-get update \
  && rm -rf /var/lib/apt/lists/* \
  && groupadd -r landing && useradd -r -g landing landing \
  && mkdir -p /srv/landing/assets /srv/landing/js /srv/landing/shares \
- && mkdir -p /srv/soul/engram-demo \
- && chown -R landing:landing /srv/landing /srv/soul
+ && chown -R landing:landing /srv/landing
 
 # neuron-web binary — produced by `elb build` in CI (linux/amd64)
 COPY dist/neuron-landing /usr/local/bin/neuron-web
 RUN chmod +x /usr/local/bin/neuron-web
 
-# soul-demo binary — compiled by cc on host runner in CI
-COPY dist/soul-demo /usr/local/bin/soul-demo
-RUN chmod +x /usr/local/bin/soul-demo
-
-# Engram snapshot — baked in so soul has memory from cold start
-COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json
-
 COPY src/assets /srv/landing/assets
 COPY dist/js    /srv/landing/js
 COPY src/llms.txt /srv/landing/llms.txt
@@ -55,8 +45,6 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
 
 ENV LANDING_ROOT=/srv/landing
 ENV PORT=8080
-ENV NEURON_HOME=/srv/soul/engram-demo
-ENV NEURON_PORT=7772
 
 EXPOSE 8080
 

dist/entrypoint.sh

@@ -1,26 +1,4 @@
 #!/bin/sh
 set -e
-
-if [ "${SKIP_K3S:-0}" = "1" ]; then
-  echo "[entrypoint] SKIP_K3S=1: starting neuron-web directly (no soul-demo)."
-  exec /usr/local/bin/neuron-web
-fi
-
-# Soul-demo watchdog: start soul-demo and restart it automatically on crash.
-# Cloud Run gen2 doesn't reliably provide eth0 with a unicast IP, so k3s flannel
-# fails at startup. Running soul-demo directly is simpler, lighter, and fully
-# self-healing. Cloud Run handles horizontal scaling — no HPA needed.
-echo "[entrypoint] Starting soul-demo watchdog on :${NEURON_PORT:-7772}..."
-(
-  while true; do
-    echo "[soul-watchdog] starting soul-demo (NEURON_HOME=${NEURON_HOME})"
-    /usr/local/bin/soul-demo 2>&1 || true
-    echo "[soul-watchdog] soul-demo exited, restarting in 3s..."
-    sleep 3
-  done
-) &
-
-# Start neuron-web immediately — do NOT block.
-# Cloud Run startup probe requires port 8080 to answer within the timeout.
 echo "[entrypoint] Starting neuron-web on port ${PORT:-8080}..."
 exec /usr/local/bin/neuron-web