neuron-web/Dockerfile.stage

# Dockerfile.stage — Stage build: landing server + soul-demo in one image.
#
# Both processes run in the same container:
#   - neuron-web  on port 8080 (landing page server)
#   - soul-demo   on port 7772 (demo chat, localhost only)
#
# All binaries (neuron-web, soul-demo, k3s) are pre-built by CI on the host
# runner before this Dockerfile runs. This keeps the Docker build single-stage
# with no compilation and no network downloads, eliminating the multi-stage
# complexity that caused RWLayer corruption on the runner's overlay2 driver.
#
# CI pre-build steps (in stage.yaml):
#   - neuron-web: built by `elb build` → dist/neuron-landing
#   - soul-demo:  compiled by cc on host → dist/soul-demo
#   - k3s:        downloaded by curl on host → dist/k3s

FROM ubuntu:24.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        libcurl4t64 \
        libssl3t64 \
        ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && groupadd -r landing && useradd -r -g landing landing \
 && mkdir -p /srv/landing/assets /srv/landing/js /srv/landing/shares \
 && mkdir -p /srv/soul/engram-demo \
 && chown -R landing:landing /srv/landing /srv/soul \
 && mkdir -p /var/lib/rancher/k3s /tmp/k3s \
 && chown -R landing:landing /var/lib/rancher /tmp/k3s

# neuron-web binary — produced by `elb build` in CI (linux/amd64)
COPY dist/neuron-landing /usr/local/bin/neuron-web
RUN chmod +x /usr/local/bin/neuron-web

# soul-demo binary — compiled by cc on host runner in CI
COPY dist/soul-demo /usr/local/bin/soul-demo
RUN chmod +x /usr/local/bin/soul-demo

# k3s binary — downloaded from GitHub releases by CI
COPY dist/k3s /usr/local/bin/k3s
RUN chmod +x /usr/local/bin/k3s

# soul-demo OCI image tar — k3s imports this at startup (no registry needed)
RUN mkdir -p /var/lib/rancher/k3s/agent/images
COPY dist/soul-demo-image.tar /var/lib/rancher/k3s/agent/images/soul-demo.tar

# k3s manifests — auto-applied when k3s starts
RUN mkdir -p /var/lib/rancher/k3s/server/manifests
COPY dist/k3s-soul-demo.yaml /var/lib/rancher/k3s/server/manifests/soul-demo.yaml

# Engram snapshot — baked in so soul has memory from cold start
COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json

COPY src/assets /srv/landing/assets
COPY dist/js    /srv/landing/js
COPY src/llms.txt /srv/landing/llms.txt
# Pre-rendered HTML shells (about, terms, enterprise-terms, index) used as
# fallback when the El page-builder hasn't been seeded yet at startup.
# chown to the landing user so the El runtime's fs_write at startup can
# rewrite them with the freshly-rendered page (extracted JS asset paths,
# updated chat widget, etc.). Without this they stay as their COPY'd root-
# owned shells and the served HTML never reflects post-COPY source edits.
COPY src/about.html src/terms.html src/enterprise-terms.html src/index.html /srv/landing/
RUN chown landing:landing /srv/landing/about.html /srv/landing/terms.html /srv/landing/enterprise-terms.html /srv/landing/index.html /srv/landing/llms.txt

COPY dist/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh

ENV LANDING_ROOT=/srv/landing
ENV PORT=8080
ENV NEURON_HOME=/srv/soul/engram-demo
ENV NEURON_PORT=7772
ENV K3S_DATA_DIR=/var/lib/rancher/k3s
ENV KUBECONFIG=/var/lib/rancher/k3s/server/cred/admin.kubeconfig

# k3s requires root to create network namespaces and mount cgroups.
# Cloud Run gen2 sandbox is the security boundary here.
EXPOSE 8080

CMD ["/usr/local/bin/entrypoint.sh"]