neuron/Dockerfile

# Neuron Soul — GKE container image
#
# Build strategy:
#   1. Download the pre-built linux/amd64 soul binary from Artifact Registry
#      (package: neuron-soul, repository: foundation-dev).
#      The binary is built by CI from soul.el and published as a generic artifact.
#   2. Package it in a minimal Ubuntu 22.04 runtime with glibc and libcurl.
#
# The soul runs in file mode (no HTTP Engram sidecar):
#   - SOUL_ENGRAM_PATH=/data/snapshot.json  → reads/writes engram from mounted PVC
#   - ENGRAM_URL must NOT be set            → absence triggers file mode
#
# Required env vars (injected via ExternalSecret at runtime):
#   NEURON_PORT, NEURON_LLM_0_URL, NEURON_LLM_0_KEY, NEURON_LLM_0_FORMAT,
#   SOUL_CGI_ID, SOUL_IDENTITY, NEURON_TOKEN, NEURON_API_URL, SOUL_ENGRAM_PATH

ARG SOUL_VERSION=latest

FROM ubuntu:22.04 AS downloader

ARG SOUL_VERSION
ARG GCP_SA_KEY

RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      gnupg \
      apt-transport-https && \
    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
      > /etc/apt/sources.list.d/google-cloud-sdk.list && \
    curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
      | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
    apt-get update -qq && \
    apt-get install -y --no-install-recommends google-cloud-cli && \
    rm -rf /var/lib/apt/lists/*

# Authenticate and download the soul binary from Artifact Registry.
# SOUL_VERSION is the 8-char git SHA tag published by CI (e.g. ea271d5c).
# The binary is stored as a generic artifact — download to /tmp/soul/neuron.
RUN --mount=type=secret,id=gcp_sa_key \
    GCP_SA_KEY_FILE=$(cat /run/secrets/gcp_sa_key 2>/dev/null || echo "") && \
    if [ -n "$GCP_SA_KEY_FILE" ]; then \
      echo "$GCP_SA_KEY_FILE" > /tmp/gcp-key.json && \
      gcloud auth activate-service-account --key-file=/tmp/gcp-key.json; \
    fi && \
    gcloud config set project neuron-785695 && \
    mkdir -p /tmp/soul && \
    if [ "${SOUL_VERSION}" = "latest" ]; then \
      VERSION=$(gcloud artifacts versions list \
        --repository=foundation-dev \
        --location=us-central1 \
        --project=neuron-785695 \
        --package=neuron-soul \
        --sort-by="~createTime" \
        --limit=1 \
        --format="value(name)" 2>/dev/null | awk -F/ '{print $NF}'); \
    else \
      VERSION="${SOUL_VERSION}"; \
    fi && \
    echo "Downloading neuron-soul@${VERSION}" && \
    gcloud artifacts generic download \
      --repository=foundation-dev \
      --location=us-central1 \
      --project=neuron-785695 \
      --package=neuron-soul \
      --version="${VERSION}" \
      --destination=/tmp/soul/ && \
    mv /tmp/soul/neuron* /tmp/soul/neuron 2>/dev/null || true && \
    chmod +x /tmp/soul/neuron && \
    rm -f /tmp/gcp-key.json

# Runtime image — minimal Ubuntu 22.04 with only what the soul binary needs.
FROM ubuntu:22.04

RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      libcurl4 \
      curl && \
    rm -rf /var/lib/apt/lists/* && \
    useradd -r -u 1000 -m -s /bin/bash soul

COPY --from=downloader /tmp/soul/neuron /usr/local/bin/neuron
RUN chmod +x /usr/local/bin/neuron

# /data is the engram mount point (PVC at runtime).
# Create it owned by soul user so the binary can write snapshot.json.
RUN mkdir -p /data && chown soul:soul /data

USER soul
WORKDIR /home/soul

EXPOSE 7770

# SOUL_ENGRAM_PATH and other env vars are injected via k8s ExternalSecret.
# ENGRAM_URL must NOT be set — its absence triggers file mode.
ENV NEURON_PORT=7770 \
    SOUL_ENGRAM_PATH=/data/snapshot.json

ENTRYPOINT ["/usr/local/bin/neuron"]