# syntax=docker/dockerfile:1
# SPDX-License-Identifier: Apache-2.0
# © 2026 Lutar, Stephen P. — SZL Holdings · ORCID 0009-0001-0110-4173 · Doctrine v11
#
# Killinchu HF Docker Space — Andean Drone Intelligence (vessels pivot).
#
# a11oy-style: FastAPI app, mount pre-built React SPA from /app/static, base path "/",
# SPA history fallback, /api/killinchu/v1/* endpoints, honest disclosure block.
# No Node runtime needed (pure-FastAPI backend; SPA is pre-built at deploy time).
#
# Serves:
# / — SPA front door (drone intelligence landing)
# /assets/* — SPA JS/CSS chunks (vite base="/")
# /drones /map /swarm ... — SPA routes (history fallback)
# /api/killinchu/v1/* — real protocol decoders + drone DB + counter-UAS Λ-gate
# /api/vessels/* — preserved aliases (vessels GREEN baseline, ADDITIVE)
#
# HF Space requirement: listen on PORT 7860.
# Base image: the slim CPython 3.12 variant.
# NOTE(review): python:3.12-slim is a mutable tag, so two builds of this file can
# start from different base layers. Pinning by digest
# (python:3.12-slim@sha256:<DIGEST_PLACEHOLDER>) would make rebuilds reproducible.
FROM python:3.12-slim

WORKDIR /app

# Install the CA certificate bundle and drop the apt caches in the same layer,
# so the package index never persists in the image.
RUN set -e; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/*
# Core runtime libraries: FastAPI + uvicorn, httpx, starlette, and the pyModeS /
# pymavlink protocol stacks (described by the authors as real stacks, no mocks).
# NOTE(review): these are version ranges without hashes, and starlette and
# pymavlink carry no upper bound, so every rebuild may resolve a different
# dependency set. A hashed lock file installed with
# `pip install --require-hashes -r <LOCKFILE>` would fix the set and let pip
# reject a tampered or substituted artifact.
RUN pip install --no-cache-dir \
      "fastapi>=0.111.0,<1.0.0" \
      "uvicorn[standard]>=0.29.0,<1.0.0" \
      "httpx>=0.27.0,<1.0.0" \
      "starlette>=0.37.0" \
      "pyModeS>=3.3.0,<4.0" \
      "pymavlink>=2.4.40"

# ADDITIVE (Yachay / Provenance Hardening): cryptography backs the DSSE + Cosign
# Khipu signing.
RUN pip install --no-cache-dir "cryptography>=42.0"

# ADDITIVE (Yachay / PQC): pure-Python ML-DSA-65 (NIST FIPS 204) backend for
# /khipu/sign?mode={pqc,hybrid}. liboqs (oqs-python) is the preferred production
# backend but is a C library that cannot always be installed, so dilithium-py is
# the fallback that keeps hybrid signing working in the Space. ECDSA remains the
# default in every case.
# NOTE(review): dilithium-py's upstream README appears to present it as an
# educational, non-constant-time implementation — confirm, and until liboqs is
# available treat pqc/hybrid signatures from this backend as demonstration-grade.
RUN pip install --no-cache-dir "dilithium-py>=1.0.0"
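# Pre-built SPA -> /app/static. index.html and assets/* are served at / and
# /assets/*; any unknown GET falls back to index.html.
COPY static/ ./static/

# ADDITIVE (OTel auto-instrumentation, Yachay 2026-06-01 / Perplexity Computer Agent):
# OpenTelemetry SDK, OTLP/HTTP trace exporter and FastAPI/Starlette
# auto-instrumentation. OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_SERVICE_NAME are read
# from the Space environment. Doctrine v11 LOCKED 749/14/163.
RUN pip install --no-cache-dir \
      "opentelemetry-sdk>=1.24.0" \
      "opentelemetry-exporter-otlp-proto-http>=1.24.0" \
      "opentelemetry-instrumentation-fastapi>=0.45b0" \
      "opentelemetry-instrumentation-starlette>=0.45b0"

# Application modules, listed file by file (this Dockerfile never uses `COPY . .`):
# the OTel shim, the serve orchestrator, the drone DB, the protocol decoders, the
# DSSE/provenance helpers and the legal-boundaries notice.
# serve.py is copied once in this group. The original repeated `COPY serve.py` at
# the end of the group; COPY always reads the file from the build context, so the
# repeat carried the same bytes and only added a layer.
COPY szl_otel.py \
     serve.py \
     szl_thesis_about.py \
     drones_db.json \
     killinchu_protocols.py \
     killinchu_expansion.py \
     killinchu_naval_haps.py \
     szl_dsse.py \
     szl_provenance.py \
     LEGAL_BOUNDARIES.md \
     ./

# ADDITIVE (Yachay / Live 3D Wires, PURIQ Doctrine v12): live-wires module, host
# page and scene core, so `import szl_live_wires` resolves in the container.
# Without them the server's register() call fails silently and /live-wires falls
# through to the SPA shell.
COPY szl_live_wires.py live_wires.html live_wires_3d.js ./

# ADDITIVE (Wire I, Yachay): Rosie-companion module.
COPY szl_rosie_companion.py ./

# ADDITIVE (PQC/hybrid signing, Yachay): signing module, so
# `import killinchu_szl_pqc_sign` resolves and register() wires the /khipu/sign
# endpoints.
COPY killinchu_szl_pqc_sign.py ./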
# Port the Space listens on. EXPOSE documents the port; it does not publish it.
ENV PORT=7860
EXPOSE 7860

# ADDITIVE (UNAY + Khipu-LMDB v2, 2026-06-01, Yachay): durable lmdb persistence
# plus optional sqlite-vss vector recall. Per the authors, szl_unay degrades to an
# honest cosine fallback when the extension cannot load in the slim image, and
# existing routes are never affected.
RUN pip install --no-cache-dir \
      "lmdb>=1.4.0" \
      "sqlite-vss>=0.1.2"
# ADDITIVE (UNAY + Khipu-LMDB v2, 2026-06-01, Yachay / Perplexity Computer Agent).
# Files are copied one by one because this Dockerfile does not use `COPY . .`.
# Per the authors, serve.py imports szl_unay_routes and calls
# .register(app, ns="killinchu"), which mounts /api/killinchu/v2/unay/* and
# /api/killinchu/v2/khipu/lmdb/* (durable lmdb, sqlite-vss with an honest fallback).
COPY szl_unay.py \
     szl_khipu_lmdb.py \
     szl_khipu_replicate.py \
     szl_unay_routes.py \
     ./

# ADDITIVE (Warhacker v2 genius pass, Yachay 2026-06-01): alias module plus
# killinchu_genius. If either file is missing, the imports fail and the routes 404.
COPY szl_warhacker_aliases.py killinchu_genius.py ./
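# ADDITIVE (Understudy-parity, Yachay 2026-06-01): the understudy moat-fabric
# layer and its portable substrate (LLM router / agentic RAG / 23-formula
# registry). Copied file by file (this Dockerfile never uses `COPY . .`); without
# them `import szl_understudy` and its substrate imports fail and every
# /api/killinchu/v2/* understudy route 404s. szl_brain, szl_rag and szl_formulas
# are VENDORED from the platform monorepo (header in each file) until
# `pip install ./packages/*` lands.
#
# huggingface_hub stays best-effort: a failed install must not fail the build.
# The original `|| true` hid that failure completely; the warning below keeps the
# build green but leaves a line in the build log, so a missing package is visible
# instead of surfacing later as an unexplained runtime import error.
RUN pip install --no-cache-dir "huggingface_hub>=0.23" \
    || echo "WARNING: optional huggingface_hub install failed; continuing without it" >&2

COPY szl_brain.py \
     szl_rag.py \
     szl_formulas.py \
     szl_understudy.py \
     ./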
# ADDITIVE (Defense Runtime Cookbook, 2026-06-01, Yachay / Perplexity Computer Agent):
# the self-contained cookbook module, copied on its own (this Dockerfile never
# uses `COPY . .`). Without it `import szl_killinchu_cookbook` fails and every
# /api/killinchu/v2/cookbook*, /v2/missions*, /v2/scouts, /v2/uds/*, /v2/legal,
# /v2/specs/* and /v2/pitch route 404s. Its vendored data lives under
# static/cookbook/, which the earlier `COPY static/ ./static/` already brings in.
# Recall receipts are signed live via szl_dsse.
COPY szl_killinchu_cookbook.py ./

# ADDITIVE (UDS HARDENING, 2026-06-01, Yachay): real-data STIG/SCAP, Iron Bank,
# Big Bang and Tradewinds endpoints under /api/killinchu/uds/v1/*, backed by the
# committed .compliance/ artifacts (OpenSCAP oscap output, Dockerfile audit, helm
# lint inventory). Registered BEFORE killinchu_fusion so that module's synthetic
# stubs defer to this real data.
# NOTE(review): .compliance/ ships inside the image and feeds publicly reachable
# endpoints — confirm the scan output and audit files contain no host names,
# internal paths or open findings that should stay private.
COPY szl_uds_hardening.py ./
COPY .compliance/ ./.compliance/
COPY killinchu_fusion.py ./
# ADDITIVE (Drone 3D Health v4, Yachay 2026-06-01 / Perplexity Computer Agent):
# the 3D drone-health-diagnostics module. Without it
# `import killinchu_drone_3d_health` fails and every /api/killinchu/v4/* route
# 404s. The /drone-3d page (static/drone-3d.html) and the operator tab
# (static/uds.html) already arrive with `COPY static/ ./static/`.
COPY killinchu_drone_3d_health.py ./

# ADDITIVE (Navy Edition + Palantir-class Mission Globe, Yachay 2026-06-02 /
# Co-Authored-By: Perplexity Computer Agent): the Navy surface and the 3D
# mission-globe / threat-cone modules. Without them `import szl_navy_edition` and
# `import killinchu_mission_globe` fail and /navy, /mission-globe,
# /threat-cone-3d and /api/killinchu/v4/{seismic,mission-feed} return 404. The
# mission-globe module reuses killinchu_drone_3d_health for its fusion fetch.
# Doctrine v11 LOCKED 749/14/163 · Λ Conjecture 1.
COPY szl_navy_edition.py killinchu_mission_globe.py ./

# ADDITIVE (Investor /demo route, 2026-06-02, Yachay / Perplexity Computer Agent):
# serve.py imports szl_demo and registers GET /demo and /killinchu/demo BEFORE
# the /{full_path:path} SPA catch-all. Inline HTML, no CDN, no key.
# Doctrine v11 LOCKED 749/14/163 · Λ Conjecture 1.
COPY szl_demo.py ./

# ADDITIVE (Genius Operator Sidebar, 2026-06-02, Yachay / Perplexity Computer Agent):
# serve.py imports szl_sidebar and calls .register(app, "killinchu"), which mounts
# /sidebar and the working wrappers /status /doctrine /formulas /uds
# /spaceweather /seismic /drone-health. Without the file the import fails and the
# wrappers fall through to the SPA catch-all. Doctrine v11 LOCKED 749/14/163.
# All four groups are copied file by file; this Dockerfile never uses `COPY . .`.
COPY szl_sidebar.py ./
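# serve.py is deliberately not re-copied anywhere in this section. The original
# repeated `COPY serve.py ./serve.py` after each group below, but COPY always
# reads the file from the build context, so each repeat carried the same bytes as
# the other `COPY serve.py` instructions in this file and only added a layer.

# ADDITIVE (FULL UDS INJECTION root-cause fix, 2026-06-02, Yachay (CTO) /
# Perplexity Computer Agent). serve.py does `import szl_uds_pages` and
# `_uds_pages.register(app, "killinchu")` to mount the SIX real /uds/* subpages
# (/uds/sbom, /uds/sigstore, /uds/cmmc, /uds/889, /uds/zarf, /uds/mission-owner)
# BEFORE the /{full_path:path} SPA catch-all. The module had never been copied
# into the image, so the import raised ModuleNotFoundError (swallowed by the
# try/except) and all six subpages fell through to the SPA shell (8519-byte
# hero). The /uds hub (static/uds.html) was unaffected because it comes from
# `COPY static/ ./static/`. Authors' content notes: Section 889 = exactly 5
# vendors (Huawei, ZTE, Hytera, Hikvision, Dahua); CMMC Level 1 = 17 practices
# (FAR 52.204-21); Iron Bank = sponsor pending (never certified); SLSA L1 honest,
# L2 in progress. The module depends only on stdlib + fastapi.
# Doctrine v11 LOCKED 749/14/163. Λ Conjecture 1 (NOT a theorem).
COPY szl_uds_pages.py ./

# ADDITIVE (Parity Restoration 2026-06-02, Yachay / Perplexity Computer Agent):
# serve.py (parity block) calls operator_shell_v4.register(app, "killinchu") to
# mount /api/killinchu/v4/{healthz,inbox,receipts,map/state,stream}. Without
# these files the import fails and the V4 routes fall through to the SPA
# catch-all and return HTML.
#   szl_wire.py — needed by the /api/killinchu/v1/mesh/state parity route.
#   szl_jack.py — needed by the brain-jack wiring.
# Doctrine v11 LOCKED 749/14/163. c7c0ba17.
COPY operator_shell_v4.py szl_wire.py szl_jack.py ./

# ADDITIVE (Operationalize Sweep Track C, 2026-06-03, Yachay CTO / Perplexity
# Computer Agent): killinchu_drone_routes.py registers the UDS-deployable
# counter-UAS drone-facing endpoints:
#   GET  /api/killinchu/drone/telemetry   — friendly fleet + threat tracks
#   POST /api/killinchu/drone/intercept   — mock action with DSSE receipt
#   GET  /api/killinchu/drone/cued-tracks — cued threat list
#   GET  /api/killinchu/drone/fleet-state — 5 friendly drone roster
# and the previously missing P2-spec routes:
#   GET  /api/killinchu/v1/gates          — 13-axis Lambda-gate manifest
#   GET  /api/killinchu/v1/audit-log      — in-memory audit ring
# Without the file the import fails and the routes 404.
# Doctrine v11 LOCKED 749/14/163. NO Iron Bank.
COPY killinchu_drone_routes.py ./

# szl_ken.py carries no note in the original file; copied as before.
COPY szl_ken.py ./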
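# ADDITIVE (Per-Flagship Deep-Dive Wire-Up, 2026-06-03, Yachay / Perplexity
# Computer Agent): serve.py imports szl_deepdive_gaps and calls
# _dd_gaps.register(app, "killinchu") BEFORE the SPA catch-all, filling the
# Series-A gap endpoints. static/3d/killinchu_airspace/ already arrives with
# `COPY static/ ./static/`. Python modules are copied file by file, never with
# `COPY . .`. Doctrine v11 LOCKED 749/14/163 UNCHANGED. Lambda = Conjecture 1
# (NOT a theorem).
COPY szl_deepdive_gaps.py \
     szl_lambda_tripwire.py \
     szl_smoke_fix.py \
     ./

# ADDITIVE (Formulas → Ecosystem echo, Opus 4.8, 2026-06-03): the shared formulas
# package and its endpoint shim. killinchu echoes the thesis-v22 front-door
# formulas (thesis_v22.pdf §2 + real Lean theorems).
# Signed-off-by: Yachay <yachay@szlholdings.ai>
# Co-Authored-By: Perplexity Computer Agent <agent@perplexity.ai>
COPY szl_shared_formulas/__init__.py \
     szl_shared_formulas/welford.py \
     szl_shared_formulas/bloom_filter.py \
     ./szl_shared_formulas/
COPY killinchu_formula_endpoints.py ./

# serve.py is copied last, as in the original. COPY reads the build context, so
# this is the same file as any earlier copy of serve.py.
COPY serve.py ./serve.py

# Run the service as an unprivileged account. The original had no USER
# instruction, so the image's default user was root and a flaw in any of the
# HTTP routes would execute with root inside the container. /app is handed to the
# new account so the application keeps the write access it had before.
# uid 1000 is chosen to match the uid Hugging Face documents for Docker Spaces —
# confirm against the current Spaces documentation. Port 7860 is unprivileged,
# so no extra capability is needed to bind it.
RUN useradd --create-home --uid 1000 --shell /usr/sbin/nologin appuser \
    && chown -R appuser:appuser /app
USER appuser

# Exec form: python is PID 1 and receives SIGTERM directly on container stop.
CMD ["python", "serve.py"]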