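# syntax=docker/dockerfile:1
# SPDX-License-Identifier: Apache-2.0
# © 2026 Lutar, Stephen P. — SZL Holdings · ORCID 0009-0001-0110-4173 · Doctrine v11
#
# Killinchu HF Docker Space — Andean Drone Intelligence (vessels pivot).
#
# a11oy-style: FastAPI app, mount pre-built React SPA from /app/static, base path "/",
# SPA history fallback, /api/killinchu/v1/* endpoints, honest disclosure block.
# No Node runtime needed (pure-FastAPI backend; SPA is pre-built at deploy time).
#
# Serves:
#   /                       — SPA front door (drone intelligence landing)
#   /assets/*               — SPA JS/CSS chunks (vite base="/")
#   /drones /map /swarm ... — SPA routes (history fallback)
#   /api/killinchu/v1/*     — real protocol decoders + drone DB + counter-UAS Λ-gate
#   /api/vessels/*          — preserved aliases (vessels GREEN baseline, ADDITIVE)
#
# HF Space requirement: listen on PORT 7860.
#
# Layout: base image -> OS packages -> every `pip install` layer (in their original
# relative order) -> per-file COPYs -> runtime config. Dependency layers come first so
# that editing static/ or a Python module does not invalidate and re-run the installs.

# NOTE(review): `3.12-slim` is a mutable tag, so two builds of this file can start from
# different base layers. For an image that signs provenance, pin the base by digest
# (python:3.12-slim@sha256:<digest-of-the-reviewed-base>) and bump it deliberately.
FROM python:3.12-slim
WORKDIR /app

# update + install + list cleanup stay in one layer so no stale apt index is cached.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# Python dependencies — real protocol stacks, no mocks.
# NOTE(review): these are version ranges, several with no upper bound (starlette,
# pymavlink, and the later cryptography / dilithium-py / opentelemetry / lmdb /
# sqlite-vss / huggingface_hub installs), and nothing is hash-checked. Each build
# resolves whatever the index serves that day. Prefer a locked requirements file
# installed with `pip install --require-hashes -r <lockfile>` so the dependency set
# is reviewable and reproducible.
RUN pip install --no-cache-dir \
        "fastapi>=0.111.0,<1.0.0" \
        "uvicorn[standard]>=0.29.0,<1.0.0" \
        "httpx>=0.27.0,<1.0.0" \
        "starlette>=0.37.0" \
        "pyModeS>=3.3.0,<4.0" \
        "pymavlink>=2.4.40"

# ADDITIVE (Yachay / Provenance Hardening): cryptography for DSSE+Cosign Khipu signing.
RUN pip install --no-cache-dir "cryptography>=42.0"

# ADDITIVE (Yachay / PQC): pure-Python ML-DSA-65 (NIST FIPS 204) backend for
# /khipu/sign?mode={pqc,hybrid}. liboqs (oqs-python) is preferred in prod but is
# a C lib not always installable; dilithium-py is the pure-Python fallback so
# hybrid signing works in the Space. ECDSA stays the default regardless.
# NOTE(review): dilithium-py is, as far as its upstream README states, an educational
# implementation that is not constant-time — verify against the package docs before
# treating signatures or keys produced through this fallback as production-grade.
RUN pip install --no-cache-dir "dilithium-py>=1.0.0"

# ADDITIVE (OTel auto-instrumentation, Yachay 2026-06-01 / Perplexity Computer Agent):
# Install OpenTelemetry packages for OTLP/HTTP trace export + FastAPI auto-instr.
# Reads OTEL_EXPORTER_OTLP_ENDPOINT + OTEL_SERVICE_NAME from Space env vars.
# Doctrine v11 LOCKED 749/14/163. ADDITIVE — no existing RUN pip install modified.
RUN pip install --no-cache-dir \
        "opentelemetry-sdk>=1.24.0" \
        "opentelemetry-exporter-otlp-proto-http>=1.24.0" \
        "opentelemetry-instrumentation-fastapi>=0.45b0" \
        "opentelemetry-instrumentation-starlette>=0.45b0"

# ADDITIVE (UNAY + Khipu-LMDB v2, 2026-06-01, Yachay): real durable lmdb persistence
# + optional sqlite-vss vector recall (szl_unay degrades to honest cosine-fallback if
# the extension cannot load in the slim image). Never affects existing routes.
RUN pip install --no-cache-dir "lmdb>=1.4.0" "sqlite-vss>=0.1.2"

# ADDITIVE (Understudy-parity, Yachay 2026-06-01): huggingface_hub, installed alongside
# the understudy substrate COPY'd further down. The install stays best-effort (the build
# continues if it fails), but the failure is now written to the build log instead of
# being discarded by `|| true`, so an image missing the package can be spotted.
RUN pip install --no-cache-dir "huggingface_hub>=0.23" \
    || echo "WARNING: huggingface_hub install failed; image built without it" >&2

# Copy the pre-built SPA to the static root.
# index.html + assets/* served directly at / and /assets/*; unknown GET -> index.html.
COPY static/ ./static/

# Copy real drone DB + real protocol decoders. The serve orchestrator (serve.py) is
# copied once, at the end of the COPY list.
# ADDITIVE: OTel shim module
COPY szl_otel.py ./szl_otel.py
COPY szl_thesis_about.py ./szl_thesis_about.py
COPY drones_db.json ./drones_db.json
COPY killinchu_protocols.py ./killinchu_protocols.py
COPY killinchu_expansion.py ./killinchu_expansion.py
COPY killinchu_naval_haps.py ./killinchu_naval_haps.py
COPY szl_dsse.py ./szl_dsse.py
COPY szl_provenance.py ./szl_provenance.py
COPY LEGAL_BOUNDARIES.md ./LEGAL_BOUNDARIES.md

# ADDITIVE (Yachay / Live 3D Wires, PURIQ Doctrine v12): COPY the live-wires
# module + host page + scene core so `import szl_live_wires` resolves in-container.
# Without these the register() call in the server silently fails and /live-wires
# falls through to the SPA shell. ADDITIVE ONLY. Sign: Yachay.
COPY szl_live_wires.py ./szl_live_wires.py
COPY live_wires.html ./live_wires.html
COPY live_wires_3d.js ./live_wires_3d.js

# ADDITIVE (Wire I): Rosie-companion module baked into the image. Yachay.
COPY szl_rosie_companion.py ./szl_rosie_companion.py

# ADDITIVE (PQC/hybrid signing): bake the signing module so `import
# killinchu_szl_pqc_sign` resolves in-container and register() wires the
# /khipu/sign endpoints. ADDITIVE ONLY. Sign: Yachay.
COPY killinchu_szl_pqc_sign.py ./killinchu_szl_pqc_sign.py

# ADDITIVE (UNAY + Khipu-LMDB v2, 2026-06-01, Yachay / Perplexity Computer Agent):
# explicit per-file COPY (this Dockerfile does not use `COPY . .`). serve.py imports
# szl_unay_routes and calls .register(app, ns="killinchu") -> /api/killinchu/v2/unay/* +
# /api/killinchu/v2/khipu/lmdb/*. Real durable lmdb + real sqlite-vss honest fallback.
COPY szl_unay.py ./szl_unay.py
COPY szl_khipu_lmdb.py ./szl_khipu_lmdb.py
COPY szl_khipu_replicate.py ./szl_khipu_replicate.py
COPY szl_unay_routes.py ./szl_unay_routes.py

# ADDITIVE (Warhacker v2 genius pass, Yachay 2026-06-01): aliases + killinchu_genius.
# Per-file COPY (no `COPY . .`) — without these the imports fail and routes 404.
COPY szl_warhacker_aliases.py ./szl_warhacker_aliases.py
COPY killinchu_genius.py ./killinchu_genius.py

# ADDITIVE (Understudy-parity, Yachay 2026-06-01): the understudy moat-fabric layer
# + its portable substrate (LLM router / agentic RAG / 23-formula registry). Explicit
# per-file COPY (this Dockerfile never uses `COPY . .`); without these `import
# szl_understudy` (and its substrate imports) fail and every /api/killinchu/v2/*
# understudy route 404s. szl_brain/szl_rag/szl_formulas are VENDORED from the
# platform monorepo (header in each file) until `pip install ./packages/*` lands.
COPY szl_brain.py ./szl_brain.py
COPY szl_rag.py ./szl_rag.py
COPY szl_formulas.py ./szl_formulas.py
COPY szl_understudy.py ./szl_understudy.py

# ADDITIVE (Defense Runtime Cookbook, 2026-06-01, Yachay / Perplexity Computer Agent):
# the self-contained cookbook module. Explicit per-file COPY (this Dockerfile never uses
# `COPY . .`); without it `import szl_killinchu_cookbook` fails and every /api/killinchu/
# v2/cookbook* + /v2/missions* + /v2/scouts + /v2/uds/* + /v2/legal + /v2/specs/* +
# /v2/pitch route 404s. The vendored data lives under static/cookbook/ (already COPY'd by
# the `COPY static/ ./static/` line above). Recall receipts sign live via szl_dsse.
COPY szl_killinchu_cookbook.py ./szl_killinchu_cookbook.py

# ADDITIVE (UDS HARDENING, 2026-06-01, Yachay): real-data STIG/SCAP + Iron Bank +
# Big Bang + Tradewinds endpoints under /api/killinchu/uds/v1/*, backed by the
# committed .compliance/ artifacts (real OpenSCAP oscap output, Dockerfile audit,
# helm lint inventory). Registered BEFORE killinchu_fusion so its synthetic stubs
# defer to this real data. Per-file COPY (no `COPY . .`). Sign: Yachay.
COPY szl_uds_hardening.py ./szl_uds_hardening.py
COPY .compliance/ ./.compliance/
COPY killinchu_fusion.py ./killinchu_fusion.py

# ADDITIVE (Drone 3D Health v4, Yachay 2026-06-01 / Perplexity Computer Agent): bake the
# 3D drone-health-diagnostics module into the image. Explicit per-file COPY (this Dockerfile
# never uses `COPY . .`); without it `import killinchu_drone_3d_health` fails and every
# /api/killinchu/v4/* route 404s. The /drone-3d page (static/drone-3d.html) and the operator
# tab (static/uds.html) are already COPY'd by the `COPY static/ ./static/` line above.
COPY killinchu_drone_3d_health.py ./killinchu_drone_3d_health.py

# ADDITIVE (Navy Edition + Palantir-class Mission Globe, Yachay 2026-06-02 /
# Co-Authored-By: Perplexity Computer Agent): bake the Navy surface and the 3D
# mission-globe / threat-cone modules into the image. Explicit per-file COPY
# (this Dockerfile never uses `COPY . .`); without these `import szl_navy_edition`
# and `import killinchu_mission_globe` fail and /navy, /mission-globe,
# /threat-cone-3d, /api/killinchu/v4/{seismic,mission-feed} 404. The mission-globe
# module reuses killinchu_drone_3d_health (already COPY'd above) for fusion fetch.
# Doctrine v11 LOCKED 749/14/163 · Λ Conjecture 1.
COPY szl_navy_edition.py ./szl_navy_edition.py
COPY killinchu_mission_globe.py ./killinchu_mission_globe.py

# ADDITIVE (Investor /demo route, 2026-06-02, Yachay / Perplexity Computer Agent):
# per-file COPY (no `COPY . .`). serve.py imports szl_demo and registers GET /demo +
# /killinchu/demo BEFORE the /{full_path:path} SPA catch-all. Inline HTML, no CDN, no key.
# Doctrine v11 LOCKED 749/14/163 · Λ Conjecture 1.
COPY szl_demo.py ./szl_demo.py

# ADDITIVE (Genius Operator Sidebar, 2026-06-02, Yachay / Perplexity Computer Agent):
# per-file COPY (this Dockerfile never uses `COPY . .`). serve.py imports szl_sidebar
# and calls .register(app, "killinchu") -> /sidebar + working wrappers /status /doctrine
# /formulas /uds /spaceweather /seismic /drone-health. Without it the import fails and
# wrappers fall through to the SPA catch-all. Doctrine v11 LOCKED 749/14/163.
COPY szl_sidebar.py ./szl_sidebar.py

# ADDITIVE (FULL UDS INJECTION root-cause fix, 2026-06-02, Yachay (CTO) / Perplexity
# Computer Agent): explicit per-file COPY (this Dockerfile never uses `COPY . .`).
# serve.py does `import szl_uds_pages` + `_uds_pages.register(app, "killinchu")` to
# mount the SIX real /uds/* subpages (/uds/sbom, /uds/sigstore, /uds/cmmc, /uds/889,
# /uds/zarf, /uds/mission-owner) BEFORE the /{full_path:path} SPA catch-all. But
# szl_uds_pages.py was NEVER COPYied into the image, so `import szl_uds_pages` raised
# ModuleNotFoundError (swallowed by the try/except) and all six subpages fell through
# to the SPA shell (8519-byte hero). The /uds hub (static/uds.html) was unaffected
# because it is served by the `COPY static/ ./static/` line above. This COPY puts the
# module in the image so the six real subpages serve. Section 889 = exactly 5 vendors
# (Huawei, ZTE, Hytera, Hikvision, Dahua). CMMC Level 1 = 17 practices (FAR 52.204-21).
# Iron Bank = sponsor pending (never certified). SLSA L1 honest, L2 in progress.
# Module depends only on stdlib + fastapi (already installed). Doctrine v11 LOCKED
# 749/14/163. Λ Conjecture 1 (NOT a theorem). ADDITIVE only — no existing route removed.
# NOTE(review): the swallowed ModuleNotFoundError described here means a missing COPY
# (or a failed best-effort install) degrades routes silently; a post-build import check
# of the optional modules would surface that at build time rather than in production.
COPY szl_uds_pages.py ./szl_uds_pages.py

# ADDITIVE (Parity Restoration 2026-06-02, Yachay / Perplexity Computer Agent):
# operator_shell_v4.register(app, "killinchu") is now called in serve.py (parity block)
# to mount the V4 operator shell routes: /api/killinchu/v4/{healthz,inbox,receipts,map/state,stream}.
# Per-file COPY (this Dockerfile never uses COPY . .) — without these the import fails
# and the V4 routes fall through to the SPA catch-all returning HTML (the ⚠️ bug).
# szl_wire.py: needed by /api/killinchu/v1/mesh/state parity route.
# szl_jack.py: needed by brain-jack wiring.
# Doctrine v11 LOCKED 749/14/163. c7c0ba17. ADDITIVE ONLY.
COPY operator_shell_v4.py ./operator_shell_v4.py
COPY szl_wire.py ./szl_wire.py
COPY szl_jack.py ./szl_jack.py

# ADDITIVE (Operationalize Sweep Track C, 2026-06-03, Yachay CTO / Perplexity Computer Agent):
# killinchu_drone_routes.py registers UDS-deployable counter-UAS drone-facing endpoints:
#   GET  /api/killinchu/drone/telemetry   — friendly fleet + threat tracks
#   POST /api/killinchu/drone/intercept   — mock action with DSSE receipt
#   GET  /api/killinchu/drone/cued-tracks — cued threat list
#   GET  /api/killinchu/drone/fleet-state — 5 friendly drone roster
# Also provides missing P2-spec routes:
#   GET /api/killinchu/v1/gates     — 13-axis Lambda-gate manifest
#   GET /api/killinchu/v1/audit-log — in-memory audit ring
# Per-file COPY (never COPY . .) — without this the import fails and routes 404.
# Doctrine v11 LOCKED 749/14/163. NO Iron Bank. ADDITIVE ONLY.
COPY killinchu_drone_routes.py ./killinchu_drone_routes.py
COPY szl_ken.py ./szl_ken.py

# ADDITIVE (Per-Flagship Deep-Dive Wire-Up, 2026-06-03, Yachay / Perplexity Computer Agent):
# explicit per-file COPY (this Dockerfile does NOT use COPY . . for Python modules).
# serve.py now imports szl_deepdive_gaps and calls _dd_gaps.register(app, "killinchu")
# BEFORE the SPA catch-all, filling all Series-A gap endpoints.
# static/3d/killinchu_airspace/ is already included in the COPY static/ ./static/ line above.
# Doctrine v11 LOCKED 749/14/163 UNCHANGED. Lambda = Conjecture 1 (NOT a theorem).
COPY szl_deepdive_gaps.py ./szl_deepdive_gaps.py
COPY szl_lambda_tripwire.py ./szl_lambda_tripwire.py
COPY szl_smoke_fix.py ./szl_smoke_fix.py

# ADDITIVE (Formulas → Ecosystem echo, Opus 4.8, 2026-06-03): per-file COPY of the
# shared formulas package + endpoint shim (this Dockerfile never uses `COPY . .`).
# killinchu echoes thesis-v22 front-door formulas. thesis_v22.pdf §2 + real Lean theorems.
# Signed-off-by: Yachay <yachay@szlholdings.ai>
# Co-Authored-By: Perplexity Computer Agent <agent@perplexity.ai>
COPY szl_shared_formulas/__init__.py ./szl_shared_formulas/__init__.py
COPY szl_shared_formulas/welford.py ./szl_shared_formulas/welford.py
COPY szl_shared_formulas/bloom_filter.py ./szl_shared_formulas/bloom_filter.py
COPY killinchu_formula_endpoints.py ./killinchu_formula_endpoints.py

# serve.py is copied exactly once, last, so every register block it contains is baked in
# after the modules it imports. The file was previously re-copied after each addition;
# every copy wrote the same build-context file, so the repeats only added layers.
COPY serve.py ./serve.py

ENV PORT=7860
EXPOSE 7860

# NOTE(review): there is no USER instruction, so the image's default user is root.
# Before adding an unprivileged user (Hugging Face's Docker Space docs use UID 1000)
# and `COPY --chown`, confirm which paths serve.py and the lmdb store write to —
# that is not visible from this file.
CMD ["python", "serve.py"]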