sentra / Dockerfile
Repin Space to thin proxy on new GHCR digest (sha256:32360746)
2a74d61 verified
# SPDX-License-Identifier: Apache-2.0
# © 2026 Lutar, Stephen P. — SZL Holdings · ORCID 0009-0001-0110-4173 · Doctrine v11
#
# sentra HF Docker Space — THIN PROXY to the GHCR-built image (CLOSEOUT, Opus 4.8).
#
# WHY A PROXY:
# The previous in-Space full build (~47 per-file COPY layers) exited 1 on the HF
# builder with "cache miss" — HF's BuildKit cache was evicted, so layers that the
# previous build relied on could not be replayed and the job failed. The canonical,
# reproducible image is built and signed by GitHub Actions (ghcr-build-push.yml:
# SLSA L2 build-provenance attestation + cosign keyless signature) and pushed to
# ghcr.io/szl-holdings/sentra. This Space simply pins and runs that exact image by
# immutable digest — one FROM, no COPY — so HF never has to rebuild the app and the
# running bits are byte-identical to the attested GHCR artifact.
#
# PIN (immutable digest of tag uds-v0.2.0, built from main @ commit 195d580):
# ghcr.io/szl-holdings/sentra@sha256:32360746e0084ca0c7233bbca2709c1b1e907b6ffa91c166444d8aeb196fa002
#
# The image listens on PORT 7860 (HF Space requirement) via `python serve.py`.
# Routes (all served by the pinned image):
# / — Replit React SPA
# /verdicts — Immune Verdict Theatre (live SSE + DSSE/in-toto/SLSA + Rekor RFC 6962)
# /operator — Immune Cathedral operator-shell v4 desktop
# /api/sentra/healthz — liveness (+ honest slsa: L1+L2, NOT L3)
# /api/sentra/v1/verdict|inspect — Wire B immune verdicts
# /api/sentra/v1/verdict/stream — SSE verdict stream
# /api/sentra/v1/attest/{hash} — full DSSE + in-toto Statement + SLSA Provenance v1
# /api/sentra/v1/rekor/proof — RFC 6962 Merkle-root recomputation + audit path
# /api/sentra/v1/gates[/{id}] — 8 immune gates
# /api/sentra/v1/audit-log — recent verdict history
#
# HONESTY OVER CHECKLIST — no mocks. Doctrine v11 LOCKED 749/14/163 @ c7c0ba17.
# Signed-off-by: Yachay <yachay@szlholdings.ai>
# Co-Authored-By: Perplexity Computer Agent <agent@perplexity.ai>
FROM ghcr.io/szl-holdings/sentra@sha256:32360746e0084ca0c7233bbca2709c1b1e907b6ffa91c166444d8aeb196fa002
# The upstream image already sets WORKDIR /app, ENV PORT=7860, EXPOSE 7860 and
# CMD ["python","serve.py"]. Re-declare the contract here for clarity/HF parsing.
ENV PORT=7860
EXPOSE 7860
CMD ["python", "serve.py"]
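
A CI lint for the contract the header comments describe (a single digest-pinned FROM, no build steps, and a documented PIN that matches the FROM), as an added example that is not part of the sentra repository. The function name `lint_thin_proxy` and the allowed-instruction set are assumptions; the sample Dockerfile is constructed from the lines above.

```python
import re

# Digest copied from the FROM line on this page.
DIGEST = "sha256:32360746e0084ca0c7233bbca2709c1b1e907b6ffa91c166444d8aeb196fa002"
# Constructed sample with the same shape as the Dockerfile above.
SAMPLE = f"""\
# PIN (immutable digest of tag uds-v0.2.0):
# ghcr.io/szl-holdings/sentra@{DIGEST}
FROM ghcr.io/szl-holdings/sentra@{DIGEST}
ENV PORT=7860
EXPOSE 7860
CMD ["python", "serve.py"]
"""

PINNED = re.compile(r"^[\w.\-/:]+@sha256:[0-9a-f]{64}$")
COMMENT_REF = re.compile(r"^#\s*(\S+@sha256:[0-9a-f]+)\s*$")
# Assumption: a thin proxy may only re-declare runtime metadata.
ALLOWED = {"FROM", "ENV", "EXPOSE", "CMD"}


def lint_thin_proxy(text):
    """Return a list of findings; an empty list means the file passes."""
    findings, from_refs, documented = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = COMMENT_REF.match(line)
            if m:  # a comment line holding only an image@digest reference
                documented.append(m.group(1))
            continue
        instr, *rest = line.split()
        instr = instr.upper()
        if instr not in ALLOWED:
            findings.append(f"line {n}: {instr} is not allowed in a thin proxy")
        elif instr == "FROM":
            # Skip flags such as --platform=... to reach the image reference.
            ref = next((t for t in rest if not t.startswith("--")), "")
            from_refs.append(ref)
            if not PINNED.match(ref):
                findings.append(f"line {n}: FROM {ref} is not pinned by a full sha256 digest")
    if len(from_refs) != 1:
        findings.append(f"expected exactly one FROM, found {len(from_refs)}")
    for ref in documented:  # a stale or truncated PIN comment is drift
        if ref not in from_refs:
            findings.append(f"documented pin {ref} does not match any FROM")
    return findings
```

This checks only the text of the Dockerfile; it does not verify the cosign signature or the build-provenance attestation of the pinned digest.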