Fix: install Neo4j+cypher-shell via official Debian apt repo (no tar.gz/APOC download)

Dockerfile

@@ -27,14 +27,8 @@ ENV LANG=C.UTF-8
 
 # ── System dependencies ────────────────────────────────────────────────────────
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    # Java for Neo4j 2026.x (requires Java 21+)
-    openjdk-21-jre-headless \
-    # Python
     python3.11 python3-pip python3.11-venv \
-    # Web / infra
-    nginx \
-    supervisor \
-    # Utilities
+    nginx supervisor \
     curl wget ca-certificates gnupg \
     && rm -rf /var/lib/apt/lists/*
 
@@ -43,26 +37,22 @@ RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
     && apt-get install -y --no-install-recommends nodejs \
     && rm -rf /var/lib/apt/lists/*
 
-# ── Neo4j Community 5.24.0 + APOC 5.24.0 ─────────────────────────────────────
-ENV NEO4J_HOME=/opt/neo4j
-ENV PATH="${NEO4J_HOME}/bin:${PATH}"
+# ── Neo4j 5.x Community + cypher-shell (official Debian repo) ─────────────────
+RUN curl -fsSL https://debian.neo4j.com/neotechnology.gpg.key \
+        | gpg --dearmor -o /usr/share/keyrings/neo4j.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/neo4j.gpg] https://debian.neo4j.com stable 5" \
+        > /etc/apt/sources.list.d/neo4j.list \
+    && apt-get update \
+    && apt-get install -y neo4j cypher-shell \
+    && rm -rf /var/lib/apt/lists/*
 
-RUN wget -q "https://dist.neo4j.org/neo4j-community-5.24.0-unix.tar.gz" \
-    && tar -xzf "neo4j-community-5.24.0-unix.tar.gz" -C /opt \
-    && mv "/opt/neo4j-community-5.24.0" /opt/neo4j \
-    && rm "neo4j-community-5.24.0-unix.tar.gz" \
-    && rm -rf /opt/neo4j/data \
-    && wget -q "https://github.com/neo4j-labs/apoc/releases/download/5.24.0/apoc-5.24.0-core.jar" \
-        -O /opt/neo4j/plugins/apoc-5.24.0-core.jar
+ENV NEO4J_HOME=/var/lib/neo4j
+ENV PATH="/usr/bin:${PATH}"
 
-# Neo4j configuration — listen on all interfaces, use /data for persistence
+# ── Neo4j configuration ────────────────────────────────────────────────────────
 RUN { \
     echo "server.bolt.listen_address=0.0.0.0:7687"; \
     echo "server.http.listen_address=0.0.0.0:7474"; \
-    echo "server.directories.data=/data/neo4j/data"; \
-    echo "server.directories.logs=/data/neo4j/logs"; \
-    echo "server.directories.plugins=/opt/neo4j/plugins"; \
-    echo "dbms.security.auth_enabled=true"; \
     echo "server.memory.heap.initial_size=512m"; \
     echo "server.memory.heap.max_size=1g"; \
     echo "server.memory.pagecache.size=256m"; \
@@ -70,7 +60,7 @@ RUN { \
     echo "dbms.logs.query.enabled=OFF"; \
     echo "dbms.security.procedures.unrestricted=apoc.*"; \
     echo "dbms.security.procedures.allowlist=apoc.*"; \
-} >> /opt/neo4j/conf/neo4j.conf
+} >> /etc/neo4j/neo4j.conf
 
 # ── Python backend ────────────────────────────────────────────────────────────
 WORKDIR /app/backend

docker/entrypoint.sh

@@ -3,21 +3,23 @@ set -e
 
 log() { echo "[entrypoint] $*"; }
 
-# ── Persistent data dirs (HF Spaces mounts /data) ─────────────────────────────
-mkdir -p /data/neo4j/data /data/neo4j/logs /data/neo4j/transactions
+# ── Persistent data dirs ───────────────────────────────────────────────────────
+mkdir -p /data/neo4j/data /data/neo4j/logs
+chown -R neo4j:neo4j /data/neo4j 2>/dev/null || true
 
-# Point Neo4j config at the persistent volume paths (already set in neo4j.conf,
-# but the data dir must exist before Neo4j starts or it refuses to launch)
-mkdir -p /data/neo4j/data/databases /data/neo4j/data/dbms
+# Symlink Neo4j data/logs to persistent volume
+if [ ! -L /var/lib/neo4j/data ]; then
+    rm -rf /var/lib/neo4j/data
+    ln -sf /data/neo4j/data /var/lib/neo4j/data
+fi
+if [ ! -L /var/log/neo4j ]; then
+    rm -rf /var/log/neo4j
+    ln -sf /data/neo4j/logs /var/log/neo4j
+fi
 
 # ── First-boot: set initial password ──────────────────────────────────────────
 NEO4J_PASS="${NEO4J_PASSWORD:-clinicalmatch2024}"
-
-# Always attempt set-initial-password — safe to run every boot:
-#   - Before first Neo4j start: sets the password correctly
-#   - After first start: command fails (db already has auth), || true absorbs the error
-log "Setting Neo4j initial password (safe to re-run)..."
-NEO4J_CONF=/opt/neo4j/conf \
+log "Setting Neo4j initial password..."
 neo4j-admin dbms set-initial-password "$NEO4J_PASS" 2>&1 || \
     log "set-initial-password: already initialized, skipping."
 

docker/supervisord.conf

@@ -15,8 +15,8 @@ serverurl=unix:///tmp/supervisor.sock
 
 # ── Neo4j Community ────────────────────────────────────────────────────────────
 [program:neo4j]
-command=/opt/neo4j/bin/neo4j console
-environment=NEO4J_HOME=/opt/neo4j,JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64,NEO4J_CONF=/opt/neo4j/conf
+command=su -s /bin/bash neo4j -c "neo4j console >> /data/neo4j/logs/console.log 2>&1"
+environment=NEO4J_HOME=/var/lib/neo4j,NEO4J_CONF=/etc/neo4j
 autostart=true
 autorestart=true
 startsecs=45