# All-in-one Tatva deployment for a SINGLE Hugging Face Space. # # Clones the private monorepo with a GitHub PAT (build secret GITHUB_TOKEN), # builds the Next.js dashboard, installs the MCP server + FastAPI control plane, # and runs all of them behind nginx on port 7860 via supervisord. # # This file is self-contained (it clones rather than COPYs) so it can be the # root Dockerfile of a thin HF Space — the same pattern as `sumit-server`. # # Build (local): # echo -n "$GITHUB_PAT" | docker build -f deploy/Dockerfile \ # --secret id=GITHUB_TOKEN,src=/dev/stdin -t tatva-aio . # HF Space: add a Space secret GITHUB_TOKEN; HF passes it as a build secret. ARG REPO=github.com/rockerritesh/sumit-mcp-server.git # ---------- stage 1: build the Next.js dashboard ---------- FROM node:20-slim AS web ARG REPO RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/* WORKDIR /src RUN --mount=type=secret,id=GITHUB_TOKEN \ git clone https://x-access-token:$(cat /run/secrets/GITHUB_TOKEN)@${REPO} . WORKDIR /src/portal/web RUN npm install --legacy-peer-deps && npm run build # ---------- stage 2: runtime (python + node + nginx + supervisor) ---------- FROM python:3.13-slim ARG REPO RUN apt-get update \ && apt-get install -y git nginx supervisor curl ca-certificates \ && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \ && apt-get install -y nodejs \ && rm -rf /var/lib/apt/lists/* COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ WORKDIR /app RUN --mount=type=secret,id=GITHUB_TOKEN \ git clone https://x-access-token:$(cat /run/secrets/GITHUB_TOKEN)@${REPO} . # MCP server deps (repo root) + control-plane deps (portal/api) ENV UV_CACHE_DIR=/app/.cache/uv RUN uv sync --no-dev \ && cd portal/api && uv sync --no-dev # Next.js standalone server from the build stage (tracing root pinned to web/, # so server.js + node_modules sit at .next/standalone/). COPY --from=web /src/portal/web/.next/standalone/ /app/portal/web/ COPY --from=web /src/portal/web/.next/static /app/portal/web/.next/static COPY --from=web /src/portal/web/public /app/portal/web/public # Process + proxy config (from the cloned repo) RUN cp deploy/nginx.conf /etc/nginx/nginx.conf \ && cp deploy/supervisord.conf /etc/supervisor/conf.d/tatva.conf \ && mkdir -p /app/.cache && chmod -R 777 /app/.cache # Control-plane + MCP read all other config (MONGO_URI, JWT_SECRET, QDRANT_*, # PLATFORM_ADMINS, STRIPE_*) from Space secrets injected as env vars at runtime. EXPOSE 7860 CMD ["supervisord", "-c", "/etc/supervisor/conf.d/tatva.conf"]