refactor: replace source compilation with official pre-built GHCR images

Use ghcr.io/bytedance/deer-flow-backend:latest and
ghcr.io/bytedance/deer-flow-frontend:latest as source stages instead
of cloning + building from source. Eliminates:
- pnpm install + Next.js Turbopack build (OOM risk, 15-20 min)
- uv sync + grpcio/sympy native compilation (stall risk, 10-15 min)

Build now pulls pre-built images (~5 min) instead of compiling (~30 min).
Retain minimal alpine/git clone only for skills/ and config.example.yaml
which are not bundled in the official images.

Image structure verified from upstream Dockerfiles:
backend: /app/backend/ (source + .venv) matches start.sh cd /app/backend
frontend: /app/frontend/ (built .next + node_modules) matches start.sh cd /app/frontend

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Dockerfile

@@ -3,92 +3,39 @@
 # HuggingFlow — DeerFlow Research Agent for Hugging Face Spaces
 # ════════════════════════════════════════════════════════════════
 #
-# Single-container deployment of DeerFlow (frontend + backend + nginx)
+# Uses official pre-built DeerFlow images from GHCR — no compile step.
+# Build time: ~5 min (was 30+ min building from source).
+#
 # Public port 7860 → health-server.js → nginx:7861 → backend:8001 / frontend:3000
 #
 # Build args:
-#   DEER_FLOW_REF  — git ref to clone (branch/tag/sha, default: main)
-#   UV_IMAGE       — uv tool image (default: ghcr.io/astral-sh/uv:0.7.20)
-#   NODE_MAJOR     — Node.js major version (default: 22)
+#   DEERFLOW_BACKEND  — backend image (default: ghcr.io/bytedance/deer-flow-backend:latest)
+#   DEERFLOW_FRONTEND — frontend image (default: ghcr.io/bytedance/deer-flow-frontend:latest)
+#   UV_IMAGE          — uv tool image  (default: ghcr.io/astral-sh/uv:0.7.20)
+#   NODE_MAJOR        — Node.js major version (default: 22)
 
 ARG UV_IMAGE=ghcr.io/astral-sh/uv:0.7.20
-ARG DEER_FLOW_REF=main
+ARG DEERFLOW_BACKEND=ghcr.io/bytedance/deer-flow-backend:latest
+ARG DEERFLOW_FRONTEND=ghcr.io/bytedance/deer-flow-frontend:latest
 
 # ── uv source ────────────────────────────────────────────────────
 FROM ${UV_IMAGE} AS uv-source
 
-# ── Stage 1: Clone DeerFlow source ───────────────────────────────
+# ── Pre-built DeerFlow images (no source compilation needed) ──────
+# Backend image layout:  /app/backend/ (Python source + .venv)
+# Frontend image layout: /app/frontend/ (built .next + node_modules)
+FROM ${DEERFLOW_BACKEND} AS backend-src
+FROM ${DEERFLOW_FRONTEND} AS frontend-src
+
+# ── Minimal source clone (skills + config only) ───────────────────
+# skills/ and config.example.yaml are not bundled in the official images
 FROM alpine/git:latest AS source
-ARG DEER_FLOW_REF
 RUN git clone --depth=1 \
     https://github.com/bytedance/deer-flow.git /src && \
     cd /src && \
     git log --oneline -1
 
-# ── Stage 2: Build Next.js frontend ──────────────────────────────
-FROM node:22-alpine AS frontend-builder
-
-RUN corepack enable && corepack install -g pnpm@10.26.2
-
-WORKDIR /app
-COPY --from=source /src/frontend ./frontend
-
-# pnpm virtual store uses hard links — COPY in later stages works correctly
-# BuildKit cache mount makes pnpm install survive flaky HF Spaces network
-RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
-    cd frontend && \
-    ( pnpm install --frozen-lockfile \
-      || (echo "pnpm install retry 2" && pnpm install --frozen-lockfile) \
-      || (echo "pnpm install retry 3" && pnpm install --frozen-lockfile) )
-
-# SKIP_ENV_VALIDATION=1 bypasses t3-oss env checks (no secrets at build time)
-# NODE_OPTIONS caps heap to 3 GB — prevents OOMKilled on HF Spaces build servers
-RUN cd frontend && SKIP_ENV_VALIDATION=1 NODE_OPTIONS="--max-old-space-size=3072" pnpm build
-
-# ── Stage 3: Install Python backend dependencies ──────────────────
-# NOTE: COPY --from=frontend-builder serializes this stage after the frontend build.
-# BuildKit would otherwise run both stages in parallel, exhausting HF Spaces build memory.
-FROM python:3.12-slim-bookworm AS backend-builder
-
-# Serialize: wait for frontend stage to finish before starting backend compilation.
-# This prevents OOMKilled caused by Next.js + grpcio compilation running simultaneously.
-COPY --from=frontend-builder /app/frontend/.next/package.json /tmp/.frontend-build-done
-
-COPY --from=uv-source /uv /uvx /usr/local/bin/
-
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    build-essential ca-certificates curl git \
-    && rm -rf /var/lib/apt/lists/*
-
-ENV UV_HTTP_TIMEOUT=120 \
-    UV_CONCURRENT_DOWNLOADS=2 \
-    UV_INDEX_URL=https://pypi.org/simple \
-    UV_LINK_MODE=copy
-
-WORKDIR /app
-COPY --from=source /src/backend ./backend
-
-# uv sync with BuildKit cache mount (matches DeerFlow's official Dockerfile pattern):
-# - --mount=type=cache persists uv's wheel cache across retries within the same RUN,
-#   so each retry only re-fetches the wheel(s) that failed previously
-# - --no-install-package skips heavy markitdown[all] extras not needed for web research:
-#   speechrecognition (audio), magika+onnxruntime (file detection), pdfminer-six (PDF)
-#   — saves ~65MB of downloads on a flaky HF Spaces build network
-RUN --mount=type=cache,target=/root/.cache/uv,sharing=locked \
-    cd backend && \
-    ( uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six \
-      || (echo "retry 2"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 3"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 4"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 5"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 6"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 7"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 8"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 9"  && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "retry 10" && uv sync --no-install-package onnxruntime --no-install-package magika --no-install-package speechrecognition --no-install-package pdfminer-six) \
-      || (echo "ERROR: uv sync failed after 10 attempts" && exit 1) )
-
-# ── Stage 4: Runtime ─────────────────────────────────────────────
+# ── Runtime ───────────────────────────────────────────────────────
 FROM python:3.12-slim-bookworm
 
 ENV LANG=C.UTF-8 \
@@ -98,12 +45,12 @@ ENV LANG=C.UTF-8 \
 
 ARG NODE_MAJOR=22
 
-# Install: nginx, curl, jq, gnupg (separate layer — cached independently)
+# Layer 1: nginx + base tools (rarely changes — stays cached)
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl ca-certificates gnupg nginx jq \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Node.js (separate layer so apt cache miss doesn't re-download pip packages)
+# Layer 2: Node.js (separate layer — apt network stall doesn't force pip re-run)
 RUN mkdir -p /etc/apt/keyrings \
     && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
        | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
@@ -113,7 +60,7 @@ RUN mkdir -p /etc/apt/keyrings \
     && apt-get update && apt-get install -y --no-install-recommends nodejs \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Python helpers (separate layer + retries for flaky HF Spaces network)
+# Layer 3: Python helpers with retries (flaky HF Spaces network)
 RUN pip3 install --no-cache-dir --break-system-packages --timeout 120 --retries 5 \
         huggingface_hub pyyaml \
     || (echo "pip retry 2" && pip3 install --no-cache-dir --break-system-packages --timeout 120 --retries 5 huggingface_hub pyyaml) \
@@ -123,7 +70,7 @@ RUN pip3 install --no-cache-dir --break-system-packages --timeout 120 --retries
 # pnpm for `pnpm start` in Next.js runtime
 RUN corepack enable && corepack install -g pnpm@10.26.2
 
-# uv for backend startup
+# uv for backend startup (`uv run --no-sync uvicorn ...`)
 COPY --from=uv-source /uv /uvx /usr/local/bin/
 
 # ── Create non-root user UID=1000 (required by HF Spaces) ────────
@@ -135,26 +82,25 @@ RUN useradd -m -u 1000 -s /bin/bash user && \
         /app/data \
         /tmp/nginx-tmp && \
     chown -R 1000:1000 /app /tmp/nginx-tmp && \
-    # nginx non-root: redirect all temp/pid/log paths to writable dirs
     chown -R 1000:1000 /var/log/nginx /var/lib/nginx 2>/dev/null || true
 
-# ── Copy built artifacts ──────────────────────────────────────────
-# Backend: Python source + pre-built .venv from uv sync
-COPY --from=backend-builder --chown=1000:1000 /app/backend /app/backend
-# Skills directory (read-only agent skills)
-COPY --from=source --chown=1000:1000 /src/skills /app/skills
-# Config template (used to generate config.yaml at startup)
+# ── Copy pre-built DeerFlow artifacts ────────────────────────────
+# Backend: Python source + pre-built .venv (no uv sync / grpcio compile)
+COPY --from=backend-src  --chown=1000:1000 /app/backend  /app/backend
+# Frontend: built .next + node_modules (no pnpm install / Next.js build)
+COPY --from=frontend-src --chown=1000:1000 /app/frontend /app/frontend
+# Skills (not bundled in official images)
+COPY --from=source --chown=1000:1000 /src/skills           /app/skills
+# Config template
 COPY --from=source --chown=1000:1000 /src/config.example.yaml /app/config.example.yaml
-# Frontend: built .next + node_modules (pnpm hard links — self-contained after COPY)
-COPY --from=frontend-builder --chown=1000:1000 /app/frontend /app/frontend
 
 # ── Copy HuggingFlow runtime scripts ─────────────────────────────
-COPY --chown=1000:1000 nginx.conf                  /etc/nginx/nginx.conf
-COPY --chown=1000:1000 start.sh                    /app/start.sh
-COPY --chown=1000:1000 deerflow-sync.py            /app/deerflow-sync.py
-COPY --chown=1000:1000 health-server.js            /app/health-server.js
-COPY --chown=1000:1000 cloudflare-proxy.js         /app/cloudflare-proxy.js
-COPY --chown=1000:1000 cloudflare-proxy-setup.py   /app/cloudflare-proxy-setup.py
+COPY --chown=1000:1000 nginx.conf                    /etc/nginx/nginx.conf
+COPY --chown=1000:1000 start.sh                      /app/start.sh
+COPY --chown=1000:1000 deerflow-sync.py              /app/deerflow-sync.py
+COPY --chown=1000:1000 health-server.js              /app/health-server.js
+COPY --chown=1000:1000 cloudflare-proxy.js           /app/cloudflare-proxy.js
+COPY --chown=1000:1000 cloudflare-proxy-setup.py     /app/cloudflare-proxy-setup.py
 COPY --chown=1000:1000 cloudflare-keepalive-setup.py /app/cloudflare-keepalive-setup.py
 
 RUN chmod +x \
@@ -168,8 +114,8 @@ WORKDIR /app
 
 EXPOSE 7860
 
-# 120s start period: frontend build + backend uv sync + DB init takes ~60-90s on cold start
-HEALTHCHECK --interval=30s --timeout=10s --start-period=120s \
+# 60s start period — no compilation, just config generation + service startup
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s \
     CMD curl -fsS http://localhost:7860/health || exit 1
 
 CMD ["/app/start.sh"]