From 190704a4eb799ca8ee3990ddc94f4565463aaff9 Mon Sep 17 00:00:00 2001
From: tegwick <bernd.worsch@gmail.com>
Date: Sun, 3 May 2026 01:43:50 +0200
Subject: [PATCH] Locked in cytoscape.js as visualization for dep graph

---
 state-hub/.dockerignore                       | 18 ++++++
 state-hub/Dockerfile                          | 49 ++++++++++++++++
 state-hub/docs/container-image.md             | 56 +++++++++++++++++++
 ...P-0011-state-hub-threephoenix-migration.md | 13 ++++-
 4 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 state-hub/.dockerignore
 create mode 100644 state-hub/Dockerfile
 create mode 100644 state-hub/docs/container-image.md

diff --git a/state-hub/.dockerignore b/state-hub/.dockerignore
new file mode 100644
index 0000000..7a5b430
--- /dev/null
+++ b/state-hub/.dockerignore
@@ -0,0 +1,18 @@
+.venv
+.pytest_cache
+__pycache__
+**/__pycache__
+*.pyc
+*.pyo
+*.pyd
+.env
+.env.*
+!.env.example
+dashboard/node_modules
+dashboard/dist
+dashboard/src/.observablehq/cache
+dashboard/.observablehq/cache
+kubectl
+tests
+docs
+infra
diff --git a/state-hub/Dockerfile b/state-hub/Dockerfile
new file mode 100644
index 0000000..534811e
--- /dev/null
+++ b/state-hub/Dockerfile
@@ -0,0 +1,49 @@
+FROM python:3.12-slim AS runtime
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/app/.venv/bin:${PATH}"
+
+WORKDIR /app
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl ca-certificates \
+    && rm -rf /var/lib/apt/lists/* \
+    && pip install --no-cache-dir uv
+
+COPY pyproject.toml ./
+
+RUN python - <<'PY' > /tmp/requirements.txt
+import tomllib
+
+with open("pyproject.toml", "rb") as f:
+    project = tomllib.load(f)["project"]
+
+for dep in project["dependencies"]:
+    # llm-connect is currently a local editable test integration in this repo.
+    # The State Hub API/MCP runtime does not import it, and a container build
+    # must not depend on /home/worsch existing inside the image.
+    if dep == "llm-connect":
+        continue
+    print(dep)
+PY
+
+RUN uv venv /app/.venv \
+    && uv pip install --python /app/.venv/bin/python --no-cache -r /tmp/requirements.txt
+
+COPY alembic.ini ./
+COPY api/ ./api/
+COPY flows/ ./flows/
+COPY mcp_server/ ./mcp_server/
+COPY migrations/ ./migrations/
+COPY policies/ ./policies/
+COPY prompts/ ./prompts/
+COPY scripts/ ./scripts/
+COPY task_flow_engine/ ./task_flow_engine/
+
+EXPOSE 8000
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/state/health', timeout=3).read()"
+
+CMD ["uvicorn", "api.main:app", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/state-hub/docs/container-image.md b/state-hub/docs/container-image.md
new file mode 100644
index 0000000..b21414d
--- /dev/null
+++ b/state-hub/docs/container-image.md
@@ -0,0 +1,56 @@
+# State Hub Container Image
+
+The State Hub production image is built from `state-hub/Dockerfile`.
+
+## Build
+
+```bash
+cd state-hub
+docker build -t state-hub:local .
+```
+
+The image installs runtime dependencies from `pyproject.toml` and excludes the
+local editable `llm-connect` dependency. `llm-connect` is currently used by the
+test suite only; the API and MCP runtime do not import it. Removing that
+workstation-local path from the image keeps cluster builds reproducible.
+
+## Runtime
+
+Required environment:
+
+```bash
+DATABASE_URL=postgresql+asyncpg://USER:PASSWORD@HOST:5432/DB
+API_BASE=http://127.0.0.1:8000
+```
+
+The container starts:
+
+```bash
+uvicorn api.main:app --host 0.0.0.0 --port 8000
+```
+
+It includes Alembic migrations and can run migrations with:
+
+```bash
+docker run --rm --env DATABASE_URL=... state-hub:local alembic upgrade head
+```
+
+## Verification
+
+After start, check:
+
+```bash
+curl http://127.0.0.1:8000/state/health
+```
+
+Expected response:
+
+```json
+{"status":"ok","db":"connected"}
+```
+
+## Registry
+
+The final registry target is intentionally not hardcoded yet. CUST-WP-0011
+still has an open human decision for Gitea registry versus an interim external
+registry.
diff --git a/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md b/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
index 4d1c35a..56e7aac 100644
--- a/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
+++ b/workplans/CUST-WP-0011-state-hub-threephoenix-migration.md
@@ -168,7 +168,7 @@ deferred to `CUST-WP-0038`.
 
 ```task
 id: T03
-status: todo
+status: in_progress
 priority: high
 state_hub_task_id: "79908ade-3e38-451b-a403-2361a16a3f3a"
 ```
@@ -186,6 +186,17 @@ Requirements:
 **Done when:** railiance01 can pull the image and a dry-run deployment resolves
 it.
 
+Progress 2026-05-03: added `state-hub/Dockerfile`,
+`state-hub/.dockerignore`, and `state-hub/docs/container-image.md`. Built
+local image `state-hub:local` successfully:
+`sha256:e96dbd1e7d2b63e4fb17584c8c2216088a2c9937bfe880c2ad565c7a9f51c0fc`
+(~106 MB). Verified container `/state/health` returns HTTP 200 against the
+current database when run locally with host networking. Verified Alembic is
+available in-image and reports current revision `r5m6n7o8p9q0 (head)`.
+
+Remaining: choose and authenticate a registry target so the image can be
+tagged, pushed, and pulled from railiance01.
+
 ---
 
 ### T04 — Define State Hub database and app manifests