keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_blocks/deploy-docker.md
denis 0b901cf2f9 feat: KeiSeiKit v0.1.0 — initial public release 
Generic Constructor-Pattern agent kit for Claude Code. Zero personal data,
fully English, MIT-licensed.

Contents:
- 34 reusable blocks (baseline, rules, stack/deploy/domain/api/scraper)
- 14 cross-project agent manifests (code/ml/infra/researcher/critic/...)
- 6 portable skills (/new-agent, /research, /test-gen, /debug-deep, /pr-review, /refactor)
- Rust assembler (single binary, ~500 KB)
- 3 hooks (auto-reassemble, pre-commit validate, no-hand-edit)
- install.sh (idempotent, cargo-builds on first run)
- MIT LICENSE

All 6 sanity greps pass: 0 Russian text, 0 specific project names,
0 incident numbers, 0 user paths, 0 hardcoded IPs, 0 API keys.

cargo check + assemble --validate: both pass on 14 manifests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 23:58:34 +08:00

34 lines
1.7 KiB
Markdown
Raw Blame History

# DEPLOY — Docker
**Dockerfile — multi-stage MANDATORY** (build tools never ship to prod image):
```
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release --bin myapp
FROM gcr.io/distroless/cc-debian12
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
```
**Base image:** `distroless` (preferred, no shell — smaller attack surface) or `alpine` (if musl compat) or `debian:slim`. NEVER `ubuntu:latest` for prod.
**File ops:**
- `COPY` — deterministic. NEVER `ADD` (auto-extracts tars, fetches URLs — surprising behavior).
- `.dockerignore` committed. Includes `.git`, `target/`, `node_modules/`, `.env*`, `secrets/`.
**Secrets:**
- NEVER `ENV SECRET=...` — leaks into image layers forever.
- Build-time secrets via `--secret id=foo,src=./foo.txt` (BuildKit).
- Runtime secrets via env injection from orchestrator / docker-compose `secrets:` (Swarm) / K8s Secret.
**User:** `USER nonroot` (distroless provides it) or explicit `RUN useradd -u 10001 app && USER app`. Running as root = CVE amplifier.
**Healthcheck:** MANDATORY. Orchestrator uses it for readiness/liveness; without it, failed containers stay "up".
**docker-compose:** LOCAL DEV ONLY. For prod, the orchestrator (ECS, Fargate, K8s, Nomad, Docker Swarm) owns the deployment. Typical prod pattern: single container listening on internal port, behind nginx reverse proxy on a public port, colocated on a shared host.
**Forbidden:** `ADD` for local files (use `COPY`); `USER root` in final stage; secrets in `ENV` or `ARG`; missing `HEALTHCHECK`; `docker-compose` as prod orchestrator; `:latest` tags in prod manifests; single-stage Dockerfile that ships build toolchain.
Reference in a new issue View git blame Copy permalink