Generic Constructor-Pattern agent kit for Claude Code. Zero personal data, fully English, MIT-licensed.

Contents:
- 34 reusable blocks (baseline, rules, stack/deploy/domain/api/scraper)
- 14 cross-project agent manifests (code/ml/infra/researcher/critic/...)
- 6 portable skills (/new-agent, /research, /test-gen, /debug-deep, /pr-review, /refactor)
- Rust assembler (single binary, ~500 KB)
- 3 hooks (auto-reassemble, pre-commit validate, no-hand-edit)
- install.sh (idempotent, cargo-builds on first run)
- MIT LICENSE

All 6 sanity greps pass: 0 Russian text, 0 specific project names, 0 incident numbers, 0 user paths, 0 hardcoded IPs, 0 API keys. cargo check + assemble --validate: both pass on 14 manifests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
DEPLOY — Docker
Dockerfile — multi-stage MANDATORY (build tools never ship to prod image):

```dockerfile
# Stage 1: build with the full toolchain; nothing from here ships unless copied out explicitly
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
RUN cargo build --release --bin myapp

# Stage 2: runtime image with no shell or package manager; only the binary is copied in
FROM gcr.io/distroless/cc-debian12
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
# exec form: distroless has no /bin/sh, so a shell-form CMD would fail
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
```
Base image: distroless (preferred, no shell — smaller attack surface), or alpine (if musl-compatible), or `debian:slim`. NEVER `ubuntu:latest` for prod.
File ops:
`COPY` — deterministic. NEVER `ADD` (auto-extracts tars, fetches URLs — surprising behavior). `.dockerignore` committed; includes `.git`, `target/`, `node_modules/`, `.env*`, `secrets/`.
Secrets:
- NEVER `ENV SECRET=...` — leaks into image layers forever.
- Build-time secrets via `--secret id=foo,src=./foo.txt` (BuildKit).
- Runtime secrets via env injection from orchestrator / docker-compose `secrets:` (Swarm) / K8s Secret.
User: `USER nonroot` (distroless provides it) or an explicit `RUN useradd -u 10001 app` followed by `USER app` (`USER` is a Dockerfile instruction, not a shell command, so it cannot be chained onto the `RUN` line). Running as root = CVE amplifier.
Healthcheck: MANDATORY. Orchestrator uses it for readiness/liveness; without it, failed containers stay "up".
docker-compose: LOCAL DEV ONLY. For prod, the orchestrator (ECS, Fargate, K8s, Nomad, Docker Swarm) owns the deployment. Typical prod pattern: single container listening on internal port, behind nginx reverse proxy on a public port, colocated on a shared host.
Forbidden: `ADD` for local files (use `COPY`); `USER root` in final stage; secrets in `ENV` or `ARG`; missing `HEALTHCHECK`; docker-compose as prod orchestrator; `:latest` tags in prod manifests; single-stage Dockerfile that ships build toolchain.
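Added example, not code from this kit: a pre-commit style check that greps a Dockerfile for every item in the Forbidden list above, run against two constructed samples. The "good" sample also shows the Secrets rule in practice: the BuildKit `--mount=type=secret` form, where the value is readable under `/run/secrets/<id>` during one `RUN` and is never written to a layer (the secret id `cargo_token` is a hypothetical name). The ENV/ARG check is a variable-name heuristic, not a secret scanner.

```shell
#!/bin/sh
# Added example (not part of the kit): flag the DEPLOY block's Forbidden items.
# Needs only sh, grep and awk; no docker daemon is required.

# Print the final build stage: everything from the last FROM onward.
final_stage() {
  awk 'toupper($1) == "FROM" { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# lint_dockerfile FILE: one finding per line on stdout; exit status 1 if any finding.
lint_dockerfile() {
  df="$1"
  n=0
  final=$(final_stage "$df")

  # One FROM means the build toolchain ships in the prod image.
  if [ "$(grep -c -i '^FROM[[:space:]]' "$df")" -lt 2 ]; then
    echo "single-stage Dockerfile: build toolchain would ship to prod"; n=$((n + 1))
  fi
  # ADD auto-extracts archives and fetches URLs; COPY is deterministic.
  if grep -q -i '^ADD[[:space:]]' "$df"; then
    echo "ADD used (use COPY)"; n=$((n + 1))
  fi
  # Secret-looking names in ENV/ARG persist in layers and build history (name heuristic only).
  if grep -q -i -E '^(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)' "$df"; then
    echo "secret-looking value in ENV/ARG (inject at runtime or use --secret)"; n=$((n + 1))
  fi
  # Final stage must not run as root: explicit root/0, or no USER at all (the default is root).
  if printf '%s' "$final" | grep -q -i -E '^USER[[:space:]]+(root|0)([[:space:]:]|$)'; then
    echo "USER root in final stage"; n=$((n + 1))
  elif ! printf '%s' "$final" | grep -q -i '^USER[[:space:]]'; then
    echo "no USER in final stage (container defaults to root)"; n=$((n + 1))
  fi
  # Without HEALTHCHECK the orchestrator cannot tell a wedged container from a healthy one.
  if ! printf '%s' "$final" | grep -q -i '^HEALTHCHECK[[:space:]]'; then
    echo "missing HEALTHCHECK in final stage"; n=$((n + 1))
  fi
  # A mutable tag makes the image non-reproducible.
  if grep -q -i -E '^FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$df"; then
    echo "FROM uses :latest tag"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Constructed samples, written to a temp dir so the check runs offline.
TMP=$(mktemp -d)
BAD_DF="$TMP/Dockerfile.bad"
GOOD_DF="$TMP/Dockerfile.good"

cat > "$BAD_DF" <<'EOF'
FROM ubuntu:latest
ADD app.tar.gz /app
ENV API_KEY=changeme
RUN apt-get update && apt-get install -y build-essential
USER root
ENTRYPOINT ["/app/run"]
EOF

cat > "$GOOD_DF" <<'EOF'
# syntax=docker/dockerfile:1
FROM rust:1.80 AS builder
WORKDIR /app
COPY . .
# BuildKit secret (hypothetical id): readable at /run/secrets/cargo_token only during this RUN,
# passed with: docker build --secret id=cargo_token,src=./cargo_token.txt .
RUN --mount=type=secret,id=cargo_token cargo build --release --bin myapp
FROM gcr.io/distroless/cc-debian12
COPY --from=builder /app/target/release/myapp /myapp
USER nonroot:nonroot
HEALTHCHECK --interval=30s --timeout=3s CMD ["/myapp", "--healthcheck"]
ENTRYPOINT ["/myapp"]
EOF

echo "== $BAD_DF"
lint_dockerfile "$BAD_DF" || echo "(not clean)"
echo "== $GOOD_DF"
lint_dockerfile "$GOOD_DF" && echo "clean"
```

Wired in as the pre-commit hook body (`lint_dockerfile Dockerfile || exit 1`), the bad sample is rejected with six findings and the good sample passes; the same checks are what the kit's "pre-commit validate" hook is meant to enforce on the DEPLOY rules.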