Prisma cannot run in webapp Docker runner stage

.env.localhost

@@ -1,35 +1,81 @@
-POSTGRES_PRISMA_URL="postgres://postgres:postgres@postgres:5432/postgres?pgbouncer=true&connect_timeout=15"
-POSTGRES_URL_NON_POOLING="postgres://postgres:postgres@postgres:5432/postgres"
-INFERENCE_SERVER_SECRET=localhost-secret
-AUTOINTERP_SERVER_SECRET=localhost-secret
-GRAPH_SERVER_SECRET=localhost-secret
-USE_LOCALHOST_INFERENCE=true
-USE_LOCALHOST_AUTOINTERP=false
-OPENAI_API_KEY=${OPENAI_API_KEY} # this is required for explanation search to work!
-HOSTNAME=0.0.0.0
-PORT=3000
+# ========================== Application Settings ==========================
+
+# Domain and Server Configuration
 NEXT_PUBLIC_URL=http://localhost:3000
 NEXTAUTH_URL=http://localhost:3000
+HOSTNAME=0.0.0.0
+PORT=3000
+IS_DOCKER_COMPOSE=true
+
+# Authentication
 NEXTAUTH_SECRET=88888888888888888888888888888888
+
+# Contact Information
+[email protected]
+
+# ========================== Database Configuration ==========================
+
+# Postgres Connection Strings
+POSTGRES_PRISMA_URL="postgres://postgres:postgres@postgres:5432/postgres?pgbouncer=true&connect_timeout=15"
+POSTGRES_URL_NON_POOLING="postgres://postgres:postgres@postgres:5432/postgres"
+
+# Postgres Credentials
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=postgres
+
+# ========================== Feature Flags ==========================
+
 NEXT_PUBLIC_ENABLE_SIGNIN=false
+NEXT_PUBLIC_DEMO_MODE=false
+
+# ========================== Default Model Configuration ==========================
+
+# Model Defaults
+NEXT_PUBLIC_DEFAULT_MODELID=gemma-2-2b
+NEXT_PUBLIC_DEFAULT_SOURCESET=gemmascope-res-16k
+NEXT_PUBLIC_DEFAULT_SOURCE=20-gemmascope-res-16k
+NEXT_PUBLIC_DEFAULT_RELEASE_NAME=gemma-scope
+
+# Steering Configuration
+NEXT_PUBLIC_DEFAULT_STEER_MODEL=gemma-2-2b-it
+NEXT_PUBLIC_STEER_FORCE_ALLOW_INSTRUCT_MODELS=gemma-2-2b-it
+
+# ========================== Default User IDs ==========================
+
 DEFAULT_CREATOR_USER_ID=clkht01d40000jv08hvalcvly
 PUBLIC_ACTIVATIONS_USER_IDS=clsxqq2xd0000vvp2k5itlhqj,clkht01d40000jv08hvalcvly,cljqfoqm1000776wmbr1f5mux,cljj57d3c000076ei38vwnv35
 INFERENCE_ACTIVATION_USER_ID=cljgamm90000076zdchicy6zj
 
-NEXT_PUBLIC_STEER_FORCE_ALLOW_INSTRUCT_MODELS=gemma-2-2b-it
-IS_DOCKER_COMPOSE=true
+# ========================== External Services Configuration ==========================
 
-# NEXT_PUBLIC_DEFAULT_STEER_MODEL=gemma-2-2b-it
-# NEXT_PUBLIC_DEFAULT_MODELID=gemma-2-2b
-# NEXT_PUBLIC_DEFAULT_SOURCESET=gemmascope-res-16k
-# NEXT_PUBLIC_DEFAULT_SOURCE=20-gemmascope-res-16k
-# NEXT_PUBLIC_DEFAULT_RELEASE_NAME=gemma-scope
-NEXT_PUBLIC_DEMO_MODE=false
+# Inference Server
+USE_LOCALHOST_INFERENCE=true
+INFERENCE_SERVER_SECRET=localhost-secret
 
+# Autointerp Server
+USE_LOCALHOST_AUTOINTERP=false
+AUTOINTERP_SERVER_SECRET=localhost-secret
 
-POSTGRES_USER=postgres
-POSTGRES_PASSWORD=postgres
-POSTGRES_DB=postgres
+# Graph Server
+GRAPH_SERVER_SECRET=localhost-secret
+
+# ========================== AI API Keys ==========================
+# NOTE: Sensitive API keys are defined in .env (gitignored) and referenced here
+# To set your keys, edit .env file in the root directory
+
+# Hugging Face (defined in .env)
+HF_TOKEN=${HF_TOKEN}
 
+# OpenAI (required for explanation search, defined in .env)
+OPENAI_API_KEY=${OPENAI_API_KEY}
 
+# Azure OpenAI (for embeddings, defined in .env)
+AZURE_OPENAI_API_KEY=${AZURE_OPENAI_API_KEY}
+AZURE_OPENAI_ENDPOINT=${AZURE_OPENAI_ENDPOINT}
+EMBEDDING_PROVIDER=azure
 
+# Optional API Keys (define in .env to use)
+# ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+# GEMINI_API_KEY=${GEMINI_API_KEY}
+# OPENROUTER_API_KEY=${OPENROUTER_API_KEY}

apps/autointerp/Dockerfile

@@ -2,20 +2,76 @@ ARG BUILD_TYPE
 ARG CUDA_VERSION=12.1.0
 ARG UBUNTU_VERSION=22.04
 
+# Optional custom CA bundle file support
+ARG CUSTOM_CA_BUNDLE
+
 # NON-CUDA base
 FROM python:3.10-slim AS base-nocuda
 
+# Re-declare ARG after FROM (ARGs don't persist across FROM statements)
+ARG CUSTOM_CA_BUNDLE
+
+# Copy the CA bundle file if provided, otherwise copy nothing (using .nocustomca as a no-op)
+COPY ${CUSTOM_CA_BUNDLE:-.nocustomca} /tmp/ca-bundle-temp
+
+# Set up CA certificates and environment if bundle was provided
+RUN if [ -f /tmp/ca-bundle-temp ] && [ "${CUSTOM_CA_BUNDLE}" != ".nocustomca" ]; then \
+    apt-get update && apt-get install -y ca-certificates && \
+    mkdir -p /usr/local/share/ca-certificates && \
+    mv /tmp/ca-bundle-temp /usr/local/share/ca-certificates/custom-ca.crt && \
+    cat /usr/local/share/ca-certificates/custom-ca.crt >> /etc/ssl/certs/ca-certificates.crt && \
+    update-ca-certificates && \
+    rm -rf /var/lib/apt/lists/*; \
+    else \
+    rm -f /tmp/ca-bundle-temp; \
+    fi
+
+# Set SSL environment variables if CA bundle was provided
+ENV SSL_CERT_FILE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV SSL_CERT_DIR=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs}
+ENV REQUESTS_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV CURL_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV GIT_SSL_CAINFO=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+
 # CUDA base
 FROM nvidia/cuda:${CUDA_VERSION}-runtime-ubuntu${UBUNTU_VERSION} AS base-cuda
-# Nvidia container toolkit
-RUN apt-get update && apt-get install -y \
-    curl gpg
-RUN curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
-    && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
-    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
-    tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+
+# Re-declare ARG after FROM (ARGs don't persist across FROM statements)
+ARG CUSTOM_CA_BUNDLE
+
+# Copy the CA bundle file if provided, otherwise copy nothing (using .nocustomca as a no-op)
+COPY ${CUSTOM_CA_BUNDLE:-.nocustomca} /tmp/ca-bundle-temp
+
+# Install dependencies and set up CA certificates, then download NVIDIA toolkit
+RUN apt-get update && apt-get install -y curl gpg ca-certificates && \
+    if [ -f /tmp/ca-bundle-temp ] && [ "${CUSTOM_CA_BUNDLE}" != ".nocustomca" ]; then \
+        mkdir -p /usr/local/share/ca-certificates && \
+        mv /tmp/ca-bundle-temp /usr/local/share/ca-certificates/custom-ca.crt && \
+        cat /usr/local/share/ca-certificates/custom-ca.crt >> /etc/ssl/certs/ca-certificates.crt && \
+        update-ca-certificates && \
+        export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt && \
+        curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg && \
+        curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+        sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+        tee /etc/apt/sources.list.d/nvidia-container-toolkit.list; \
+    else \
+        rm -f /tmp/ca-bundle-temp && \
+        curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg && \
+        curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+        sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+        tee /etc/apt/sources.list.d/nvidia-container-toolkit.list; \
+    fi && \
+    rm -rf /var/lib/apt/lists/*
+
+# Set SSL environment variables if CA bundle was provided
+ENV SSL_CERT_FILE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV SSL_CERT_DIR=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs}
+ENV REQUESTS_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV CURL_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV GIT_SSL_CAINFO=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
 RUN apt-get update && apt-get install -y \
-    nvidia-container-toolkit
+    nvidia-container-toolkit \
+    && rm -rf /var/lib/apt/lists/*
 RUN apt-get update && apt-get install -y \
     python3.10 \
     python3-pip \
@@ -31,6 +87,9 @@ WORKDIR /app
 
 ENV HOST=0.0.0.0
 
+# Optional custom CA bundle file support (re-declare for final stage)
+ARG CUSTOM_CA_BUNDLE
+
 # Ignore hash sum mismatch for apt-get
 RUN echo "Acquire::http::Pipeline-Depth 0;" > /etc/apt/apt.conf.d/99custom && \
     echo "Acquire::http::No-Cache true;" >> /etc/apt/apt.conf.d/99custom && \
@@ -42,6 +101,7 @@ RUN apt-get update && apt-get install -y \
     gcc \
     g++ \
     make \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 # Install poetry
@@ -50,6 +110,19 @@ RUN pip install poetry
 ENV POETRY_VIRTUALENVS_CREATE=false
 RUN poetry config virtualenvs.create false
 
+# Set SSL environment variables if CA bundle was provided (for final stage)
+ENV SSL_CERT_FILE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV SSL_CERT_DIR=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs}
+ENV REQUESTS_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV CURL_CA_BUNDLE=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+ENV GIT_SSL_CAINFO=${CUSTOM_CA_BUNDLE:+/etc/ssl/certs/ca-certificates.crt}
+
+# Configure poetry/pip to use custom CA if provided
+RUN if [ -n "${CUSTOM_CA_BUNDLE}" ] && [ "${CUSTOM_CA_BUNDLE}" != ".nocustomca" ]; then \
+    pip config set global.cert /etc/ssl/certs/ca-certificates.crt && \
+    poetry config certificates.default.cert /etc/ssl/certs/ca-certificates.crt; \
+    fi
+
 # Copy the client package first
 COPY packages/python/neuronpedia-autointerp-client /app/packages/python/neuronpedia-autointerp-client/
 

apps/autointerp/pyproject.toml

@@ -20,6 +20,7 @@ bitsandbytes = "==0.42.0"
 torchtyping = "^0.1.5"
 pytest = "^8.1.1"
 neuronpedia-autointerp-client = {path = "../../packages/python/neuronpedia-autointerp-client"}
+hf-xet = "1.1.3"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^8.3.1"

apps/webapp/Dockerfile

@@ -35,6 +35,38 @@ RUN if [ -n "${CUSTOM_CA_BUNDLE}" ] && [ "${CUSTOM_CA_BUNDLE}" != ".nocustomca"
 # Install OpenSSL and bash
 RUN apk add --no-cache openssl bash
 
+# Build-time environment variables (only NEXT_PUBLIC_* are inlined into JS bundle)
+# Reference: https://nextjs.org/docs/pages/building-your-application/configuring/environment-variables
+# For local/Docker Compose: Uses env_file at runtime (simpler)
+# For K8s/production: Pass these as build args in CI, inject others via ConfigMaps/Secrets at runtime
+ARG NEXT_PUBLIC_URL
+ARG NEXT_PUBLIC_CONTACT_EMAIL_ADDRESS
+ARG NEXT_PUBLIC_DEFAULT_MODELID
+ARG NEXT_PUBLIC_DEFAULT_SOURCESET
+ARG NEXT_PUBLIC_DEFAULT_SOURCE
+ARG NEXT_PUBLIC_DEFAULT_RELEASE_NAME
+ARG NEXT_PUBLIC_DEFAULT_STEER_MODEL
+ARG NEXT_PUBLIC_STEER_FORCE_ALLOW_INSTRUCT_MODELS
+ARG NEXT_PUBLIC_ENABLE_SIGNIN
+ARG NEXT_PUBLIC_DEMO_MODE
+ARG NEXT_PUBLIC_SEARCH_TOPK_MAX_CHAR_LENGTH
+ARG NEXT_PUBLIC_SITE_NAME_VERCEL_DEPLOY
+
+# Convert ARGs to ENVs so they're available in child stages during build
+# Note: All other (non-NEXT_PUBLIC_*) variables should be injected at runtime
+ENV NEXT_PUBLIC_URL=${NEXT_PUBLIC_URL} \
+    NEXT_PUBLIC_CONTACT_EMAIL_ADDRESS=${NEXT_PUBLIC_CONTACT_EMAIL_ADDRESS} \
+    NEXT_PUBLIC_DEFAULT_MODELID=${NEXT_PUBLIC_DEFAULT_MODELID} \
+    NEXT_PUBLIC_DEFAULT_SOURCESET=${NEXT_PUBLIC_DEFAULT_SOURCESET} \
+    NEXT_PUBLIC_DEFAULT_SOURCE=${NEXT_PUBLIC_DEFAULT_SOURCE} \
+    NEXT_PUBLIC_DEFAULT_RELEASE_NAME=${NEXT_PUBLIC_DEFAULT_RELEASE_NAME} \
+    NEXT_PUBLIC_DEFAULT_STEER_MODEL=${NEXT_PUBLIC_DEFAULT_STEER_MODEL} \
+    NEXT_PUBLIC_STEER_FORCE_ALLOW_INSTRUCT_MODELS=${NEXT_PUBLIC_STEER_FORCE_ALLOW_INSTRUCT_MODELS} \
+    NEXT_PUBLIC_ENABLE_SIGNIN=${NEXT_PUBLIC_ENABLE_SIGNIN} \
+    NEXT_PUBLIC_DEMO_MODE=${NEXT_PUBLIC_DEMO_MODE} \
+    NEXT_PUBLIC_SEARCH_TOPK_MAX_CHAR_LENGTH=${NEXT_PUBLIC_SEARCH_TOPK_MAX_CHAR_LENGTH} \
+    NEXT_PUBLIC_SITE_NAME_VERCEL_DEPLOY=${NEXT_PUBLIC_SITE_NAME_VERCEL_DEPLOY}
+
 ###############################################################################################
 # Install dependencies only when needed
 FROM base AS deps
@@ -56,12 +88,9 @@ COPY apps/webapp ./
 # Ensure startup script is executable
 RUN chmod +x ./init.sh
 
-# Load environment variables from dotenv file
-ARG ENV_FILE=.env.localhost
-COPY ${ENV_FILE} .env
-
 # Build without database operations - only generate Prisma client and build Next.js
-RUN bash -c 'set -a && source .env && set +a && npm run build:simple'
+# Environment variables are inherited from base stage
+RUN npm run build:simple
 
 ###############################################################################################
 # Database initialization image (has access to ts-node and dev dependencies)
@@ -75,16 +104,11 @@ COPY apps/webapp ./
 # Install ts-node globally for seeding
 RUN npm install -g ts-node typescript
 
-# Load environment variables from dotenv file
-ARG ENV_FILE=.env.localhost
-COPY ${ENV_FILE} .env
-
-# Generate Prisma client for db operations
-RUN bash -c 'set -a && source .env && set +a && npx prisma generate'
-
 # Make db-init script executable
 RUN chmod +x db-init.sh
 
+# Note: Prisma client is already generated in builder stage (via npm run build:simple)
+# This stage only runs db push, migrations, and seeding against live database
 CMD ["./db-init.sh"]
 
 ###############################################################################################
@@ -108,8 +132,10 @@ COPY --from=builder --chown=nextjs:nodejs /app/prisma ./prisma
 # Copy startup script for runtime
 COPY --from=builder --chown=nextjs:nodejs /app/init.sh ./init.sh
 
-# Copy environment file for runtime
-COPY --from=builder --chown=nextjs:nodejs /app/.env ./.env
+# NOTE: .env files are NOT copied to production image
+# Environment variables are injected at runtime via:
+# - Kubernetes: ConfigMaps/Secrets
+# - Docker Compose: --env-file flag (e.g., docker compose --env-file .env.localhost up)
 
 USER nextjs