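# Sequential Thinking Age-Encrypted Wrapper
# Beat 1: Plaintext skeleton - encryption added in Beat 2
#
# Three stages: a Go build stage for the wrapper binary, a Python stage that
# currently only supplies the MCP server stub, and a Debian runtime stage that
# runs both behind /entrypoint.sh as the non-root user "seqthink".
#
# NOTE(review): all three base images are referenced by tag only. For
# reproducible builds, pin each FROM by digest (tag@sha256:<digest>).

# Stage 1: Build Go wrapper
FROM golang:1.23-alpine AS go-builder

WORKDIR /build

# Install build dependencies
RUN apk add --no-cache git make

# Copy go mod files first so the module download layer stays cached until
# go.mod/go.sum change.
COPY go.mod go.sum ./
RUN go mod download

# Copy source code.
# NOTE(review): this copies the whole build context. Make sure .dockerignore
# excludes .git, .env files and any local key material; the stage is discarded
# from the final image, but its layers can still end up in an exported or
# shared build cache.
COPY . .

# Build the wrapper binary: static, stripped, no cgo, so it runs on the
# Debian runtime image without any Alpine/musl libraries.
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo \
    -ldflags '-w -s -extldflags "-static"' \
    -o seqthink-wrapper \
    ./cmd/seqthink-wrapper

# Stage 2: Build Python MCP server
FROM python:3.11-slim AS python-builder

WORKDIR /mcp

# Install Sequential Thinking MCP server dependencies
# Note: For Beat 1, we'll use a minimal Python HTTP server
# Full MCP server integration happens in later beats
#
# NOTE(review): only /mcp/server.py is copied out of this stage, so the
# packages installed here never reach the runtime image; the runtime stage
# installs the same pins again. Keep the two lists in sync, or move them to
# one requirements file (ideally installed with --require-hashes).
RUN pip install --no-cache-dir \
    fastapi==0.109.0 \
    uvicorn[standard]==0.27.0 \
    pydantic==2.5.3

# Copy MCP server stub (to be replaced with real implementation)
COPY deploy/seqthink/mcp_stub.py /mcp/server.py

# Stage 3: Runtime
FROM debian:bookworm-slim

# Install runtime dependencies (update + install + cleanup in one layer so the
# apt index is never stale and never shipped).
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    ca-certificates \
    python3 \
    python3-pip && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Install Python packages in runtime.
# --break-system-packages is needed because bookworm marks the system Python
# as externally managed.
# NOTE(review): these exact pins should be re-checked against current security
# advisories before this leaves the skeleton phase, and pip itself stays in
# the runtime image after this step.
RUN pip3 install --no-cache-dir --break-system-packages \
    fastapi==0.109.0 \
    uvicorn[standard]==0.27.0 \
    pydantic==2.5.3

# Create non-root user with a fixed UID so orchestrators can verify it.
RUN useradd -r -u 1000 -m -s /bin/bash seqthink

# Copy binaries (root-owned, so the service user cannot modify them)
COPY --from=go-builder /build/seqthink-wrapper /usr/local/bin/
COPY --from=python-builder /mcp/server.py /opt/mcp/server.py

# Copy entrypoint
COPY deploy/seqthink/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Setup directories.
# NOTE(review): /etc/seqthink is made writable by the service user. If it only
# holds configuration or key material that the process reads, root ownership
# with read-only access for seqthink would be tighter; confirm what
# entrypoint.sh writes there.
RUN mkdir -p /etc/seqthink /var/log/seqthink && \
    chown -R seqthink:seqthink /etc/seqthink /var/log/seqthink

# Switch to non-root user
USER seqthink
WORKDIR /home/seqthink

# Health check.
# curl is not installed in this image, so a curl-based probe would always fail
# and mark the container unhealthy. python3 is already present: urlopen raises
# (non-zero exit) on connection errors and on HTTP status >= 400.
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD python3 -c "import urllib.request; urllib.request.urlopen('http://localhost:8443/health', timeout=5)" || exit 1

# Expose wrapper port (MCP server on 127.0.0.1:8000 is internal only)
EXPOSE 8443

# Run entrypoint (exec form, so the script is PID 1 and receives SIGTERM).
# NOTE(review): entrypoint.sh is not visible here; it should `exec` the
# long-running process so signals reach it.
ENTRYPOINT ["/entrypoint.sh"]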