Merge branch 'main' into multi-stage

Merge pull request 'dev-2026-03-29' (#14 ) from dev-2026-03-29 into main
Reviewed-on: #14
2026-04-16 21:22:54 +00:00 · 2026-04-16 21:22:03 +00:00 · 2026-04-16 21:19:13 +00:00 · 2026-04-16 21:17:13 +00:00 · 2026-04-15 01:27:44 +00:00 · 2026-04-05 22:08:14 +00:00
3 changed files with 33 additions and 9 deletions
--- a/37
+++ b/37
@@ -1,25 +1,46 @@
-FROM python:3.11-slim
+# Stage 1: build dependencies
+FROM python:3.11-slim AS builder

 WORKDIR /app

-# Install system dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y \
    build-essential \
-    curl \
    default-libmysqlclient-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

+# Pre-download wheels to avoid recompiling bcrypt from source
+RUN pip install --no-cache-dir --prefix=/install \
+    'bcrypt==4.0.1' \
+    'cffi>=2.0' \
+    'pycparser>=2.0'
+
 # Install Python dependencies
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
+
+# Stage 2: slim runtime
+FROM python:3.11-slim
+
+WORKDIR /app
+
+# Install runtime dependencies only (no build tools)
+RUN apt-get update && apt-get install -y \
+    default-libmysqlclient-dev \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy installed packages from builder
+COPY --from=builder /install /usr/local

 # Copy application code
-COPY . .
+COPY app/ ./app/
+COPY requirements.txt ./
+
+# Make entrypoint
+COPY entrypoint.sh .
 RUN chmod +x entrypoint.sh

-# Expose port
 EXPOSE 8000
-
-# Wait for wizard config, then start uvicorn
 ENTRYPOINT ["./entrypoint.sh"]
--- a/app/api/routers/users.py
+++ b/app/api/routers/users.py
@@ -241,7 +241,7 @@ def delete_user(
 def reset_user_apikey(
    identifier: str,
    db: Session = Depends(get_db),
-    current_user: models.User = Depends(get_current_user),
+    current_user: models.User = Depends(get_current_user_or_apikey),
 ):
    """Reset (regenerate) a user's API key.

@@ -249,6 +249,8 @@ def reset_user_apikey(
    - user.reset-apikey: can reset any user's API key
    - user.reset-self-apikey: can reset only own API key
    - admin: can reset any user's API key
+
+    Accepts both OAuth2 Bearer token and X-API-Key authentication.
    """
    import secrets
    from app.models.apikey import APIKey
--- a/app/init_wizard.py
+++ b/app/init_wizard.py
@@ -189,6 +189,7 @@ _DEV_PERMISSIONS = {

 _ACCOUNT_MANAGER_PERMISSIONS = {
    "account.create",
+    "user.reset-apikey",
 }

 # Role definitions: (name, description, permission_set)
Author	SHA1	Message	Date
h z	a2f626557e	Merge branch 'main' into multi-stage	2026-04-16 21:22:54 +00:00
h z	c5827db872	Merge pull request 'dev-2026-03-29' (#14 ) from dev-2026-03-29 into main Reviewed-on: #14	2026-04-16 21:22:03 +00:00
orion	7326cadfec	feat: grant user.reset-apikey permission to account-manager role Allows acc-mgr to reset user API keys, enabling automated provisioning workflows via the CLI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 21:19:13 +00:00
orion	1b10c97099	feat: allow API key auth for reset-apikey endpoint Change dependency from get_current_user (OAuth2 only) to get_current_user_or_apikey, enabling account-manager API key to reset user API keys for provisioning workflows. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 21:17:13 +00:00
orion	8434a5d226	feat(Dockerfile): multi-stage build to reduce image size from 852MB to ~200MB Stage 1 (builder): install build deps and pre-download wheels Stage 2 (runtime): copy only installed packages + runtime deps, no build tools	2026-04-15 01:27:44 +00:00
h z	a2ab541b73	Merge pull request 'HarborForge.Backend: dev-2026-03-29 -> main' (#13 ) from dev-2026-03-29 into main Reviewed-on: #13	2026-04-05 22:08:14 +00:00