viktor/broker-sync
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
broker-sync/Dockerfile

76 lines
2.1 KiB
Text
Raw Permalink Normal View History

Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
FROM python:3.12-slim AS builder
ENV POETRY_VERSION=1.8.4 \
POETRY_VIRTUALENVS_IN_PROJECT=true \
PIP_NO_CACHE_DIR=1
Fix live Wealthfolio login + Dockerfile poetry path Context ------- Two live-integration bugs surfaced during the Phase 0.5 auth-spike run against the restored production Wealthfolio. 1. Wealthfolio 3.2's LoginRequest schema is `{ password: String }` — it rejects any request with an unknown `username` field as HTTP 400 (empty body, hard to debug). Upstream source: https://github.com/afadil/wealthfolio/blob/main/apps/server/src/auth.rs#L86-L88 2. Dockerfile referenced `/opt/poetry/bin/poetry` but pip install puts poetry on the normal PATH; POETRY_HOME only affects the self-installer, not `pip install`. Exit 127 in GHA build. This change ----------- - WealthfolioSink.login() sends `{password}` only; kept `username` constructor arg as a stub for the day Wealthfolio adds multi-user. - Dockerfile drops POETRY_HOME and uses `poetry` on PATH. - Test: `_login_ok` now asserts body == {"password": "hunter2"} ("hunter2" is the XKCD placeholder — not a real credential). Test plan --------- ## Automated - poetry run pytest -q → 70 passed - poetry run mypy broker_sync tests → Success: no issues found in 29 source files - poetry run ruff check . → All checks passed! ## Manual Verification (executed live) ``` kubectl -n wealthfolio port-forward svc/wealthfolio 18080:80 & WF_BASE_URL=http://localhost:18080 WF_USERNAME=admin \ WF_PASSWORD=<from-vault> \ poetry run broker-sync auth-spike → "Logged in. 1 account(s) visible." ```
2026-04-17 20:17:24 +00:00
# `pip install` puts poetry on PATH (/usr/local/bin/poetry) — don't bother
# with POETRY_HOME indirection.
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
RUN pip install --no-cache-dir "poetry==${POETRY_VERSION}"
WORKDIR /app
COPY pyproject.toml poetry.lock ./
Fix live Wealthfolio login + Dockerfile poetry path Context ------- Two live-integration bugs surfaced during the Phase 0.5 auth-spike run against the restored production Wealthfolio. 1. Wealthfolio 3.2's LoginRequest schema is `{ password: String }` — it rejects any request with an unknown `username` field as HTTP 400 (empty body, hard to debug). Upstream source: https://github.com/afadil/wealthfolio/blob/main/apps/server/src/auth.rs#L86-L88 2. Dockerfile referenced `/opt/poetry/bin/poetry` but pip install puts poetry on the normal PATH; POETRY_HOME only affects the self-installer, not `pip install`. Exit 127 in GHA build. This change ----------- - WealthfolioSink.login() sends `{password}` only; kept `username` constructor arg as a stub for the day Wealthfolio adds multi-user. - Dockerfile drops POETRY_HOME and uses `poetry` on PATH. - Test: `_login_ok` now asserts body == {"password": "hunter2"} ("hunter2" is the XKCD placeholder — not a real credential). Test plan --------- ## Automated - poetry run pytest -q → 70 passed - poetry run mypy broker_sync tests → Success: no issues found in 29 source files - poetry run ruff check . → All checks passed! ## Manual Verification (executed live) ``` kubectl -n wealthfolio port-forward svc/wealthfolio 18080:80 & WF_BASE_URL=http://localhost:18080 WF_USERNAME=admin \ WF_PASSWORD=<from-vault> \ poetry run broker-sync auth-spike → "Logged in. 1 account(s) visible." ```
2026-04-17 20:17:24 +00:00
RUN poetry install --only main --no-root
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
COPY broker_sync ./broker_sync
Fix live Wealthfolio login + Dockerfile poetry path Context ------- Two live-integration bugs surfaced during the Phase 0.5 auth-spike run against the restored production Wealthfolio. 1. Wealthfolio 3.2's LoginRequest schema is `{ password: String }` — it rejects any request with an unknown `username` field as HTTP 400 (empty body, hard to debug). Upstream source: https://github.com/afadil/wealthfolio/blob/main/apps/server/src/auth.rs#L86-L88 2. Dockerfile referenced `/opt/poetry/bin/poetry` but pip install puts poetry on the normal PATH; POETRY_HOME only affects the self-installer, not `pip install`. Exit 127 in GHA build. This change ----------- - WealthfolioSink.login() sends `{password}` only; kept `username` constructor arg as a stub for the day Wealthfolio adds multi-user. - Dockerfile drops POETRY_HOME and uses `poetry` on PATH. - Test: `_login_ok` now asserts body == {"password": "hunter2"} ("hunter2" is the XKCD placeholder — not a real credential). Test plan --------- ## Automated - poetry run pytest -q → 70 passed - poetry run mypy broker_sync tests → Success: no issues found in 29 source files - poetry run ruff check . → All checks passed! ## Manual Verification (executed live) ``` kubectl -n wealthfolio port-forward svc/wealthfolio 18080:80 & WF_BASE_URL=http://localhost:18080 WF_USERNAME=admin \ WF_PASSWORD=<from-vault> \ poetry run broker-sync auth-spike → "Logged in. 1 account(s) visible." ```
2026-04-17 20:17:24 +00:00
RUN poetry install --only main
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
FROM python:3.12-slim
WORKDIR /app
fidelity-planviewer: bake Chromium into the image for headless Playwright ## Context The Fidelity provider (commit 804e6a8) drives headless Chromium via Playwright to refresh the PlanViewer session cookie jar and scrape the Struts2 transaction history page. The image needs both the Chromium runtime and the Debian system libs Chromium dynamic-links against. ## This change - Adds Playwright's documented Debian 12 dependency set (fonts-liberation, libnss3, libxkbcommon0, xvfb, etc.). - Creates /app/.playwright-browsers owned by the broker user so the non-root process can write the Chromium install, and runs `playwright install chromium` as that user so the browser lands in the right cache path (PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers). - Image size will grow by ~300MB (Chromium headless shell is ~110MB compressed, plus libs). Acceptable — broker-sync runs once a day so pull cost is a one-shot. ## What is NOT in this change - Terraform CronJob / monitoring — separate commit in the infra repo. ## Verification $ docker build -t broker-sync:test . → (will run in CI) $ docker run --rm broker-sync:test fidelity-seed --help → shows the CLI help (can't actually run fidelity-seed headlessly). $ poetry run pytest -q (local) → 128 passed, 1 skipped. Reproduce locally: 1. docker build -t broker-sync:fidelity-test . 2. docker run --rm -v $PWD/tests/fixtures/fidelity:/data broker-sync:fidelity-test \ python -c "from playwright.sync_api import sync_playwright; \ with sync_playwright() as p: b = p.chromium.launch(); b.close(); print('ok')" 3. Expected: "ok" — Chromium launches successfully. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 18:50:54 +00:00
# Playwright needs a big list of system libs for Chromium (fonts, NSS, libs
# for rendering, audio stubs, etc.). Mirror the list Playwright publishes at
# https://playwright.dev/docs/browsers#system-requirements for Debian 12.
# Fidelity PlanViewer is the only consumer today; gated to the fidelity-*
# CronJobs via the provider's explicit Playwright import.
RUN apt-get update && apt-get install --no-install-recommends -y \
ca-certificates \
fonts-liberation \
fonts-noto-color-emoji \
libasound2 \
libatk-bridge2.0-0 \
libatk1.0-0 \
libatspi2.0-0 \
libcairo2 \
libcups2 \
libdbus-1-3 \
libdrm2 \
libexpat1 \
libgbm1 \
libglib2.0-0 \
libnspr4 \
libnss3 \
libpango-1.0-0 \
libx11-6 \
libxcb1 \
libxcomposite1 \
libxdamage1 \
libxext6 \
libxfixes3 \
libxkbcommon0 \
libxrandr2 \
xvfb \
&& rm -rf /var/lib/apt/lists/*
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
RUN useradd --system --uid 10001 --home /app --shell /usr/sbin/nologin broker && \
mkdir -p /data && chown -R broker:broker /data
COPY --from=builder --chown=broker:broker /app /app
fidelity-planviewer: bake Chromium into the image for headless Playwright ## Context The Fidelity provider (commit 804e6a8) drives headless Chromium via Playwright to refresh the PlanViewer session cookie jar and scrape the Struts2 transaction history page. The image needs both the Chromium runtime and the Debian system libs Chromium dynamic-links against. ## This change - Adds Playwright's documented Debian 12 dependency set (fonts-liberation, libnss3, libxkbcommon0, xvfb, etc.). - Creates /app/.playwright-browsers owned by the broker user so the non-root process can write the Chromium install, and runs `playwright install chromium` as that user so the browser lands in the right cache path (PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers). - Image size will grow by ~300MB (Chromium headless shell is ~110MB compressed, plus libs). Acceptable — broker-sync runs once a day so pull cost is a one-shot. ## What is NOT in this change - Terraform CronJob / monitoring — separate commit in the infra repo. ## Verification $ docker build -t broker-sync:test . → (will run in CI) $ docker run --rm broker-sync:test fidelity-seed --help → shows the CLI help (can't actually run fidelity-seed headlessly). $ poetry run pytest -q (local) → 128 passed, 1 skipped. Reproduce locally: 1. docker build -t broker-sync:fidelity-test . 2. docker run --rm -v $PWD/tests/fixtures/fidelity:/data broker-sync:fidelity-test \ python -c "from playwright.sync_api import sync_playwright; \ with sync_playwright() as p: b = p.chromium.launch(); b.close(); print('ok')" 3. Expected: "ok" — Chromium launches successfully. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 18:50:54 +00:00
# Install Chromium into broker's cache so Playwright (running as broker)
# can pick it up. `PLAYWRIGHT_BROWSERS_PATH=0` forces a co-located install
# next to the python package — the simpler path on slim images.
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
ENV PATH="/app/.venv/bin:${PATH}" \
fidelity-planviewer: bake Chromium into the image for headless Playwright ## Context The Fidelity provider (commit 804e6a8) drives headless Chromium via Playwright to refresh the PlanViewer session cookie jar and scrape the Struts2 transaction history page. The image needs both the Chromium runtime and the Debian system libs Chromium dynamic-links against. ## This change - Adds Playwright's documented Debian 12 dependency set (fonts-liberation, libnss3, libxkbcommon0, xvfb, etc.). - Creates /app/.playwright-browsers owned by the broker user so the non-root process can write the Chromium install, and runs `playwright install chromium` as that user so the browser lands in the right cache path (PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers). - Image size will grow by ~300MB (Chromium headless shell is ~110MB compressed, plus libs). Acceptable — broker-sync runs once a day so pull cost is a one-shot. ## What is NOT in this change - Terraform CronJob / monitoring — separate commit in the infra repo. ## Verification $ docker build -t broker-sync:test . → (will run in CI) $ docker run --rm broker-sync:test fidelity-seed --help → shows the CLI help (can't actually run fidelity-seed headlessly). $ poetry run pytest -q (local) → 128 passed, 1 skipped. Reproduce locally: 1. docker build -t broker-sync:fidelity-test . 2. docker run --rm -v $PWD/tests/fixtures/fidelity:/data broker-sync:fidelity-test \ python -c "from playwright.sync_api import sync_playwright; \ with sync_playwright() as p: b = p.chromium.launch(); b.close(); print('ok')" 3. Expected: "ok" — Chromium launches successfully. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 18:50:54 +00:00
PYTHONUNBUFFERED=1 \
PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers
RUN mkdir -p "${PLAYWRIGHT_BROWSERS_PATH}" && \
chown -R broker:broker "${PLAYWRIGHT_BROWSERS_PATH}"
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
USER broker
fidelity-planviewer: bake Chromium into the image for headless Playwright ## Context The Fidelity provider (commit 804e6a8) drives headless Chromium via Playwright to refresh the PlanViewer session cookie jar and scrape the Struts2 transaction history page. The image needs both the Chromium runtime and the Debian system libs Chromium dynamic-links against. ## This change - Adds Playwright's documented Debian 12 dependency set (fonts-liberation, libnss3, libxkbcommon0, xvfb, etc.). - Creates /app/.playwright-browsers owned by the broker user so the non-root process can write the Chromium install, and runs `playwright install chromium` as that user so the browser lands in the right cache path (PLAYWRIGHT_BROWSERS_PATH=/app/.playwright-browsers). - Image size will grow by ~300MB (Chromium headless shell is ~110MB compressed, plus libs). Acceptable — broker-sync runs once a day so pull cost is a one-shot. ## What is NOT in this change - Terraform CronJob / monitoring — separate commit in the infra repo. ## Verification $ docker build -t broker-sync:test . → (will run in CI) $ docker run --rm broker-sync:test fidelity-seed --help → shows the CLI help (can't actually run fidelity-seed headlessly). $ poetry run pytest -q (local) → 128 passed, 1 skipped. Reproduce locally: 1. docker build -t broker-sync:fidelity-test . 2. docker run --rm -v $PWD/tests/fixtures/fidelity:/data broker-sync:fidelity-test \ python -c "from playwright.sync_api import sync_playwright; \ with sync_playwright() as p: b = p.chromium.launch(); b.close(); print('ok')" 3. Expected: "ok" — Chromium launches successfully. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 18:50:54 +00:00
RUN playwright install chromium
Add typer CLI + production Dockerfile Context ------- Closes Phase 0 scaffolding. Image must build and run so infra can schedule an initial no-op CronJob (the plan's Phase 0 exit criterion) while Phase 0.5 / 0.75 / 1 land. This change ----------- - broker_sync/cli.py: typer app with two commands. * `version` — prints __version__; used as the no-op CronJob liveness check. * `auth-spike` — Phase 0.5 end-to-end live probe: log in to Wealthfolio, list accounts, exit 0 on success. Credentials read from env (WF_BASE_URL/USERNAME/PASSWORD) so CronJob + ESO can inject them without CLI flags. - Dockerfile: multi-stage, Python 3.12-slim, non-root user 10001 with /data as the shared PVC mount. Poetry virtualenv baked into /app/.venv, entrypoint is `broker-sync`, default command `version`. - CLI test via typer.testing.CliRunner. Test plan --------- ## Automated - poetry run pytest -q → 32 passed - poetry run mypy broker_sync tests → Success: no issues found in 19 source files - poetry run ruff check . → All checks passed! - poetry run broker-sync version → broker-sync 0.1.0 ## Manual Verification Docker build + run deferred — image will be built via GHA after the repo is pushed to GitHub in a follow-up session; the pyproject install has already been verified locally.
2026-04-17 19:23:54 +00:00
ENTRYPOINT ["broker-sync"]
CMD ["version"]
Reference in a new issue Copy permalink