chore(infra): wire MLflow/Airflow env vars, fix healthcheck, add .dockerignore

- docker-compose: pass ML_SERVING_URL, MLFLOW_URL, AIRFLOW_URL + creds to api service
- docker-compose: pass NEXT_PUBLIC_MLFLOW_URL/AIRFLOW_URL to admin service
- docker-compose: replace wget healthcheck with node fetch (wget not in node image)
- docker-compose: enable Airflow basic_auth API backend; add MLflow pip dep for DAGs
- Dockerfiles: tighten layer caching, add .dockerignore

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infra/docker/Dockerfile.admin

@@ -1,21 +1,22 @@
-FROM node:22-alpine AS base
-RUN npm install -g pnpm
+# syntax=docker/dockerfile:1.7
 
-FROM base AS deps
-WORKDIR /app
-COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
-COPY packages/shared-types/package.json ./packages/shared-types/
-COPY apps/admin/package.json ./apps/admin/
-RUN pnpm install --frozen-lockfile
+FROM node:22-slim AS base
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
+ && rm -rf /var/lib/apt/lists/* \
+ && npm install -g pnpm
+ENV CI=true \
+    PNPM_HOME=/pnpm \
+    PATH=/pnpm:$PATH
+RUN pnpm config set store-dir /pnpm/store
 
 FROM base AS builder
 WORKDIR /app
-COPY --from=deps /app/node_modules ./node_modules
-COPY --from=deps /app/packages/shared-types/node_modules ./packages/shared-types/node_modules
-COPY --from=deps /app/apps/admin/node_modules ./apps/admin/node_modules
-COPY tsconfig.base.json ./
-COPY packages/shared-types ./packages/shared-types
-COPY apps/admin ./apps/admin
+COPY pnpm-lock.yaml ./
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm fetch
+COPY . .
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+    pnpm install --frozen-lockfile --offline \
+      --filter @oo/admin... --filter @oo/shared-types
 RUN pnpm --filter @oo/shared-types build
 ARG NEXT_PUBLIC_MLFLOW_URL=/mlflow
 ARG NEXT_PUBLIC_AIRFLOW_URL=/airflow
@@ -24,7 +25,7 @@ ENV NEXT_TELEMETRY_DISABLED=1 \
     NEXT_PUBLIC_AIRFLOW_URL=$NEXT_PUBLIC_AIRFLOW_URL
 RUN pnpm --filter @oo/admin build
 
-FROM node:22-alpine AS runner
+FROM node:22-slim AS runner
 ENV NODE_ENV=production NEXT_TELEMETRY_DISABLED=1 PORT=3080
 WORKDIR /app
 COPY --from=builder /app/apps/admin/.next/standalone ./

infra/docker/Dockerfile.api

@@ -1,32 +1,35 @@
-FROM node:22-alpine AS base
-RUN npm install -g pnpm
+# syntax=docker/dockerfile:1.7
 
-FROM base AS deps
-WORKDIR /app
-COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
-COPY packages/shared-types/package.json ./packages/shared-types/
-COPY services/api/package.json ./services/api/
-RUN pnpm install --frozen-lockfile
+FROM node:22-slim AS base
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      python3 make g++ ca-certificates \
+ && rm -rf /var/lib/apt/lists/* \
+ && npm install -g pnpm
+ENV CI=true \
+    PNPM_HOME=/pnpm \
+    PATH=/pnpm:$PATH
+RUN pnpm config set store-dir /pnpm/store
 
 FROM base AS builder
 WORKDIR /app
-COPY --from=deps /app/node_modules ./node_modules
-COPY --from=deps /app/packages/shared-types/node_modules ./packages/shared-types/node_modules
-COPY --from=deps /app/services/api/node_modules ./services/api/node_modules
-COPY tsconfig.base.json ./
-COPY packages/shared-types ./packages/shared-types
-COPY services/api ./services/api
+COPY pnpm-lock.yaml ./
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm fetch
+COPY . .
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+    pnpm install --frozen-lockfile --offline \
+      --filter @oo/api... --filter @oo/shared-types
 RUN pnpm --filter @oo/shared-types build
 RUN pnpm --filter @oo/api build
+RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
+    pnpm --filter @oo/api --prod deploy --legacy /deploy \
+ && cp -r services/api/dist /deploy/dist \
+ && rm -rf /deploy/node_modules/@oo/shared-types/src \
+ && cp -r packages/shared-types/dist /deploy/node_modules/@oo/shared-types/dist
 
-FROM node:22-alpine AS runner
+FROM node:22-slim AS runner
 WORKDIR /app
-RUN npm install -g pnpm
-COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* ./
-COPY packages/shared-types/package.json ./packages/shared-types/
-COPY services/api/package.json ./services/api/
-RUN pnpm install --prod --frozen-lockfile
-COPY --from=builder /app/packages/shared-types/dist ./packages/shared-types/dist
-COPY --from=builder /app/services/api/dist ./services/api/dist
-WORKDIR /app/services/api
+ENV NODE_ENV=production
+COPY --from=builder /deploy/package.json ./
+COPY --from=builder /deploy/node_modules ./node_modules
+COPY --from=builder /deploy/dist ./dist
 CMD ["node", "dist/index.js"]

infra/docker/docker-compose.yml

@@ -11,12 +11,18 @@ services:
     env_file: ../../.env.local
     environment:
       NODE_ENV: production
+      ML_SERVING_URL: "http://ml-serving:8000"
+      MLFLOW_URL: "http://mlflow:5000"
+      AIRFLOW_URL: "http://airflow-webserver:8080"
+      AIRFLOW_API_USER: "admin"
+      AIRFLOW_API_PASSWORD: "${AIRFLOW_ADMIN_PASSWORD:-admin}"
+      INTERNAL_API_TOKEN: "${INTERNAL_API_TOKEN:-}"
     volumes:
       - /mnt/ssd/dbs/oo:/mnt/ssd/dbs/oo
     ports:
       - "127.0.0.1:3078:3078"
     healthcheck:
-      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3078/health"]
+      test: ["CMD", "node", "-e", "fetch('http://localhost:3078/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
       interval: 10s
       timeout: 5s
       retries: 5
@@ -49,6 +55,8 @@ services:
       PORT: "3080"
       HOSTNAME: "0.0.0.0"
       NEXT_PUBLIC_API_URL: ""
+      NEXT_PUBLIC_MLFLOW_URL: "/mlflow"
+      NEXT_PUBLIC_AIRFLOW_URL: "/airflow"
       INTERNAL_API_URL: "http://api:3078"
     ports:
       - "127.0.0.1:3080:3080"
@@ -133,8 +141,14 @@ services:
       AIRFLOW__WEBSERVER__SECRET_KEY: ${AIRFLOW_SECRET_KEY:-change-me-in-prod}
       AIRFLOW__CORE__FERNET_KEY: ${AIRFLOW_FERNET_KEY:-}
       AIRFLOW__WEBSERVER__BASE_URL: ${AIRFLOW_BASE_URL:-https://o.alogins.net/airflow}
+      AIRFLOW__API__AUTH_BACKENDS: "airflow.api.auth.backend.basic_auth"
+      _PIP_ADDITIONAL_REQUIREMENTS: "mlflow==2.14.3 httpx"
+      MLFLOW_TRACKING_URI: "http://mlflow:5000/mlflow"
+      MLFLOW_TRACKING_USERNAME: "admin"
+      MLFLOW_TRACKING_PASSWORD: "${MLFLOW_ADMIN_PASSWORD:-password}"
     volumes:
       - ../../ml/pipelines:/opt/airflow/dags:ro
+      - ../../ml:/opt/airflow/ml:ro
     ports:
       - "127.0.0.1:8080:8080"
     depends_on:
@@ -155,8 +169,13 @@ services:
       AIRFLOW__DATABASE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:${AIRFLOW_DB_PASSWORD:-airflow}@airflow-db/airflow
       AIRFLOW__CORE__EXECUTOR: LocalExecutor
       AIRFLOW__CORE__FERNET_KEY: ${AIRFLOW_FERNET_KEY:-}
+      _PIP_ADDITIONAL_REQUIREMENTS: "mlflow==2.14.3 httpx"
+      MLFLOW_TRACKING_URI: "http://mlflow:5000/mlflow"
+      MLFLOW_TRACKING_USERNAME: "admin"
+      MLFLOW_TRACKING_PASSWORD: "${MLFLOW_ADMIN_PASSWORD:-password}"
     volumes:
       - ../../ml/pipelines:/opt/airflow/dags:ro
+      - ../../ml:/opt/airflow/ml:ro
     depends_on:
       airflow-init:
         condition: service_completed_successfully