vrr/Ruview
2
0
Fork 0
mirror of https://github.com/ruvnet/RuView.git synced 2026-05-17 04:19:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
Ruview/docker/Dockerfile.rust
ruv c641fc44ae feat(docker+sensing-server): refresh Docker publish + opt-in bearer-token API auth 
Closes #520, #514, #443.

## #520 / #514 — stale Docker image, missing UI assets

`ruvnet/wifi-densepose:latest` was published before `ui/observatory*` and
`ui/pose-fusion*` were added; users see /app/ui missing those files and the
v0.6+ packet format doesn't reach the server. Two fixes:

1. `docker/Dockerfile.rust` now `RUN`s a build-time guard after `COPY ui/`
   that fails the build if `index.html` / `observatory.html` / `pose-fusion.html`
   / `viz.html` (or the `observatory/` / `pose-fusion/` / `components/` /
   `services/` directories) are missing, plus an exec-bit check on
   `/app/sensing-server`. A stale image can never be silently produced again.

2. New `.github/workflows/sensing-server-docker.yml` rebuilds + pushes on
   every change to the Dockerfile, the server crate, the signal/vitals/
   wifiscan crates, the workspace manifests, the `ui/` tree, or itself —
   plus `v*` tags and manual dispatch. Pushes to both `docker.io/ruvnet/
   wifi-densepose` AND `ghcr.io/ruvnet/wifi-densepose` with `latest` +
   `vX.Y.Z` + `sha-<short>` tags, then post-push smoke-tests the artifact:
   /health, /api/v1/info, the observatory + pose-fusion HTML, AND the
   bearer-auth path (no token → 401, wrong → 401, correct → 200). Uses the
   `DOCKERHUB_USERNAME`/`DOCKERHUB_TOKEN` repo secrets; ghcr.io rides on
   the workflow's GITHUB_TOKEN.

## #443 — sensing-server REST API auth model

QE security audit raised that 40+ /api/v1/* routes have no auth layer with
a default `0.0.0.0` bind. New `wifi_densepose_sensing_server::bearer_auth`
module + middleware:

  - Env-var-gated: `RUVIEW_API_TOKEN` unset/empty ⇒ middleware is a no-op
    (current LAN-mode behaviour preserved — **no default change**); set ⇒
    every `/api/v1/*` request must carry `Authorization: Bearer <token>`
    or the server returns 401.
  - Constant-time byte compare via local `ct_eq` (no new dep).
  - `/health*`, `/ws/sensing`, and `/ui/*` are intentionally never gated
    (orchestrator probes + local browsers).
  - Startup logs which mode is active and warns when auth is ON with a
    `0.0.0.0` bind.
  - 8 unit tests on the middleware via `tower::ServiceExt::oneshot`
    (sensing-server lib tests 191 → 199, 0 failures).

Verified locally: `cargo build --workspace --no-default-features` ✓,
`cargo test -p wifi-densepose-sensing-server --no-default-features` ✓.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-13 08:52:25 -04:00

83 lines
2.9 KiB
Text
Raw Permalink Blame History

# WiFi-DensePose Rust Sensing Server
# Includes RuVector signal intelligence crates
# Multi-stage build for minimal final image
# Stage 1: Build
FROM rust:1.85-bookworm AS builder
WORKDIR /build
# Copy workspace files
COPY v2/Cargo.toml v2/Cargo.lock ./
COPY v2/crates/ ./crates/
# Copy vendored RuVector crates
COPY vendor/ruvector/ /build/vendor/ruvector/
# Build release binary
RUN cargo build --release -p wifi-densepose-sensing-server 2>&1 \
&& strip target/release/sensing-server
# Stage 2: Runtime
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Copy binary
COPY --from=builder /build/target/release/sensing-server /app/sensing-server
# Copy UI assets
COPY ui/ /app/ui/
# Sanity-check the assets the runtime actually serves (regression guard for
# #520/#514 — the published image must include the observatory and pose-fusion
# dashboards, not just the legacy `index.html` set). Build fails if any of
# these are missing, so a stale image can't be silently pushed.
RUN set -e; \
for f in /app/ui/index.html /app/ui/observatory.html /app/ui/pose-fusion.html /app/ui/viz.html; do \
test -f "$f" || { echo "FATAL: missing UI asset $f"; exit 1; }; \
done; \
for d in /app/ui/observatory /app/ui/pose-fusion /app/ui/components /app/ui/services; do \
test -d "$d" || { echo "FATAL: missing UI directory $d"; exit 1; }; \
done; \
test -x /app/sensing-server || { echo "FATAL: /app/sensing-server is not executable"; exit 1; }; \
echo "image assets OK"
# Optional bearer-token auth on /api/v1/*: leave unset for LAN-mode (default),
# set to enforce `Authorization: Bearer <token>` (see bearer_auth module, #443).
# docker run -e RUVIEW_API_TOKEN=$(openssl rand -hex 32) ...
ENV RUVIEW_API_TOKEN=
# HTTP API
EXPOSE 3000
# WebSocket
EXPOSE 3001
# ESP32 UDP
EXPOSE 5005/udp
ENV RUST_LOG=info
# CSI_SOURCE controls which data source the sensing server uses at startup.
# auto — probe UDP port 5005 for an ESP32 first; fall back to simulation (default)
# esp32 — receive real CSI frames from an ESP32 device over UDP port 5005
# wifi — use host Wi-Fi RSSI/scan data (Windows netsh; not available in containers)
# simulated — generate synthetic CSI frames (no hardware required)
# Override at runtime: docker run -e CSI_SOURCE=esp32 ...
ENV CSI_SOURCE=auto
# MODELS_DIR controls where the server scans for .rvf model files.
# Mount a host directory here to make models visible to the API:
# docker run -v /path/to/models:/app/models -e MODELS_DIR=/app/models ...
ENV MODELS_DIR=data/models
COPY docker/docker-entrypoint.sh /app/docker-entrypoint.sh
# Exec-form ENTRYPOINT so Docker appends user arguments correctly.
# Pass flags directly: docker run <image> --source esp32 --tick-ms 500
# Or use env vars: docker run -e CSI_SOURCE=esp32 <image>
ENTRYPOINT ["/app/docker-entrypoint.sh"]
CMD []
Reference in a new issue View git blame Copy permalink