fix: Add ICR auth for Trivy scans, improve error handling, optimize disk usage

Dockerfile.codeengine

@@ -3,25 +3,30 @@
 FROM python:3.12-slim AS builder
 
 # Pre-configure poetry to install to system Python
+# Set environment variables to force CPU-only mode (prevents CUDA dependencies)
 ENV PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     POETRY_VERSION=2.1.3 \
     POETRY_HOME="/opt/poetry" \
     POETRY_VIRTUALENVS_IN_PROJECT=false \
     POETRY_VIRTUALENVS_CREATE=false \
     POETRY_NO_INTERACTION=1 \
-    POETRY_CACHE_DIR="/opt/poetry/cache"
+    POETRY_CACHE_DIR="/opt/poetry/cache" \
+    CUDA_VISIBLE_DEVICES="" \
+    FORCE_CPU=1 \
+    TORCH_CUDA_ARCH_LIST=""
 
 ENV PATH="$POETRY_HOME/bin:$PATH"
 
 # Install system dependencies
 RUN apt-get update && \
-    apt-get install -y build-essential curl && \
+    apt-get install -y --no-install-recommends build-essential curl && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
 # Install Rust and poetry
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && . $HOME/.cargo/env \
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y && . "$HOME/.cargo/env" \
     && curl -sSL https://install.python-poetry.org | python3 -
 
 # Add Rust to PATH
@@ -37,35 +42,48 @@ ARG POETRY_ROOT_MIGRATION=20251027
 # Poetry config moved from backend/ to project root
 COPY pyproject.toml poetry.lock ./
 
-        # Install CPU-only PyTorch first to avoid CUDA dependencies (~6GB savings)
-        # Using torch 2.6.0 CPU-only version (compatible with ARM64 and x86_64)
-        # Note: torchvision doesn't have +cpu builds, use regular version
-        RUN --mount=type=cache,target=/root/.cache/pip \
-            pip install --no-cache-dir \
-            torch==2.6.0+cpu \
-            --index-url https://download.pytorch.org/whl/cpu && \
-            pip install --no-cache-dir torchvision==0.21.0
-
-# Configure pip globally to prevent any CUDA torch reinstalls
-RUN pip config set global.extra-index-url https://download.pytorch.org/whl/cpu
-
-# Install docling without dependencies first (prevents CUDA torch pull)
+# Install CPU-only PyTorch first to avoid CUDA dependencies (~6GB savings)
+# Using torch 2.6.0 CPU-only version (compatible with ARM64 and x86_64)
+# Note: torchvision doesn't have +cpu builds, use regular version
 RUN --mount=type=cache,target=/root/.cache/pip \
-    pip install --no-cache-dir --no-deps docling
+    pip install --no-cache-dir \
+    torch==2.6.0+cpu \
+    --index-url https://download.pytorch.org/whl/cpu && \
+    pip install --no-cache-dir torchvision==0.21.0
 
-# Now install all dependencies via Poetry, which will:
-# - Skip torch/torchvision (already installed)
-# - Skip docling (already installed)
-# - Install everything else
+# Install CPU-only transformers and sentence-transformers BEFORE docling
+# These are dependencies of docling and might pull CUDA versions
 RUN --mount=type=cache,target=/root/.cache/pip \
-    --mount=type=cache,target=/root/.cache/pypoetry \
-    poetry install --only main --no-root --no-cache
-
-# Clean up system Python installation
+    pip install --no-cache-dir \
+    transformers==4.46.0 \
+    sentence-transformers==5.1.2 \
+    --index-url https://download.pytorch.org/whl/cpu \
+    --extra-index-url https://pypi.org/simple
+
+# Configure pip globally to ONLY use CPU torch index
+# This prevents any package from pulling CUDA versions
+RUN pip config set global.index-url https://download.pytorch.org/whl/cpu && \
+    pip config set global.extra-index-url https://pypi.org/simple
+
+# Use Poetry to install dependencies directly (skipping torch/torchvision/transformers/sentence-transformers)
+# Poetry will respect the already-installed CPU-only packages
+RUN poetry install --only main --no-root --no-interaction && \
+    # Verify we still have CPU-only torch
+    python -c "import torch; assert not torch.cuda.is_available(), 'CUDA torch detected!'; print('✓ CPU-only torch confirmed')" && \
+    # Verify no CUDA libraries are installed
+    python -c "import sys; import subprocess; result = subprocess.run(['find', '/usr/local/lib/python3.12/site-packages', '-name', '*cuda*', '-o', '-name', '*nvidia*'], capture_output=True, text=True); assert not result.stdout.strip(), f'CUDA/NVIDIA libraries found: {result.stdout}'; print('✓ No CUDA/NVIDIA libraries detected')"
+
+# Clean up system Python installation - more aggressive cleanup
 RUN find /usr/local -name "*.pyc" -delete && \
     find /usr/local -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true && \
     find /usr/local -name "tests" -type d -exec rm -rf {} + 2>/dev/null || true && \
-    find /usr/local -name "*.egg-info" -type d -exec rm -rf {} + 2>/dev/null || true
+    find /usr/local -name "test" -type d -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/local -name "*.egg-info" -type d -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/local -name "*.dist-info" -type d -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/local -name "*.so.*" ! -name "*.so" -delete 2>/dev/null || true && \
+    find /usr/local -name "*.a" -delete 2>/dev/null || true && \
+    rm -rf /root/.cache/pip /root/.cache/pypoetry /opt/poetry/cache 2>/dev/null || true && \
+    rm -rf /root/.cargo/registry /root/.cargo/git 2>/dev/null || true
 
 # Final stage - clean runtime
 FROM python:3.12-slim

backend/Dockerfile.backend

@@ -45,14 +45,16 @@ COPY pyproject.toml poetry.lock ./
 # https://github.com/docling-project/docling/blob/main/Dockerfile
 # Note: We normalize dependency strings by removing spaces before parentheses
 # (e.g., "psutil (>=7.0.0,<8.0.0)" -> "psutil>=7.0.0,<8.0.0")
+# and handle extras syntax (e.g., "pydantic[email]>=2.8.2" -> "pydantic[email]>=2.8.2")
 RUN --mount=type=cache,target=/root/.cache/pip \
-    python -c "import tomllib; f=open('pyproject.toml','rb'); data=tomllib.load(f); deps = data['project']['dependencies']; print('\n'.join(d.replace(' (', '').replace(')', '') for d in deps))" | \
+    python -c "import tomllib; f=open('pyproject.toml','rb'); data=tomllib.load(f); deps = data['project']['dependencies']; print('\n'.join(d.replace(' (', '(').replace(') ', ')') if '[' in d else d.replace(' (', '').replace(')', '') for d in deps))" | \
     xargs pip install --no-cache-dir --extra-index-url https://download.pytorch.org/whl/cpu
 
 # Clean up system Python installation
+# IMPORTANT: Preserve numpy._core.tests - it's a required module, not test code
 RUN find /usr/local -name "*.pyc" -delete && \
     find /usr/local -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true && \
-    find /usr/local -name "tests" -type d -exec rm -rf {} + 2>/dev/null || true && \
+    find /usr/local -name "tests" -type d ! -path "*/numpy/*" -exec rm -rf {} + 2>/dev/null || true && \
     find /usr/local -name "*.egg-info" -type d -exec rm -rf {} + 2>/dev/null || true
 
 # Final stage - clean runtime