Slim docker build with better traffic control and gpu attestations

.dockerignore

@@ -0,0 +1,21 @@
+.venv/
+.pytest_cache/
+.mypy_cache/
+__pycache__/
+*.pyc
+*.pyo
+*.pyd
+
+.git/
+.github/
+
+tests/
+docs/
+redis/
+verifiers/
+
+*.log
+attestation_sdk.log
+verifier.log
+poetry.lock
+pyproject.toml

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches: ["**"]
+    tags-ignore: ["v*"]
+  pull_request:
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v4
+        with:
+          enable-cache: true
+
+      - name: Install dependencies
+        run: |
+          UV_NO_MANAGED_PYTHON=1 UV_PYTHON_DOWNLOADS=never uv venv -p python
+          uv pip install --python .venv/bin/python -r requirements.txt -r test-requirements.txt
+
+      - name: Run tests
+        run: ./run_tests.sh

README.md

@@ -10,11 +10,14 @@ A proxy for vLLM.
 ## Run for development
 
 ```bash
-# Run production server
-uvicorn main:app --host 0.0.0.0 --reload
+# Run with Uvicorn
+PYTHONPATH=src uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
 
-# Run development server
-fastapi dev main.py --host 0.0.0.0
+# Or run via the local runner (uses the project logging config)
+PYTHONPATH=src python src/run.py
+
+# FastAPI dev server (optional)
+PYTHONPATH=src fastapi dev src/app/main.py --host 0.0.0.0 --port 8000
 ```
 
 
@@ -23,7 +26,11 @@ fastapi dev main.py --host 0.0.0.0
 ### Build for production
 
 ```bash
-bash docker/build.sh
+# Minimal image (recommended)
+bash docker/build.sh vllm-proxy:latest runtime
+
+# Includes nv-ppcie-verifier in an isolated venv for GPU evidence collection
+bash docker/build.sh vllm-proxy:gpu runtime-gpu
 ```
 
 ### Run for production
@@ -33,15 +40,24 @@ cd docker
 docker compose up -d
 ```
 
+### GPU evidence collection
+
+The minimal image does not include `nv-ppcie-verifier` (it conflicts with the main app dependencies). Use the `runtime-gpu` image, or provide a separate Python environment and set `GPU_EVIDENCE_PYTHON` to its interpreter:
+
+```bash
+UV_NO_MANAGED_PYTHON=1 UV_PYTHON_DOWNLOADS=never uv venv .venv-ppcie -p python3
+uv pip install --python .venv-ppcie/bin/python -r requirements-gpu.txt
+export GPU_EVIDENCE_PYTHON="$PWD/.venv-ppcie/bin/python"
+```
+
 ## Tests
 
 ### Quick Start
 
 ```bash
-python3 -m venv .venv
-. .venv/bin/activate
-pip install -r requirements.txt
-pip install -r test-requirements.txt
+# Preferred: uv
+UV_NO_MANAGED_PYTHON=1 UV_PYTHON_DOWNLOADS=never uv venv -p python3
+uv pip install --python .venv/bin/python -r requirements.txt -r test-requirements.txt
 ./run_tests.sh
 ```
 

docker/Dockerfile

@@ -1,19 +1,65 @@
-# GPU quote requires pynvml, which requires cuda, so use vllm image instead of python3
-FROM vllm/vllm-openai:v0.9.1
+# syntax=docker/dockerfile:1.7
 
-# Install dependencies
-WORKDIR /tmp
+# The proxy talks to a separate vLLM server; it doesn't need the multi-GB vLLM runtime image.
+# Keep the image small by using a slim Python base + venv, and rely on the NVIDIA runtime to
+# mount driver libraries (e.g., NVML) when GPU features are enabled.
+FROM python:3.12-slim-bookworm AS builder
+
+ARG UV_VERSION=0.9.17
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    UV_NO_MANAGED_PYTHON=1 \
+    UV_PYTHON_DOWNLOADS=never \
+    UV_LINK_MODE=copy
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN python -m pip install --no-cache-dir --upgrade pip \
+    && python -m pip install --no-cache-dir "uv==${UV_VERSION}"
 
-# Install packages via requirements.txt instead of poetry
-# because of nv-ppcie-verifier requires some old version packages,
-# which is not compatible with lots of current dependencies.
+ENV VIRTUAL_ENV=/opt/venv
+RUN python -m venv "$VIRTUAL_ENV"
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+WORKDIR /tmp
 COPY requirements.txt ./
-RUN pip install --no-cache-dir --upgrade -r requirements.txt \
-    && rm -rf requirements.txt
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --strict -r requirements.txt
+
+FROM builder AS gpu-builder
+
+ENV VIRTUAL_ENV=/opt/ppcie-venv
+RUN python -m venv "$VIRTUAL_ENV"
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
+WORKDIR /tmp
+COPY requirements-gpu.txt ./
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --strict -r requirements-gpu.txt
+
+FROM python:3.12-slim-bookworm AS runtime
+
+ENV VIRTUAL_ENV=/opt/venv \
+    PATH="/opt/venv/bin:$PATH" \
+    PYTHONUNBUFFERED=1
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
 
-# Copy source code
 WORKDIR /app
+COPY --from=builder /opt/venv /opt/venv
 COPY src ./
-EXPOSE 8000
 
+EXPOSE 8000
 ENTRYPOINT ["./entrypoint.sh"]
+
+FROM runtime AS runtime-gpu
+COPY --from=gpu-builder /opt/ppcie-venv /opt/ppcie-venv
+ENV GPU_EVIDENCE_PYTHON=/opt/ppcie-venv/bin/python
+ENV NVIDIA_VISIBLE_DEVICES=all
+ENV NVIDIA_DRIVER_CAPABILITIES=compute,utility

docker/build.sh

@@ -1,13 +1,18 @@
 #!/bin/bash
 
+set -euo pipefail
+
 # Default image name
 IMAGE=${1:-vllm-proxy:latest}
+TARGET=${2:-runtime}
 
 echo "Image: $IMAGE"
+echo "Target: $TARGET"
 
 # Build the Docker image with the specified version
 docker build \
     --no-cache \
     -f docker/Dockerfile \
-    -t $IMAGE \
+    --target "$TARGET" \
+    -t "$IMAGE" \
     .

docs/TESTING.md

@@ -4,14 +4,12 @@
 
 1. Create and activate a Python virtual environment:
 ```bash
-python3 -m venv .venv
-. .venv/bin/activate
+UV_NO_MANAGED_PYTHON=1 UV_PYTHON_DOWNLOADS=never uv venv -p python3
 ```
 
 2. Install dependencies:
 ```bash
-pip install -r requirements.txt
-pip install -r test-requirements.txt
+uv pip install --python .venv/bin/python -r requirements.txt -r test-requirements.txt
 ```
 
 ## Running Tests
@@ -25,8 +23,7 @@ Use the provided test runner script:
 
 Or run manually:
 ```bash
-. .venv/bin/activate
-PYTHONPATH=src python -m pytest tests/ -v
+PYTHONPATH=src .venv/bin/python -m pytest tests/ -v
 ```
 
 Environment variables are automatically set by `tests/conftest.py`.
@@ -37,7 +34,7 @@ Environment variables are automatically set by `tests/conftest.py`.
 **Run a specific test file:**
 ```bash
 ./run_tests.sh tests/app/test_openai.py
-# Expands to: PYTHONPATH=src python -m pytest tests/ -v tests/app/test_openai.py
+# Expands to: PYTHONPATH=src .venv/bin/python -m pytest tests/ -v tests/app/test_openai.py
 ```
 
 **Run a specific test function:**
@@ -108,9 +105,7 @@ The test suite is designed to run in CI environments without special hardware:
 # Example GitHub Actions workflow
 - name: Run tests
   run: |
-    python3 -m venv .venv
-    . .venv/bin/activate
-    pip install -r requirements.txt
-    pip install -r test-requirements.txt
+    UV_NO_MANAGED_PYTHON=1 UV_PYTHON_DOWNLOADS=never uv venv -p python3
+    uv pip install --python .venv/bin/python -r requirements.txt -r test-requirements.txt
     ./run_tests.sh
-```
+```