feat: add docker compose support

[FammasMaz]

Easier deployments on servers. Defaulted to the same 8000 port.

---

Important

Adds Docker support with a Dockerfile and docker-compose.yml for easier deployments, including a .dockerignore to exclude unnecessary files.

• Docker Support:
  • Adds Dockerfile to set up a Python 3.11 environment, install dependencies, and run the application on port 8000.
  • Adds docker-compose.yml to define llm-proxy service, exposing port 8000, with volume mounts for .env, oauth_creds, and logs.
  • Includes health check for llm-proxy service to ensure availability.
• .dockerignore:
  • Adds .dockerignore to exclude unnecessary files and directories such as .git, __pycache__, .env, logs/, and oauth_creds/ from Docker context.

^{This description was created by for 897d1b8. You can customize this summary. It will automatically update as commits are pushed.}

[mirrobot-agent]

Starting my review of the Docker Compose support addition. I'll analyze the Dockerfile, docker-compose.yml, and .dockerignore configurations for security, best practices, and potential deployment issues.

[mirrobot-agent]

Overall Assessment

This PR adds Docker Compose support with a well-structured multi-stage Dockerfile, appropriate docker-compose.yml configuration, and a comprehensive .dockerignore. The implementation follows good practices overall—multi-stage builds reduce image size, volume mounts handle persistent data correctly, and the read-only .env mount is a nice security touch.

Key Feedback

Priority	Issue
🔴 Should Fix	Port mismatch: EXPOSE 8317 vs actual port 8000
🟡 Consider	Add non-root user for production security

What's Done Well

• Multi-stage Docker build properly separates build-time dependencies from the production image
• Volume mounts for oauth_creds, logs, and .env handle persistent data appropriately
• The .dockerignore correctly excludes sensitive files (.env, credentials) and build artifacts
• Health check is functional and has reasonable timing parameters
• PYTHONUNBUFFERED=1 ensures proper log output in containerized environments

Minor Notes (Not Blocking)

• The PR description mentions "defaulted to the same 8000 port" which is correct for docker-compose, but the Dockerfile's EXPOSE should match
• The health check using Python's urllib is unconventional but functional; no change needed

Questions for the Author

• Is there documentation planned for setting up the required .env file before running docker-compose up?
• Any plans to add a .env.docker.example or update the deployment guide?

This review was generated by an AI assistant.

[Copilot]

Pull request overview

This PR adds Docker and Docker Compose support to simplify deployment of the LLM API proxy on servers. The implementation includes a multi-stage Dockerfile for optimized image builds and a docker-compose.yml configuration that manages the application with volume mounts for configuration files, logs, and OAuth credentials. The setup maintains the application's default port 8000 and includes health checks for container monitoring.

Key changes:

• Multi-stage Docker build with separate builder and production stages for smaller final images
• Docker Compose configuration with volume mounts for .env, logs, and oauth_creds directories
• Health check endpoint monitoring and proper environment variable configuration for containerized deployments

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
Dockerfile	Multi-stage build configuration with Python 3.11-slim base, installs dependencies and application code with optimizations for production deployment
docker-compose.yml	Service definition for the llm-proxy container including port mappings, volume mounts, environment variables, and health checks
.dockerignore	Excludes unnecessary files from the Docker build context (git files, Python cache, IDEs, logs, credentials, and documentation)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Port mismatch: The EXPOSE instruction specifies port 8317, but the CMD at line 46 uses port 8000. This should be 8000 to match the application's default port and the docker-compose.yml configuration.

[Copilot]

The .env file is excluded in .dockerignore (line 11), which means it won't be present in the Docker image build context. This volume mount will fail if .env doesn't exist on the host. Consider adding a note in comments or documentation that users need to create .env from .env.example before running docker-compose.

Suggested change

	# Mount .env files for configuration
	# Mount .env files for configuration
	# NOTE: You must create a .env file on the host before running docker-compose.
	# Copy or rename .env.example to .env and update values as needed.

[Copilot]

The editable install (-e src/rotator_library in requirements.txt) in a multi-stage build can be problematic. The builder stage creates path references to /app/src/rotator_library, and while the production stage copies both the installed packages (line 26) and source (line 32) at the same paths, this adds complexity. Consider using a regular (non-editable) install for Docker builds by creating a separate requirements-docker.txt that lists src/rotator_library instead of -e src/rotator_library, or by running pip install --no-cache-dir --user src/rotator_library directly.

Suggested change

	# Copy the local rotator_library for editable install
	COPY src/rotator_library ./src/rotator_library
	# Install dependencies
	RUN pip install --no-cache-dir --user -r requirements.txt
	# Copy the local rotator_library for installation
	COPY src/rotator_library ./src/rotator_library
	# Install dependencies (requirements.txt should NOT include -e src/rotator_library)
	RUN pip install --no-cache-dir --user -r requirements.txt && pip install --no-cache-dir --user ./src/rotator_library

[Copilot]

[nitpick] Consider adding a comment at the top of the file documenting: 1) Prerequisites (e.g., "Create .env from .env.example before running"), 2) How to start the service (docker-compose up -d), and 3) How to view logs (docker-compose logs -f). This would improve the developer experience for first-time users.

[Copilot]

[nitpick] Consider pinning the gcc version or using build-essential for more complete build dependencies. While gcc alone works for most Python packages, some might need additional build tools. For example: build-essential or gcc g++ for C++ extensions.

Suggested change

	gcc \
	build-essential \

[Copilot]

The container is configured to run as the default root user (FROM python:3.11-slim with dependencies installed under /root/.local and no USER directive), which means any remote code execution in proxy_app would immediately yield root-level access inside the container and to any mounted volumes (e.g., OAuth credentials). To reduce impact from a compromise, create a dedicated non-root user, install dependencies into that user’s home, set ownership on /app, logs, and oauth_creds, and add a USER directive so the app runs with least privilege. For example:

RUN useradd -m appuser \
  && chown -R appuser:appuser /app
USER appuser

and adjust install paths accordingly.

[Mirrowel]

I can't test with docker myself much, and i really need to merge antigravity branch to main. So, if you want to pursue this - refine it a bit if needed and PR against main. @FammasMaz