fix: downgrade to PaddleOCR 2.x for CPU stability

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix: force-disable oneDNN for PaddlePaddle 3.x
2026-03-13 19:13:41 +01:00 · 2026-03-13 19:01:55 +01:00 · 2026-03-13 18:54:28 +01:00 · 2026-03-13 18:37:47 +01:00 · 2026-03-13 18:31:25 +01:00 · 2026-03-13 18:08:15 +01:00
11 changed files with 447 additions and 111 deletions
--- a/.env.coolify.example
+++ b/.env.coolify.example
@@ -0,0 +1,65 @@
+# =========================================================
+# BreakPilot Core — Coolify Environment Variables
+# =========================================================
+# Copy these into Coolify's environment variable UI
+# for the breakpilot-core Docker Compose resource.
+# =========================================================
+
+# --- External PostgreSQL (Coolify-managed) ---
+POSTGRES_HOST=<coolify-postgres-hostname>
+POSTGRES_PORT=5432
+POSTGRES_USER=breakpilot
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD
+POSTGRES_DB=breakpilot_db
+
+# --- Security ---
+JWT_SECRET=CHANGE_ME_RANDOM_64_CHARS
+JWT_REFRESH_SECRET=CHANGE_ME_ANOTHER_RANDOM_64_CHARS
+INTERNAL_API_KEY=CHANGE_ME_INTERNAL_KEY
+
+# --- External S3 Storage ---
+S3_ENDPOINT=<s3-endpoint-host:port>
+S3_ACCESS_KEY=CHANGE_ME_S3_ACCESS_KEY
+S3_SECRET_KEY=CHANGE_ME_S3_SECRET_KEY
+S3_BUCKET=breakpilot-rag
+S3_SECURE=true
+
+# --- External Qdrant (Coolify-managed) ---
+QDRANT_URL=http://<coolify-qdrant-hostname>:6333
+QDRANT_API_KEY=
+
+# --- SMTP (Real mail server) ---
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USERNAME=noreply@breakpilot.ai
+SMTP_PASSWORD=CHANGE_ME_SMTP_PASSWORD
+SMTP_FROM_NAME=BreakPilot
+SMTP_FROM_ADDR=noreply@breakpilot.ai
+
+# --- Session ---
+SESSION_TTL_HOURS=24
+
+# --- Frontend URLs (build args) ---
+NEXT_PUBLIC_CORE_API_URL=https://api-core.breakpilot.ai
+FRONTEND_URL=https://www.breakpilot.ai
+
+# --- Stripe (Billing) ---
+STRIPE_SECRET_KEY=
+STRIPE_WEBHOOK_SECRET=
+STRIPE_PUBLISHABLE_KEY=
+BILLING_SUCCESS_URL=https://www.breakpilot.ai/billing/success
+BILLING_CANCEL_URL=https://www.breakpilot.ai/billing/cancel
+TRIAL_PERIOD_DAYS=14
+
+# --- Embedding Service ---
+EMBEDDING_BACKEND=local
+LOCAL_EMBEDDING_MODEL=BAAI/bge-m3
+LOCAL_RERANKER_MODEL=cross-encoder/ms-marco-MiniLM-L-6-v2
+PDF_EXTRACTION_BACKEND=pymupdf
+OPENAI_API_KEY=
+COHERE_API_KEY=
+LOG_LEVEL=INFO
+
+# --- Ollama (optional, for RAG embeddings) ---
+OLLAMA_URL=
+OLLAMA_EMBED_MODEL=bge-m3
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -140,117 +140,20 @@ jobs:
          python -m pytest tests/bqas/ -v --tb=short || true

  # ========================================
-  # Build & Deploy auf Hetzner (nur main, kein PR)
+  # Deploy via Coolify (nur main, kein PR)
  # ========================================

-  deploy-hetzner:
+  deploy-coolify:
+    name: Deploy
    runs-on: docker
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - test-go-consent
-    container: docker:27-cli
+    container:
+      image: alpine:latest
    steps:
-      - name: Deploy
+      - name: Trigger Coolify deploy
        run: |
-          set -euo pipefail
-          DEPLOY_DIR="/opt/breakpilot-core"
-          COMPOSE_FILES="-f docker-compose.yml -f docker-compose.hetzner.yml"
-          COMMIT_SHA="${GITHUB_SHA:-unknown}"
-          SHORT_SHA="${COMMIT_SHA:0:8}"
-          REPO_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
-
-          # Services die deployed werden
-          SERVICES="postgres valkey qdrant minio ollama mailpit embedding-service rag-service backend-core consent-service health-aggregator"
-
-          echo "=== BreakPilot Core Deploy ==="
-          echo "Commit: ${SHORT_SHA}"
-          echo "Deploy Dir: ${DEPLOY_DIR}"
-          echo "Services: ${SERVICES}"
-          echo ""
-
-          # 1. Repo auf dem Host erstellen/aktualisieren via Helper-Container
-          echo "=== Updating code on host ==="
-          docker run --rm \
-            -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
-            --entrypoint sh \
-            alpine/git:latest \
-            -c "
-              if [ ! -d '${DEPLOY_DIR}/.git' ]; then
-                echo 'Erstmaliges Klonen nach ${DEPLOY_DIR}...'
-                git clone '${REPO_URL}' '${DEPLOY_DIR}'
-              else
-                cd '${DEPLOY_DIR}'
-                git fetch origin main
-                git reset --hard origin/main
-              fi
-            "
-          echo "Code aktualisiert auf ${SHORT_SHA}"
-
-          # 2. .env sicherstellen
-          docker run --rm -v "${DEPLOY_DIR}:${DEPLOY_DIR}" alpine \
-            sh -c "
-              if [ ! -f '${DEPLOY_DIR}/.env' ]; then
-                echo 'WARNUNG: ${DEPLOY_DIR}/.env fehlt!'
-                echo 'Erstelle .env aus .env.example mit Defaults...'
-                if [ -f '${DEPLOY_DIR}/.env.example' ]; then
-                  cp '${DEPLOY_DIR}/.env.example' '${DEPLOY_DIR}/.env'
-                  echo '.env aus .env.example erstellt'
-                else
-                  echo 'Kein .env.example gefunden — Services starten mit Defaults'
-                fi
-              else
-                echo '.env vorhanden'
-              fi
-            "
-
-          # 3. Shared Network erstellen (falls noch nicht vorhanden)
-          docker network create breakpilot-network 2>/dev/null || true
-
-          # 4. Build + Deploy via Helper-Container
-          echo ""
-          echo "=== Building + Deploying ==="
-          docker run --rm \
-            -v /var/run/docker.sock:/var/run/docker.sock \
-            -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
-            -w "${DEPLOY_DIR}" \
-            docker:27-cli \
-            sh -c "
-              set -e
-              COMPOSE_FILES='-f docker-compose.yml -f docker-compose.hetzner.yml'
-
-              echo '=== Building Docker Images ==='
-              docker compose \${COMPOSE_FILES} build --parallel \
-                backend-core consent-service rag-service embedding-service health-aggregator
-
-              echo ''
-              echo '=== Starting infrastructure ==='
-              docker compose \${COMPOSE_FILES} up -d postgres valkey qdrant minio mailpit
-
-              echo 'Warte auf DB + Cache...'
-              sleep 10
-
-              echo ''
-              echo '=== Starting Ollama + pulling bge-m3 ==='
-              docker compose \${COMPOSE_FILES} up -d ollama
-              sleep 5
-
-              # bge-m3 Modell pullen (nur beim ersten Mal ~670MB)
-              echo 'Pulling bge-m3 model (falls noch nicht vorhanden)...'
-              docker exec bp-core-ollama ollama pull bge-m3 2>&1 || echo 'WARNUNG: bge-m3 pull fehlgeschlagen (wird spaeter nachgeholt)'
-
-              echo ''
-              echo '=== Starting application services ==='
-              docker compose \${COMPOSE_FILES} up -d \
-                embedding-service rag-service backend-core consent-service health-aggregator
-
-              echo ''
-              echo '=== Health Checks ==='
-              sleep 15
-              for svc in bp-core-postgres bp-core-valkey bp-core-qdrant bp-core-ollama bp-core-embedding-service bp-core-rag-service bp-core-backend bp-core-consent-service bp-core-health; do
-                STATUS=\$(docker inspect --format='{{.State.Status}}' \"\${svc}\" 2>/dev/null || echo 'not found')
-                echo \"\${svc}: \${STATUS}\"
-              done
-            "
-
-          echo ""
-          echo "=== Deploy abgeschlossen: ${SHORT_SHA} ==="
+          apk add --no-cache curl
+          curl -sf "${{ secrets.COOLIFY_WEBHOOK }}" \
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_TOKEN }}"
--- a/.gitea/workflows/deploy-coolify.yml
+++ b/.gitea/workflows/deploy-coolify.yml
@@ -0,0 +1,29 @@
+name: Deploy to Coolify
+
+on:
+  push:
+    branches:
+      - coolify
+
+jobs:
+  deploy:
+    runs-on: docker
+    container: alpine:latest
+    steps:
+      - name: Deploy via Coolify API
+        run: |
+          apk add --no-cache curl
+          echo "Deploying breakpilot-core to Coolify..."
+          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
+            -X POST \
+            -H "Authorization: Bearer ${{ secrets.COOLIFY_API_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d '{"uuid": "${{ secrets.COOLIFY_RESOURCE_UUID }}", "force_rebuild": true}' \
+            "${{ secrets.COOLIFY_BASE_URL }}/api/v1/deploy")
+
+          echo "HTTP Status: $HTTP_STATUS"
+          if [ "$HTTP_STATUS" -ne 200 ] && [ "$HTTP_STATUS" -ne 201 ]; then
+            echo "Deployment failed with status $HTTP_STATUS"
+            exit 1
+          fi
+          echo "Deployment triggered successfully!"
--- a/admin-core/Dockerfile
+++ b/admin-core/Dockerfile
@@ -18,6 +18,9 @@ ARG NEXT_PUBLIC_API_URL
 # Set environment variables for build
 ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL

+# Ensure public directory exists
+RUN mkdir -p public
+
 # Build the application
 RUN npm run build

@@ -30,8 +33,8 @@ WORKDIR /app
 ENV NODE_ENV=production

 # Create non-root user
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nextjs
+RUN addgroup -S -g 1001 nodejs
+RUN adduser -S -u 1001 -G nodejs nextjs

 # Copy built assets
 COPY --from=builder /app/public ./public
--- a/backend-core/Dockerfile
+++ b/backend-core/Dockerfile
@@ -43,11 +43,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

 # Install DevSecOps tools (gitleaks, trivy, grype, syft)
-ARG TARGETARCH=arm64
+ARG TARGETARCH
 RUN set -eux; \
+    ARCH="${TARGETARCH:-$(dpkg --print-architecture)}"; \
    # Gitleaks
    GITLEAKS_VERSION=8.21.2; \
-    if [ "$TARGETARCH" = "arm64" ]; then GITLEAKS_ARCH=arm64; else GITLEAKS_ARCH=x64; fi; \
+    if [ "$ARCH" = "arm64" ]; then GITLEAKS_ARCH=arm64; else GITLEAKS_ARCH=x64; fi; \
    curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_${GITLEAKS_ARCH}.tar.gz" \
      | tar xz -C /usr/local/bin gitleaks; \
    # Trivy
--- a/docker-compose.coolify.yml
+++ b/docker-compose.coolify.yml
@@ -0,0 +1,197 @@
+# =========================================================
+# BreakPilot Core — Shared Infrastructure (Coolify)
+# =========================================================
+# Deployed via Coolify. SSL termination handled by Traefik.
+# External services (managed separately in Coolify):
+#   - PostgreSQL (PostGIS), Qdrant, S3-compatible storage
+# Network: breakpilot-network (shared across all 3 repos)
+# =========================================================
+
+networks:
+  breakpilot-network:
+    name: breakpilot-network
+    driver: bridge
+
+volumes:
+  valkey_data:
+  embedding_models:
+  paddleocr_models:
+
+services:
+
+  # =========================================================
+  # CACHE
+  # =========================================================
+  valkey:
+    image: valkey/valkey:8-alpine
+    container_name: bp-core-valkey
+    volumes:
+      - valkey_data:/data
+    command: valkey-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
+    healthcheck:
+      test: ["CMD", "valkey-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
+  # =========================================================
+  # SHARED SERVICES
+  # =========================================================
+  consent-service:
+    build:
+      context: ./consent-service
+      dockerfile: Dockerfile
+    container_name: bp-core-consent-service
+    expose:
+      - "8081"
+    environment:
+      DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT:-5432}/${POSTGRES_DB}
+      JWT_SECRET: ${JWT_SECRET}
+      JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET}
+      PORT: 8081
+      ENVIRONMENT: production
+      ALLOWED_ORIGINS: "*"
+      VALKEY_URL: redis://valkey:6379/0
+      SESSION_TTL_HOURS: ${SESSION_TTL_HOURS:-24}
+      SMTP_HOST: ${SMTP_HOST}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USERNAME: ${SMTP_USERNAME}
+      SMTP_PASSWORD: ${SMTP_PASSWORD}
+      SMTP_FROM_NAME: ${SMTP_FROM_NAME:-BreakPilot}
+      SMTP_FROM_ADDR: ${SMTP_FROM_ADDR:-noreply@breakpilot.ai}
+      FRONTEND_URL: ${FRONTEND_URL:-https://www.breakpilot.ai}
+    depends_on:
+      valkey:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:8081/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 15s
+      retries: 3
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
+  # =========================================================
+  # RAG & EMBEDDING SERVICES
+  # =========================================================
+  rag-service:
+    build:
+      context: ./rag-service
+      dockerfile: Dockerfile
+    container_name: bp-core-rag-service
+    expose:
+      - "8097"
+    environment:
+      PORT: 8097
+      QDRANT_URL: ${QDRANT_URL}
+      QDRANT_API_KEY: ${QDRANT_API_KEY:-}
+      MINIO_ENDPOINT: ${S3_ENDPOINT}
+      MINIO_ACCESS_KEY: ${S3_ACCESS_KEY}
+      MINIO_SECRET_KEY: ${S3_SECRET_KEY}
+      MINIO_BUCKET: ${S3_BUCKET:-breakpilot-rag}
+      MINIO_SECURE: ${S3_SECURE:-true}
+      EMBEDDING_SERVICE_URL: http://embedding-service:8087
+      OLLAMA_URL: ${OLLAMA_URL:-}
+      OLLAMA_EMBED_MODEL: ${OLLAMA_EMBED_MODEL:-bge-m3}
+      JWT_SECRET: ${JWT_SECRET}
+      ENVIRONMENT: production
+    depends_on:
+      embedding-service:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8097/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 15s
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
+  embedding-service:
+    build:
+      context: ./embedding-service
+      dockerfile: Dockerfile
+    container_name: bp-core-embedding-service
+    volumes:
+      - embedding_models:/root/.cache/huggingface
+    environment:
+      EMBEDDING_BACKEND: ${EMBEDDING_BACKEND:-local}
+      LOCAL_EMBEDDING_MODEL: ${LOCAL_EMBEDDING_MODEL:-BAAI/bge-m3}
+      LOCAL_RERANKER_MODEL: ${LOCAL_RERANKER_MODEL:-cross-encoder/ms-marco-MiniLM-L-6-v2}
+      PDF_EXTRACTION_BACKEND: ${PDF_EXTRACTION_BACKEND:-pymupdf}
+      OPENAI_API_KEY: ${OPENAI_API_KEY:-}
+      COHERE_API_KEY: ${COHERE_API_KEY:-}
+      LOG_LEVEL: ${LOG_LEVEL:-INFO}
+    deploy:
+      resources:
+        limits:
+          memory: 8G
+    healthcheck:
+      test: ["CMD", "python", "-c", "import httpx; r=httpx.get('http://127.0.0.1:8087/health'); r.raise_for_status()"]
+      interval: 30s
+      timeout: 10s
+      start_period: 120s
+      retries: 3
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
+  # =========================================================
+  # OCR SERVICE (PaddleOCR PP-OCRv5)
+  # =========================================================
+  paddleocr-service:
+    build:
+      context: ./paddleocr-service
+      dockerfile: Dockerfile
+    container_name: bp-core-paddleocr
+    expose:
+      - "8095"
+    environment:
+      PADDLEOCR_API_KEY: ${PADDLEOCR_API_KEY:-}
+      FLAGS_use_mkldnn: "0"
+    volumes:
+      - paddleocr_models:/root/.paddleocr
+    labels:
+      - "traefik.http.services.paddleocr.loadbalancer.server.port=8095"
+    deploy:
+      resources:
+        limits:
+          memory: 6G
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8095/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 300s
+      retries: 5
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
+  # =========================================================
+  # HEALTH AGGREGATOR
+  # =========================================================
+  health-aggregator:
+    build:
+      context: ./scripts
+      dockerfile: Dockerfile.health
+    container_name: bp-core-health
+    expose:
+      - "8099"
+    environment:
+      PORT: 8099
+      CHECK_SERVICES: "valkey:6379,consent-service:8081,rag-service:8097,embedding-service:8087,paddleocr-service:8095"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://127.0.0.1:8099/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
--- a/paddleocr-service/Dockerfile
+++ b/paddleocr-service/Dockerfile
@@ -0,0 +1,16 @@
+FROM python:3.11-slim
+WORKDIR /app
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libgl1 libglib2.0-0 libgomp1 curl \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+EXPOSE 8095
+HEALTHCHECK --interval=30s --timeout=10s --start-period=120s --retries=3 \
+    CMD curl -f http://127.0.0.1:8095/health || exit 1
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8095"]
--- a/paddleocr-service/main.py
+++ b/paddleocr-service/main.py
@@ -0,0 +1,110 @@
+"""PaddleOCR Remote Service — PP-OCRv4 on x86_64 (CPU)."""
+
+import io
+import logging
+import os
+import threading
+
+import numpy as np
+from fastapi import FastAPI, File, Header, HTTPException, UploadFile
+from PIL import Image
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+app = FastAPI(title="PaddleOCR Service")
+
+_engine = None
+_ready = False
+_loading = False
+API_KEY = os.environ.get("PADDLEOCR_API_KEY", "")
+
+
+def _load_model():
+    """Load PaddleOCR model in background thread."""
+    global _engine, _ready
+    try:
+        logger.info("Importing paddleocr...")
+        from paddleocr import PaddleOCR
+
+        logger.info("Loading PaddleOCR model (PP-OCRv4, lang=en)...")
+        _engine = PaddleOCR(
+            lang="en",
+            use_angle_cls=True,
+            show_log=False,
+            enable_mkldnn=False,
+            use_gpu=False,
+        )
+        logger.info("PaddleOCR model loaded — running warmup...")
+        # Warmup with tiny image to trigger any lazy init
+        dummy = np.ones((30, 100, 3), dtype=np.uint8) * 255
+        _engine.ocr(dummy)
+        _ready = True
+        logger.info("PaddleOCR ready to serve")
+    except Exception as e:
+        logger.error(f"Failed to load PaddleOCR: {e}", exc_info=True)
+
+
+@app.on_event("startup")
+def startup_load_model():
+    """Start model loading in background so health check passes immediately."""
+    global _loading
+    _loading = True
+    threading.Thread(target=_load_model, daemon=True).start()
+    logger.info("Model loading started in background thread")
+
+
+@app.get("/health")
+def health():
+    if _ready:
+        return {"status": "ok", "model": "PP-OCRv4"}
+    if _loading:
+        return {"status": "loading"}
+    return {"status": "error"}
+
+
+@app.post("/ocr")
+async def ocr(
+    file: UploadFile = File(...),
+    x_api_key: str = Header(default=""),
+):
+    if API_KEY and x_api_key != API_KEY:
+        raise HTTPException(status_code=401, detail="Invalid API key")
+
+    if not _ready:
+        raise HTTPException(status_code=503, detail="Model still loading")
+
+    img_bytes = await file.read()
+    img = Image.open(io.BytesIO(img_bytes)).convert("RGB")
+    img_np = np.array(img)
+
+    try:
+        result = _engine.ocr(img_np)
+    except Exception as e:
+        logger.error(f"OCR failed: {e}", exc_info=True)
+        raise HTTPException(status_code=500, detail=f"OCR failed: {e}")
+
+    if not result or not result[0]:
+        return {"words": [], "image_width": img_np.shape[1], "image_height": img_np.shape[0]}
+
+    words = []
+    for line in result[0]:
+        box, (text, conf) = line[0], line[1]
+        x_min = min(p[0] for p in box)
+        y_min = min(p[1] for p in box)
+        x_max = max(p[0] for p in box)
+        y_max = max(p[1] for p in box)
+        words.append({
+            "text": str(text).strip(),
+            "left": int(x_min),
+            "top": int(y_min),
+            "width": int(x_max - x_min),
+            "height": int(y_max - y_min),
+            "conf": round(float(conf) * 100, 1),
+        })
+
+    return {
+        "words": words,
+        "image_width": img_np.shape[1],
+        "image_height": img_np.shape[0],
+    }
--- a/paddleocr-service/requirements.txt
+++ b/paddleocr-service/requirements.txt
@@ -0,0 +1,7 @@
+paddlepaddle>=2.6.0,<3.0.0
+paddleocr>=2.7.0,<3.0.0
+fastapi>=0.110.0
+uvicorn>=0.25.0
+python-multipart>=0.0.6
+Pillow>=10.0.0
+numpy>=1.24.0
--- a/rag-service/config.py
+++ b/rag-service/config.py
@@ -6,6 +6,7 @@ class Settings:

    # Qdrant
    QDRANT_URL: str = os.getenv("QDRANT_URL", "http://localhost:6333")
+    QDRANT_API_KEY: str = os.getenv("QDRANT_API_KEY", "")

    # MinIO
    MINIO_ENDPOINT: str = os.getenv("MINIO_ENDPOINT", "localhost:9000")
--- a/rag-service/qdrant_client_wrapper.py
+++ b/rag-service/qdrant_client_wrapper.py
@@ -48,7 +48,11 @@ class QdrantClientWrapper:
    @property
    def client(self) -> QdrantClient:
        if self._client is None:
-            self._client = QdrantClient(url=settings.QDRANT_URL, timeout=30)
+            self._client = QdrantClient(
+                url=settings.QDRANT_URL,
+                api_key=settings.QDRANT_API_KEY or None,
+                timeout=30,
+            )
            logger.info("Connected to Qdrant at %s", settings.QDRANT_URL)
        return self._client
Author	SHA1	Message	Date
Benjamin Admin	520a0f401c	fix: downgrade to PaddleOCR 2.x for CPU stability Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 19:13:41 +01:00
Benjamin Admin	6adf1fe1eb	fix: force-disable oneDNN for PaddlePaddle 3.x Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 19:01:55 +01:00
Benjamin Admin	2ac6559291	fix: disable oneDNN and support PaddleOCR 3.x format Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 18:54:28 +01:00
Benjamin Admin	52618a0630	fix: add error handling to OCR endpoint Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 18:37:47 +01:00
Benjamin Admin	e1a84fd568	fix: remove warmup OCR call — causes OOM on 6G container Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 18:31:25 +01:00
Benjamin Admin	dd0bda05be	fix: increase paddleocr memory limit 4G → 6G Some checks failed Deploy to Coolify / deploy (push) Failing after 2s Details PaddlePaddle + PP-OCRv5 model + warmup OCR needs more than 4G on CPU-only servers. Container was OOM-killed during warmup. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 18:08:15 +01:00
Benjamin Admin	4c68666c5c	fix: add warmup OCR call to avoid timeout on first request Some checks failed Deploy to Coolify / deploy (push) Failing after 6s Details PaddleOCR JIT-compiles on the first .ocr() call, which takes minutes on CPU-only servers. This causes Traefik 504 Gateway Timeout. Run a dummy OCR during startup so the first real request is fast. Also simplify Traefik labels on paddleocr-service. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 16:55:07 +01:00
Benjamin Admin	46b1fdc20f	fix: use runs-on docker for Gitea runner compatibility Some checks failed Deploy to Coolify / deploy (push) Failing after 4s Details The Gitea runner on Mac Mini uses label 'docker', not 'ubuntu-latest'. Also need alpine container with curl installed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 15:51:23 +01:00
Benjamin Admin	445cbc3100	fix: add deploy-coolify.yml workflow to coolify branch Some checks failed Deploy to Coolify / deploy (push) Has been cancelled Details The deploy workflow was missing from the coolify branch, so pushes to coolify never triggered a Coolify redeploy via Gitea Actions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 15:45:58 +01:00
Benjamin Admin	8fe4473205	feat: add paddleocr-service directory to coolify branch The docker-compose.coolify.yml references paddleocr-service/Dockerfile but the directory only existed on main. Coolify clones the coolify branch and needs the source files to build the container. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 15:40:26 +01:00
Benjamin Admin	07dbd78962	feat: add paddleocr-service to Coolify compose Add PaddleOCR PP-OCRv5 service with 4G memory limit, model volume, and health check (5min start period for model loading). Domain routing (ocr.breakpilot.com) to be configured in Coolify UI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 13:39:58 +01:00
Sharang Parnerkar	e9487a31c6	Replace deploy-hetzner with Coolify webhook deploy in ci.yaml Some checks failed CI / go-lint (pull_request) Failing after 2s Details CI / python-lint (pull_request) Failing after 10s Details CI / nodejs-lint (pull_request) Failing after 2s Details CI / test-go-consent (pull_request) Failing after 2s Details CI / test-python-voice (pull_request) Failing after 9s Details CI / test-bqas (pull_request) Failing after 10s Details CI / Deploy (pull_request) Has been skipped Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 11:42:41 +01:00
Sharang Parnerkar	0fb4a7e359	Remove standalone deploy-coolify.yml — deploy is handled in ci.yaml Some checks failed CI / go-lint (pull_request) Failing after 3s Details CI / python-lint (pull_request) Failing after 11s Details CI / nodejs-lint (pull_request) Failing after 3s Details CI / test-go-consent (pull_request) Failing after 3s Details CI / test-python-voice (pull_request) Failing after 11s Details CI / test-bqas (pull_request) Failing after 12s Details CI / deploy-hetzner (pull_request) Has been skipped Details Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 11:26:34 +01:00
Sharang Parnerkar	cf2cabd098	Remove services not needed by SDK from Coolify deployment Some checks failed CI / go-lint (pull_request) Failing after 15s Details CI / python-lint (pull_request) Failing after 10s Details CI / nodejs-lint (pull_request) Failing after 2s Details CI / test-go-consent (pull_request) Failing after 2s Details CI / test-python-voice (pull_request) Failing after 11s Details CI / test-bqas (pull_request) Failing after 10s Details CI / deploy-hetzner (pull_request) Has been skipped Details Deploy to Coolify / deploy (push) Has been cancelled Details Remove backend-core, billing-service, night-scheduler, and admin-core as they are not used by any compliance/SDK service. Update health-aggregator CHECK_SERVICES to reference consent-service instead. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	8ee02bd2e4	Add healthchecks to backend-core, consent-service, billing-service, admin-core Coolify/Traefik requires healthchecks to route traffic to containers. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	d9687725e5	Remove Traefik labels from coolify compose — Coolify handles routing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	6c3911ca47	Fix admin-core build: ensure public directory exists before build Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	30807d1ce1	Fix backend-core TARGETARCH: auto-detect instead of hardcoded arm64 The Dockerfile hardcoded TARGETARCH=arm64 for Mac Mini. Coolify server is x86_64, causing exit code 126 (wrong binary arch). Now uses Docker BuildKit's auto-detected TARGETARCH with dpkg fallback. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	82c28a2b6e	Add QDRANT_API_KEY support to rag-service - Add QDRANT_API_KEY to config.py (empty string = no auth) - Pass api_key to QdrantClient constructor (None when empty) - Add QDRANT_API_KEY to coolify compose and env example Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	86624d72dd	Sync coolify compose with main: remove voice-service, update rag/embedding - Remove voice-service (removed in main branch) - Remove voice_session_data volume - Add OLLAMA_URL and OLLAMA_EMBED_MODEL to rag-service - Update embedding-service default model to BAAI/bge-m3, memory 4G→8G - Update health-aggregator CHECK_SERVICES (remove voice-service) - Update .env.coolify.example accordingly Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	9218664400	fix: use Alpine-compatible addgroup/adduser flags in Dockerfiles Replace --system/--gid/--uid (Debian syntax) with -S/-g/-u (BusyBox/Alpine). Coolify ARG injection causes exit code 255 with Debian-style flags. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	8fa5d9061a	refactor(coolify): externalize postgres, qdrant, S3; remove jitsi/synapse - Remove PostgreSQL, Qdrant, MinIO services (managed separately in Coolify) - Remove Jitsi stack (web, xmpp, jicofo, jvb) and Synapse/synapse-db - Add POSTGRES_HOST, QDRANT_URL, S3_ENDPOINT/S3_ACCESS_KEY/S3_SECRET_KEY env vars - Remove Traefik labels from internal-only services - Health aggregator no longer checks external services - Core now has 10 services: valkey + 9 application services Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00
Sharang Parnerkar	84002f5719	feat: add Coolify deployment configuration Add docker-compose.coolify.yml (17 services), .env.coolify.example, and Gitea Action workflow for Coolify API deployment. Removes nginx, vault, gitea, woodpecker, mailpit, and dev-only services. Adds Traefik labels for *.breakpilot.ai domain routing with Let's Encrypt SSL. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-13 10:16:59 +01:00