feat: MedAssist demo Docker image + CI pipeline

.github/workflows/ci.yml

@@ -59,7 +59,8 @@ jobs:
         env:
           AA_PORT: "8080"
           AA_BIND_ADDRESS: "0.0.0.0"
-          AA_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+          # Broker binary uses AA_ prefix (devonartis/agentwrit#44)
+          AA_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
         options: >-
           --health-cmd "wget --spider -q http://localhost:8080/v1/health"
           --health-interval 2s
@@ -75,7 +76,7 @@ jobs:
         id: register-app
         env:
           AGENTWRIT_BROKER_URL: http://localhost:8080
-          AA_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+          AA_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
         run: |
           # Authenticate as admin
           ADMIN_TOKEN=$(curl -sf -X POST "${AGENTWRIT_BROKER_URL}/v1/admin/auth" \
@@ -99,7 +100,7 @@ jobs:
       - name: Run integration tests (all 15 stories)
         env:
           AGENTWRIT_BROKER_URL: http://localhost:8080
-          AGENTWRIT_ADMIN_SECRET: ${{ secrets.AA_ADMIN_SECRET }}
+          AGENTWRIT_ADMIN_SECRET: ${{ secrets.AGENTWRIT_ADMIN_SECRET }}
           AGENTWRIT_CLIENT_ID: ${{ steps.register-app.outputs.client_id }}
           AGENTWRIT_CLIENT_SECRET: ${{ steps.register-app.outputs.client_secret }}
         run: |

.github/workflows/docker-medassist.yml

@@ -0,0 +1,49 @@
+name: Build & Push MedAssist Demo
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "demo/**"
+      - "src/**"
+      - "pyproject.toml"
+      - "uv.lock"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push:
+    name: Build & Push Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract version from pyproject.toml
+        id: version
+        run: |
+          VERSION=$(grep '^version' pyproject.toml | head -1 | sed 's/.*"\(.*\)".*/\1/')
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Version: ${VERSION}"
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: demo/Dockerfile
+          push: true
+          tags: |
+            devonartis/agentwrit-medassist:latest
+            devonartis/agentwrit-medassist:${{ steps.version.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

demo/Dockerfile

@@ -0,0 +1,34 @@
+FROM python:3.13-slim AS base
+
+# System deps for cryptography wheel
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gcc libffi-dev curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install uv
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+
+WORKDIR /app
+
+# Copy build metadata (hatchling needs README.md)
+COPY pyproject.toml uv.lock README.md ./
+
+# Install all dependencies including demo deps (layer cache)
+COPY src/ src/
+RUN uv sync --frozen
+
+# Copy demo app
+COPY demo/ demo/
+
+# Demo entrypoint
+COPY demo/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 5000
+
+# Runtime config — secrets passed at run time, not baked in
+ENV AGENTWRIT_BROKER_URL=http://broker:8080
+ENV LLM_BASE_URL=https://api.openai.com/v1
+ENV LLM_MODEL=gpt-4o-mini
+
+ENTRYPOINT ["/entrypoint.sh"]

demo/entrypoint.sh

@@ -0,0 +1,47 @@
+#!/bin/sh
+set -e
+
+# Wait for broker to be healthy
+echo "Waiting for broker at ${AGENTWRIT_BROKER_URL}..."
+until curl -sf "${AGENTWRIT_BROKER_URL}/v1/health" > /dev/null 2>&1; do
+    sleep 1
+done
+echo "Broker is ready."
+
+# Auto-register app if no client credentials provided
+if [ -z "${AGENTWRIT_CLIENT_ID}" ] || [ -z "${AGENTWRIT_CLIENT_SECRET}" ]; then
+    echo "No client credentials — registering app with broker..."
+
+    if [ -z "${AGENTWRIT_ADMIN_SECRET}" ]; then
+        echo "ERROR: AGENTWRIT_ADMIN_SECRET required for auto-registration"
+        exit 1
+    fi
+
+    # Authenticate as admin
+    ADMIN_TOKEN=$(curl -sf -X POST "${AGENTWRIT_BROKER_URL}/v1/admin/auth" \
+        -H "Content-Type: application/json" \
+        -d "{\"secret\":\"${AGENTWRIT_ADMIN_SECRET}\"}" \
+        | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
+
+    # Register the demo app
+    APP_JSON=$(curl -sf -X POST "${AGENTWRIT_BROKER_URL}/v1/admin/apps" \
+        -H "Content-Type: application/json" \
+        -H "Authorization: Bearer ${ADMIN_TOKEN}" \
+        -d '{
+            "name": "medassist-demo",
+            "scopes": [
+                "read:records:*", "write:records:*", "read:labs:*",
+                "write:prescriptions:*", "read:formulary:*",
+                "read:billing:*", "write:billing:*", "read:insurance:*"
+            ],
+            "token_ttl": 1800
+        }')
+
+    export AGENTWRIT_CLIENT_ID=$(echo "${APP_JSON}" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_id'])")
+    export AGENTWRIT_CLIENT_SECRET=$(echo "${APP_JSON}" | python3 -c "import sys,json; print(json.load(sys.stdin)['client_secret'])")
+
+    echo "App registered: ${AGENTWRIT_CLIENT_ID}"
+fi
+
+echo "Starting MedAssist AI on port 5000..."
+exec uv run uvicorn demo.app:app --host 0.0.0.0 --port 5000

docker-compose.yml

@@ -2,13 +2,15 @@ services:
   broker:
     image: devonartis/agentwrit:latest
     ports:
-      - "${AA_HOST_PORT:-8080}:8080"
+      - "${AGENTWRIT_HOST_PORT:-8080}:8080"
     environment:
+      # Broker binary still uses AA_ prefix (devonartis/agentwrit#44).
+      # We map from AGENTWRIT_ so users never see the legacy prefix.
       - AA_PORT=8080
-      - AA_BIND_ADDRESS=${AA_BIND_ADDRESS:-0.0.0.0}
-      - AA_ADMIN_SECRET=${AA_ADMIN_SECRET:-}
-      - AA_SEED_TOKENS=${AA_SEED_TOKENS:-false}
-      - AA_LOG_LEVEL=${AA_LOG_LEVEL:-standard}
+      - AA_BIND_ADDRESS=0.0.0.0
+      - AA_ADMIN_SECRET=${AGENTWRIT_ADMIN_SECRET:-}
+      - AA_SEED_TOKENS=${AGENTWRIT_SEED_TOKENS:-false}
+      - AA_LOG_LEVEL=${AGENTWRIT_LOG_LEVEL:-standard}
     volumes:
       - broker-data:/data
     healthcheck:
@@ -17,5 +19,24 @@ services:
       timeout: 3s
       retries: 10
 
+  medassist:
+    image: devonartis/agentwrit-medassist:latest
+    build:
+      context: .
+      dockerfile: demo/Dockerfile
+    ports:
+      - "${AGENTWRIT_DEMO_PORT:-5000}:5000"
+    environment:
+      - AGENTWRIT_BROKER_URL=http://broker:8080
+      - AGENTWRIT_ADMIN_SECRET=${AGENTWRIT_ADMIN_SECRET:-}
+      - AGENTWRIT_CLIENT_ID=${AGENTWRIT_CLIENT_ID:-}
+      - AGENTWRIT_CLIENT_SECRET=${AGENTWRIT_CLIENT_SECRET:-}
+      - LLM_BASE_URL=${LLM_BASE_URL:-https://api.openai.com/v1}
+      - LLM_API_KEY=${LLM_API_KEY:-}
+      - LLM_MODEL=${LLM_MODEL:-gpt-4o-mini}
+    depends_on:
+      broker:
+        condition: service_healthy
+
 volumes:
   broker-data: