Embed OCI metadata, switch to debian13 base

.github/workflows/release.yml

@@ -1208,6 +1208,8 @@ jobs:
           set -euo pipefail
           VERSION="${{ needs.read_version.outputs.version }}"
           DOCKER_REPO="${DOCKER_REPO_INPUT:-}"
+          DOCKER_IMAGE_SOURCE="https://github.com/${{ github.repository }}"
+          DOCKER_IMAGE_CREATED="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
           if [[ -z "$DOCKER_REPO" ]]; then
             DOCKER_REPO="jamals86/kalamdb"
           fi
@@ -1220,6 +1222,8 @@ jobs:
           DOCKER_VERSION_COMMIT_TAG="${VERSION}-h${SHORT_SHA}"
           echo "docker_repo=$DOCKER_REPO" >> "$GITHUB_OUTPUT"
           echo "docker_version_commit_tag=$DOCKER_VERSION_COMMIT_TAG" >> "$GITHUB_OUTPUT"
+          echo "docker_image_source=$DOCKER_IMAGE_SOURCE" >> "$GITHUB_OUTPUT"
+          echo "docker_image_created=$DOCKER_IMAGE_CREATED" >> "$GITHUB_OUTPUT"
 
       - name: Download pre-built artifacts (x86_64)
         uses: actions/download-artifact@v4
@@ -1302,6 +1306,16 @@ jobs:
           platforms: linux/amd64
           build-contexts: |
             binaries=binaries-amd64
+          build-args: |
+            OCI_IMAGE_VERSION=${{ needs.read_version.outputs.version }}
+            OCI_IMAGE_REVISION=${{ github.sha }}
+            OCI_IMAGE_CREATED=${{ steps.vars.outputs.docker_image_created }}
+            OCI_IMAGE_SOURCE=${{ steps.vars.outputs.docker_image_source }}
+            OCI_IMAGE_URL=https://kalamdb.org
+            OCI_IMAGE_DOCUMENTATION=https://kalamdb.org/docs
+            OCI_IMAGE_AUTHORS=Jamal Saad
+            OCI_IMAGE_VENDOR=KalamDB
+            OCI_IMAGE_LICENSES=Apache-2.0
           tags: |
             ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-amd64
 
@@ -1328,6 +1342,16 @@ jobs:
           platforms: linux/arm64
           build-contexts: |
             binaries=binaries-arm64
+          build-args: |
+            OCI_IMAGE_VERSION=${{ needs.read_version.outputs.version }}
+            OCI_IMAGE_REVISION=${{ github.sha }}
+            OCI_IMAGE_CREATED=${{ steps.vars.outputs.docker_image_created }}
+            OCI_IMAGE_SOURCE=${{ steps.vars.outputs.docker_image_source }}
+            OCI_IMAGE_URL=https://kalamdb.org
+            OCI_IMAGE_DOCUMENTATION=https://kalamdb.org/docs
+            OCI_IMAGE_AUTHORS=Jamal Saad
+            OCI_IMAGE_VENDOR=KalamDB
+            OCI_IMAGE_LICENSES=Apache-2.0
           tags: |
             ${{ steps.vars.outputs.docker_repo }}:${{ needs.read_version.outputs.version }}-arm64
 

docker/build/Dockerfile.prebuilt

@@ -17,7 +17,32 @@ COPY backend/server.example.toml /runtime/config/server.toml
 RUN sed -i 's|data_path = "\./data"|data_path = "/data"|g' /runtime/config/server.toml
 
 # Distroless runtime keeps the final image smaller and reduces the attack surface.
-FROM gcr.io/distroless/cc-debian12:nonroot
+# Debian 13 provides a newer glibc that matches the release-built Linux binaries.
+FROM gcr.io/distroless/cc-debian13:nonroot
+
+ARG OCI_IMAGE_TITLE="KalamDB"
+ARG OCI_IMAGE_DESCRIPTION="SQL-first realtime state database for AI agents, chat products, and multi-tenant SaaS"
+ARG OCI_IMAGE_URL="https://kalamdb.org"
+ARG OCI_IMAGE_SOURCE="https://github.com/jamals86/KalamDB"
+ARG OCI_IMAGE_DOCUMENTATION="https://kalamdb.org/docs"
+ARG OCI_IMAGE_VENDOR="KalamDB"
+ARG OCI_IMAGE_AUTHORS="Jamal Saad"
+ARG OCI_IMAGE_LICENSES="Apache-2.0"
+ARG OCI_IMAGE_VERSION="dev"
+ARG OCI_IMAGE_REVISION="unknown"
+ARG OCI_IMAGE_CREATED="unknown"
+
+LABEL org.opencontainers.image.title="${OCI_IMAGE_TITLE}" \
+    org.opencontainers.image.description="${OCI_IMAGE_DESCRIPTION}" \
+    org.opencontainers.image.url="${OCI_IMAGE_URL}" \
+    org.opencontainers.image.source="${OCI_IMAGE_SOURCE}" \
+    org.opencontainers.image.documentation="${OCI_IMAGE_DOCUMENTATION}" \
+    org.opencontainers.image.vendor="${OCI_IMAGE_VENDOR}" \
+    org.opencontainers.image.authors="${OCI_IMAGE_AUTHORS}" \
+    org.opencontainers.image.licenses="${OCI_IMAGE_LICENSES}" \
+    org.opencontainers.image.version="${OCI_IMAGE_VERSION}" \
+    org.opencontainers.image.revision="${OCI_IMAGE_REVISION}" \
+    org.opencontainers.image.created="${OCI_IMAGE_CREATED}"
 
 # Copy pre-built binaries from build context (provided via --build-context binaries=...)
 # The build context should contain kalamdb-server and kalam binaries

docker/build/test-docker-image.sh

@@ -105,7 +105,7 @@ main() {
 
     # Test 3: Check binary existence
     log_info "Test 3: Checking binaries inside container..."
-    docker exec "$CONTAINER_NAME" /bin/sh -c "test -x /usr/local/bin/kalamdb-server" &>/dev/null
+    docker exec "$CONTAINER_NAME" /usr/local/bin/busybox sh -c "test -x /usr/local/bin/kalamdb-server" &>/dev/null
     if [ $? -eq 0 ]; then
         log_info "✓ Server binary exists and is executable"
     else