fix: Migrate voice-agent to Amazon Linux 2023 to eliminate CRITICAL CVEs

backend/voice-agent/Dockerfile

@@ -13,44 +13,59 @@
 # ========================
 # Stage 1: Build / Install
 # ========================
-FROM python:3.12-slim AS builder
+# Using Amazon Linux 2023 for better AWS integration and security
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023 AS builder
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PIP_NO_CACHE_DIR=1 \
     PIP_DISABLE_PIP_VERSION_CHECK=1
 
-# Build tools for any native extensions (gcc, python3-dev)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Build tools for any native extensions (gcc, python3-devel)
+# Amazon Linux 2023 uses OpenSSL (no gnutls/mbedtls vulnerabilities)
+RUN yum install -y \
     gcc \
-    python3-dev \
-    && rm -rf /var/lib/apt/lists/*
+    python3.13 \
+    python3.13-devel \
+    python3.13-pip \
+    && yum clean all
 
 WORKDIR /app
 
 # Copy requirements first for better layer caching
 COPY requirements.txt .
 
-# Install Python dependencies into a virtual env for clean copy
-RUN python -m venv /app/venv
+# Set Python 3.13 as default and install dependencies into a virtual env
+RUN alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 1 \
+    && alternatives --set python3 /usr/bin/python3.13 \
+    && python3 -m venv /app/venv
+
 ENV PATH="/app/venv/bin:$PATH"
 RUN pip install --no-cache-dir -r requirements.txt
 
 # ========================
 # Stage 2: Runtime
 # ========================
-FROM python:3.12-slim
+# Using Amazon Linux 2023 for better AWS integration and security
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1
 
-# Runtime-only system dependencies (no gcc/python3-dev)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Runtime-only system dependencies (no gcc/python3-devel)
+# Amazon Linux 2023 uses OpenSSL (no gnutls/mbedtls vulnerabilities)
+RUN yum install -y \
+    python3.13 \
+    python3.13-libs \
     # Audio processing
-    libsndfile1 \
-    ffmpeg \
-    # Networking (health checks)
-    curl \
-    && rm -rf /var/lib/apt/lists/*
+    libsndfile \
+    # User management tools
+    shadow-utils \
+    # Networking (health checks) - curl-minimal already installed
+    && yum clean all
+
+# Set Python 3.13 as default
+RUN alternatives --install /usr/bin/python3 python3 /usr/bin/python3.13 1 \
+    && alternatives --set python3 /usr/bin/python3.13
 
 # Create non-root user for security
 RUN useradd --create-home --shell /bin/bash appuser

buildspec-appointment-agent.yml

@@ -0,0 +1,28 @@
+version: 0.2
+
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
+      - aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
+      - echo Building appointment-agent with image tag $IMAGE_TAG
+
+  build:
+    commands:
+      - echo Build started on `date`
+      - cd backend/agents/appointment-agent
+      - docker build -t appointment-agent .
+      - docker tag appointment-agent $ECR_REGISTRY/$ECR_REPOSITORY:appointment-agent-$IMAGE_TAG
+      - docker tag appointment-agent $ECR_REGISTRY/$ECR_REPOSITORY:appointment-agent-latest
+
+  post_build:
+    commands:
+      - echo Pushing the Docker images...
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:appointment-agent-$IMAGE_TAG
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:appointment-agent-latest
+
+env:
+  variables:
+    AWS_DEFAULT_REGION: us-east-1

buildspec-crm-agent.yml

@@ -0,0 +1,32 @@
+version: 0.2
+
+# CodeBuild buildspec for building and pushing crm-agent container
+
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
+      - aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
+      - echo Building crm-agent with image tag $IMAGE_TAG
+
+  build:
+    commands:
+      - echo Build started on `date`
+      - echo Building the Docker image for crm-agent...
+      - cd backend/agents/crm-agent
+      - docker build -t $ECR_REPOSITORY:crm-agent-$IMAGE_TAG .
+      - docker tag $ECR_REPOSITORY:crm-agent-$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:crm-agent-$IMAGE_TAG
+      - docker tag $ECR_REPOSITORY:crm-agent-$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:crm-agent-latest
+
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Pushing the Docker images...
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:crm-agent-$IMAGE_TAG
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:crm-agent-latest
+
+env:
+  variables:
+    AWS_DEFAULT_REGION: us-east-1

buildspec-kb-agent.yml

@@ -0,0 +1,28 @@
+version: 0.2
+
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
+      - aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
+      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
+      - echo Building kb-agent with image tag $IMAGE_TAG
+
+  build:
+    commands:
+      - echo Build started on `date`
+      - cd backend/agents/knowledge-base-agent
+      - docker build -t kb-agent .
+      - docker tag kb-agent $ECR_REGISTRY/$ECR_REPOSITORY:kb-agent-$IMAGE_TAG
+      - docker tag kb-agent $ECR_REGISTRY/$ECR_REPOSITORY:kb-agent-latest
+
+  post_build:
+    commands:
+      - echo Pushing the Docker images...
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:kb-agent-$IMAGE_TAG
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:kb-agent-latest
+
+env:
+  variables:
+    AWS_DEFAULT_REGION: us-east-1

buildspec-voice-agent.yml

@@ -0,0 +1,42 @@
+version: 0.2
+
+# CodeBuild buildspec for building and pushing voice-agent container
+# Addresses security vulnerabilities by building with updated Dockerfile
+
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $ECR_REGISTRY
+      - IMAGE_TAG=${CODEBUILD_RESOLVED_SOURCE_VERSION:-latest}
+      - echo Building voice-agent with image tag $IMAGE_TAG
+      - echo Attempting to pull Amazon Linux base image to warm Docker cache...
+      - docker pull public.ecr.aws/amazonlinux/amazonlinux:2023 || echo "Docker pull failed, will try during build"
+
+  build:
+    commands:
+      - echo Build started on `date`
+      - echo Building the Docker image for voice-agent...
+      - cd backend/voice-agent
+      - docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
+      - docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+      - docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
+
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Pushing the Docker images...
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+      - docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
+      - echo Writing image definitions file...
+      - printf '[{"name":"voice-agent","imageUri":"%s"}]' $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG > imagedefinitions.json
+
+artifacts:
+  files:
+    - imagedefinitions.json
+
+env:
+  variables:
+    AWS_DEFAULT_REGION: us-east-1
+    ECR_REGISTRY: 972801262139.dkr.ecr.us-east-1.amazonaws.com
+    ECR_REPOSITORY: cdk-hnb659fds-container-assets-972801262139-us-east-1