docs(docker): clean up on-prem runbooks

.dockerignore

@@ -1,10 +1,14 @@
 .git
 .github
 .opencode
+.codenomad
 node_modules
 **/node_modules
 tmp
 dist
 **/dist
+artifacts
+apps/desktop/src-tauri/target
+**/target
 .env
 .env.*

ee/apps/den-api/package.json

@@ -9,7 +9,7 @@
     "build:email": "pnpm --filter @openwork/email build",
     "build:den-db": "pnpm --filter @openwork-ee/den-db build",
     "backfill:desktop-policies": "pnpm run build:den-db && tsx scripts/backfill-desktop-policies.ts",
-    "seed:demo-org": "pnpm run build:den-db && sh -lc 'DEN_WEB_PORT=${DEN_WEB_PORT:-3005}; OPENWORK_DEV_MODE=${OPENWORK_DEV_MODE:-1} DATABASE_URL=${DATABASE_URL:-mysql://root:password@127.0.0.1:3306/openwork_den} DEN_DB_ENCRYPTION_KEY=${DEN_DB_ENCRYPTION_KEY:-local-dev-db-encryption-key-please-change-1234567890} BETTER_AUTH_SECRET=${BETTER_AUTH_SECRET:-local-dev-secret-not-for-production-use!!} BETTER_AUTH_URL=${BETTER_AUTH_URL:-http://localhost:$DEN_WEB_PORT} tsx scripts/seed-demo-org.ts'",
+    "seed:demo-org": "pnpm run build:den-db && node --import tsx scripts/seed-demo-org-runner.mjs",
     "start": "node dist/server.js"
   },
   "dependencies": {
@@ -38,12 +38,12 @@
     "nanoid": "^5.1.11",
     "openapi-types": "^12.1.3",
     "stripe": "^22.1.1",
+    "tsx": "^4.15.7",
     "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/json-schema": "^7.0.15",
     "@types/node": "^20.11.30",
-    "tsx": "^4.15.7",
     "typescript": "^5.5.4"
   }
 }

ee/apps/den-api/scripts/seed-demo-org-runner.mjs

@@ -0,0 +1,9 @@
+const denWebPort = process.env.DEN_WEB_PORT?.trim() || "3005"
+
+process.env.OPENWORK_DEV_MODE ??= "1"
+process.env.DATABASE_URL ??= "mysql://root:password@127.0.0.1:3306/openwork_den"
+process.env.DEN_DB_ENCRYPTION_KEY ??= "local-dev-db-encryption-key-please-change-1234567890"
+process.env.BETTER_AUTH_SECRET ??= "local-dev-secret-not-for-production-use!!"
+process.env.BETTER_AUTH_URL ??= `http://localhost:${denWebPort}`
+
+await import("./seed-demo-org.ts")

ee/apps/den-api/scripts/seed-demo-org.ts

@@ -1085,7 +1085,8 @@ async function main() {
   log("✓", `done in ${elapsedSeconds}s`)
   log(" ", `${memberIdsByEmail.size} members · ${teamIdsByName.size} teams · ${seededPlugins} plugins · ${seededObjects} config objects`)
   console.log()
-  log("→", `login: ${DEMO_OWNER_EMAIL} / ${DEMO_OWNER_PASSWORD}`)
+  log("→", `login email: ${DEMO_OWNER_EMAIL}`)
+  log("→", "login password: use the DEN_DEMO_OWNER_PASSWORD value supplied to this seed run")
   log("→", "open: /organization or /dashboard")
   console.log()
 }

packaging/docker/Dockerfile

@@ -1,6 +1,11 @@
 FROM node:22-bookworm-slim
 
-ARG OPENWORK_ORCHESTRATOR_VERSION=0.11.22
+ARG TARGETARCH
+ARG BUN_VERSION=1.3.8
+ARG BUN_DOWNLOAD_URL=
+ARG BUN_SHA256=
+
+WORKDIR /repo
 
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
@@ -9,9 +14,63 @@ RUN apt-get update \
     git \
     tar \
     unzip \
+  && npm install -g pnpm@11.4.0 \
+  && case "${TARGETARCH:-amd64}" in \
+    amd64) bun_artifact=bun-linux-x64.zip; bun_sha=0322b17f0722da76a64298aad498225aedcbf6df1008a1dee45e16ecb226a3f1 ;; \
+    arm64) bun_artifact=bun-linux-aarch64.zip; bun_sha=4e9deb6814a7ec7f68725ddd97d0d7b4065bcda9a850f69d497567e995a7fa33 ;; \
+    *) echo "Unsupported Bun TARGETARCH=${TARGETARCH}" >&2; exit 1 ;; \
+  esac \
+  && bun_url="${BUN_DOWNLOAD_URL:-https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/${bun_artifact}}" \
+  && bun_sha="${BUN_SHA256:-$bun_sha}" \
+  && curl -fsSLo "/tmp/${bun_artifact}" "$bun_url" \
+  && echo "$bun_sha  /tmp/${bun_artifact}" | sha256sum -c - \
+  && unzip -q "/tmp/${bun_artifact}" -d /tmp \
+  && install -m 0755 "/tmp/${bun_artifact%.zip}/bun" /usr/local/bin/bun \
+  && bun --version | grep -qx "$BUN_VERSION" \
+  && rm -rf "/tmp/${bun_artifact%.zip}" "/tmp/${bun_artifact}" \
   && rm -rf /var/lib/apt/lists/*
 
-RUN npm install -g "openwork-orchestrator@${OPENWORK_ORCHESTRATOR_VERSION}"
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+RUN mkdir -p \
+    apps/app \
+    apps/desktop \
+    apps/opencode-router \
+    apps/orchestrator \
+    apps/server \
+    apps/ui-demo \
+    ee/apps/den-api \
+    ee/apps/den-web \
+    ee/apps/den-worker-proxy \
+    ee/apps/inference \
+    ee/apps/landing \
+    ee/packages/den-db \
+    ee/packages/utils \
+    packages/email \
+    packages/handsfree \
+    packages/openwork-ui-mcp \
+    packages/types \
+    packages/ui
+COPY apps/app/package.json apps/app/package.json
+COPY apps/desktop/package.json apps/desktop/package.json
+COPY apps/opencode-router/package.json apps/opencode-router/package.json
+COPY apps/orchestrator/package.json apps/orchestrator/package.json
+COPY apps/server/package.json apps/server/package.json
+COPY apps/ui-demo/package.json apps/ui-demo/package.json
+COPY ee/apps/den-api/package.json ee/apps/den-api/package.json
+COPY ee/apps/den-web/package.json ee/apps/den-web/package.json
+COPY ee/apps/den-worker-proxy/package.json ee/apps/den-worker-proxy/package.json
+COPY ee/apps/inference/package.json ee/apps/inference/package.json
+COPY ee/apps/landing/package.json ee/apps/landing/package.json
+COPY ee/packages/den-db/package.json ee/packages/den-db/package.json
+COPY ee/packages/utils/package.json ee/packages/utils/package.json
+COPY packages/email/package.json packages/email/package.json
+COPY packages/handsfree/package.json packages/handsfree/package.json
+COPY packages/openwork-ui-mcp/package.json packages/openwork-ui-mcp/package.json
+COPY packages/types/package.json packages/types/package.json
+COPY packages/ui/package.json packages/ui/package.json
+RUN pnpm install --frozen-lockfile
+
+COPY . .
 
 # Persistent directories (mount volumes here on PaaS/SSH).
 ENV OPENWORK_DATA_DIR=/data/openwork-orchestrator
@@ -33,16 +92,8 @@ VOLUME ["/workspace", "/data"]
 # - OpenCode stays internal (127.0.0.1:4096)
 # - OpenWork server proxies OpenCode via localhost
 # - OpenCode Router disabled by default
-CMD [
-  "openwork",
-  "serve",
-  "--workspace", "/workspace",
-  "--remote-access",
-  "--openwork-port", "8787",
-  "--opencode-host", "127.0.0.1",
-  "--opencode-port", "4096",
-  "--connect-host", "127.0.0.1",
-  "--cors", "*",
-  "--approval", "manual",
-  "--no-opencode-router"
+CMD [ \
+  "sh", \
+  "-lc", \
+  "TOKEN_FILE=/data/openwork-worker.env; ENV_OPENWORK_TOKEN=\"${OPENWORK_TOKEN:-}\"; ENV_OPENWORK_HOST_TOKEN=\"${OPENWORK_HOST_TOKEN:-}\"; FILE_OPENWORK_TOKEN=; FILE_OPENWORK_HOST_TOKEN=; if [ -f \"$TOKEN_FILE\" ]; then . \"$TOKEN_FILE\"; FILE_OPENWORK_TOKEN=\"${OPENWORK_TOKEN:-}\"; FILE_OPENWORK_HOST_TOKEN=\"${OPENWORK_HOST_TOKEN:-}\"; fi; OPENWORK_TOKEN=\"${ENV_OPENWORK_TOKEN:-$FILE_OPENWORK_TOKEN}\"; OPENWORK_HOST_TOKEN=\"${ENV_OPENWORK_HOST_TOKEN:-$FILE_OPENWORK_HOST_TOKEN}\"; GENERATED_TOKEN=0; if [ -z \"$OPENWORK_TOKEN\" ]; then OPENWORK_TOKEN=owc_$(node -e \"console.log(require('crypto').randomBytes(32).toString('base64url'))\"); FILE_OPENWORK_TOKEN=\"$OPENWORK_TOKEN\"; GENERATED_TOKEN=1; fi; if [ -z \"$OPENWORK_HOST_TOKEN\" ]; then OPENWORK_HOST_TOKEN=owh_$(node -e \"console.log(require('crypto').randomBytes(32).toString('base64url'))\"); FILE_OPENWORK_HOST_TOKEN=\"$OPENWORK_HOST_TOKEN\"; GENERATED_TOKEN=1; fi; export OPENWORK_TOKEN OPENWORK_HOST_TOKEN; if [ \"$GENERATED_TOKEN\" = \"1\" ] || [ ! -f \"$TOKEN_FILE\" ]; then umask 077; { if [ -z \"$ENV_OPENWORK_TOKEN\" ]; then printf 'OPENWORK_TOKEN=%s\\n' \"$FILE_OPENWORK_TOKEN\"; fi; if [ -z \"$ENV_OPENWORK_HOST_TOKEN\" ]; then printf 'OPENWORK_HOST_TOKEN=%s\\n' \"$FILE_OPENWORK_HOST_TOKEN\"; fi; } > \"$TOKEN_FILE\"; fi; if [ -n \"$ENV_OPENWORK_TOKEN$ENV_OPENWORK_HOST_TOKEN\" ]; then echo \"OpenWork worker env-supplied tokens are active and were not persisted\"; else echo \"OpenWork worker fallback tokens are stored in $TOKEN_FILE\"; fi; OPENWORK_CORS_ORIGINS=\"${OPENWORK_CORS_ORIGINS:-http://localhost:${OPENWORK_PORT:-8787},http://127.0.0.1:${OPENWORK_PORT:-8787}}\"; exec bun apps/orchestrator/src/cli.ts serve --workspace /workspace --remote-access --openwork-port \"${OPENWORK_PORT:-8787}\" --opencode-host 127.0.0.1 --opencode-port 4096 --connect-host \"${OPENWORK_CONNECT_HOST:-127.0.0.1}\" --cors \"$OPENWORK_CORS_ORIGINS\" --approval \"${OPENWORK_APPROVAL_MODE:-manual}\" --no-opencode-router" \
 ]

packaging/docker/Dockerfile.den

@@ -5,16 +5,18 @@ RUN corepack enable
 WORKDIR /app
 
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/
-COPY .npmrc /app/.npmrc
 COPY patches /app/patches
+COPY packages/email/package.json /app/packages/email/package.json
 COPY packages/types/package.json /app/packages/types/package.json
 COPY ee/packages/utils/package.json /app/ee/packages/utils/package.json
 COPY ee/packages/den-db/package.json /app/ee/packages/den-db/package.json
 COPY ee/apps/den-api/package.json /app/ee/apps/den-api/package.json
 
 RUN pnpm install --frozen-lockfile
 
+COPY packages/email /app/packages/email
 COPY packages/types /app/packages/types
+COPY apps/desktop/package.json /app/apps/desktop/package.json
 COPY ee/packages/utils /app/ee/packages/utils
 COPY ee/packages/den-db /app/ee/packages/den-db
 COPY ee/apps/den-api /app/ee/apps/den-api

packaging/docker/Dockerfile.den-web

@@ -5,7 +5,6 @@ RUN corepack enable
 WORKDIR /app
 
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/
-COPY .npmrc /app/.npmrc
 COPY patches /app/patches
 COPY packages/types/package.json /app/packages/types/package.json
 COPY packages/ui/package.json /app/packages/ui/package.json

packaging/docker/Dockerfile.den-worker-proxy

@@ -5,7 +5,6 @@ RUN corepack enable
 WORKDIR /app
 
 COPY package.json pnpm-lock.yaml pnpm-workspace.yaml /app/
-COPY .npmrc /app/.npmrc
 COPY patches /app/patches
 COPY packages/types/package.json /app/packages/types/package.json
 COPY ee/packages/utils/package.json /app/ee/packages/utils/package.json