Prevent dependency cache copies in runtime image#4140

Open

owenshuo wants to merge 1 commit into

orchestration-agent:mainfrom

owenshuo:fix/4132-runtime-cache-audit

owenshuo commented May 25, 2026

/claim #4132

Summary

add a narrow multi-stage Dockerfile that installs production dependencies with pip cache disabled and copies only runtime dependency/app artifact paths into the final image
add a runtime image inspection script that fails when dependency manager cache directories are present
add CI coverage that builds the runtime image and runs the cache inspection check

Verification

python3 -m pytest tests/test_image_cache_inspection.py -q
python3 -m flake8 scripts/inspect_image_caches.py tests/test_image_cache_inspection.py
git diff --check
docker build -t agent-orchestrator:cache-audit .
python3 scripts/inspect_image_caches.py agent-orchestrator:cache-audit


          Prevent runtime image cache copies

4221e13

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet