docs: remove Docker artifacts (keep S360 server image), add local-first Docker-for-Neo4j workflow#54
Merged
Merged
Conversation
colombod
force-pushed
the
remove-docker-local-first-docs
branch
2 times, most recently
from
July 11, 2026 22:36
11168e4 to
8c9f884
Compare
…st Docker-for-Neo4j workflow Remove maintained Docker artifacts from the repo (keeping ONLY the S360-compliant server Dockerfile) and rewrite documentation/setup around a local-first workflow that runs Neo4j in a documented Docker container. Removed: - docker-compose.yml, docker-compose.airgap.yml (unused Compose stack) - start.sh (Compose wrapper) - neo4j.Dockerfile (Neo4j no longer shipped as a container image) - test/airgap/ (README.md, dtu-profile.yaml, verify-airgap-apoc.sh) - tests/test_docker_compose_simplified.py, tests/test_docker_infrastructure.py, tests/test_start_sh.py (now-subjectless tests) Kept intentionally: the server Dockerfile (S360/Qualys-compliant Azure Linux base, PR #50), .dockerignore, docker-entrypoint.sh, tests/neo4j/ fixtures and the docker dev-dependency. Added: - scripts/prime-local-config.py — stdlib-only local key-priming helper that replaces the old Docker credential bootstrap (generates the API token, prints it once, stores only the sha256 digest, writes server-config.yaml with bolt://localhost:7687 and a local writable data tree). - docs/local-development.md — canonical "Running Locally" guide: Neo4j via a single documented `docker run` (NEO4J_PLUGINS auto-installs APOC + GDS, --restart unless-stopped for boot persistence), key priming, run the server, plus ask-Amplifier prompts. Changed: - README.md — removed the Docker Compose / single-container run sections and all references to deleted files; local-first is now the primary path. - docs/azure-deployment.md — rewritten into a generic, compliant "deploy via amplifier-online" guide (no as-built specifics/secrets/IPs): S360 base-image policy (PR #50), a Neo4j VM build section (capacity, APOC+GDS, persistent disk, private VNet/NSG), Key Vault secret wiring with the declarative-redeploy rule, dual-client config keyed to the Neo4j Community single-account reality, and a Neo4j-safe version-bump runbook. - docs/service-setup.md — local Neo4j guidance; removed the docker-compose Caddy HTTPS section. - docs/managing-api-keys.md — local prime-local-config.py bootstrap. - docs/remote-access-sharing.md — standalone/local host-binding + backup/restore. - docs/designs/per-user-api-keys.md — bootstrap references off deleted start.sh. - AGENTS.md — keep/remove policy and the S360 base-image compliance anchor. - amplifier-online.yaml — deployed image tag reference v6.0.0 -> v6.6.6. Validation: `pytest tests/` collects 1881 tests with no errors; scripts/prime-local-config.py passes ruff + pyright and was tested end-to-end; repo-wide grep confirms zero broken references to any deleted file. 🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier) Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
Surface the real fixes from PR #55 (feat: add graph data science plugin): - Drop the wrong `dbms.security.procedures.allowlist=apoc.*,gds.*` from the bare-metal Neo4j VM config in azure-deployment.md — an allowlist restricted to the plugins would block the built-in db.*/dbms.* procedures the server needs. Set ONLY `unrestricted`. - local-development.md docker run: add explicit `NEO4J_dbms_security_procedures_unrestricted='apoc.*,gds.*'` so GDS procedures load, pin the image to neo4j:5.26.22-community, and document that GDS is fetched at first start matched to the Neo4j version per the official compatibility matrix (GDS 2.13.x for Neo4j 5.26.x). 🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier) Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
colombod
force-pushed
the
remove-docker-local-first-docs
branch
from
July 13, 2026 23:32
8c9f884 to
6ea8a7d
Compare
Address Paul's PR #54 review — two places where the guide contradicted how Amplifier Online actually works (the committed amplifier-online.yaml is the tell): 1. Image registry. Drop the "push to your project's ACR" / `az acr build --registry <your-acr>` framing. There is ONE shared platform ACR (amplifieronlinecr, admin disabled, no push access). Make push-to-deploy the Step 1 path: `amplifier-online cicd create` -> CI builds to ghcr.io -> the provisioner imports ghcr->ACR. Compliance is enforced in CI (approved FROM base -> Trivy gate -> SBOM + provenance), and the manifest `image:` is a provisioner destination, not a push target. 2. Neo4j VM. Replace the hand-rolled VNet/subnet/NSG (Step 2) with a second `vm`-stack Amplifier Online project: its own manifest + `up`, in the platform vms subnet, static_private_ip 10.100.4.4, ports 7687 from cae-infra, no public IP, data_disk_gib, cloud-init installing Neo4j Community 5.26 LTS + APOC + GDS 2.13.11. The stack inherits the approved image + private networking instead of re-deriving them, keeping the guide's "compliant, via amplifier-online" thesis. 🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier) Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
colombod
added a commit
that referenced
this pull request
Jul 15, 2026
Image bump: v6.6.6 → v6.7.0 - services.api.image now references amplifieronlinecr.azurecr.io/context-intelligence-server:v6.7.0 - ACR image tag is where the provisioner lands the imported image; bumping it makes v6.7.0 addressable Neo4j configuration: flat single-account → structured two-client form (required by v6.7.0) - Enables the server's new structured Neo4j validator (admin + cypher_query split) - On Community, both clients use the SAME instance and SAME Key Vault secrets (neo4j-user, neo4j-password) - Adds NEO4J_REQUIRE_EXPLICIT_CLIENTS="true" - Adds admin client: NEO4J__ADMIN__URL=bolt://10.100.4.4:7687 with ACCESS_MODE=WRITE - Adds cypher_query client: NEO4J__CYPHER_QUERY__URL=bolt://10.100.4.4:7687 with ACCESS_MODE=READ - Removes flat NEO4J_URL - Documents out-of-band secret wiring: all four credential leaves (admin+cypher_query USERNAME/PASSWORD) map to the same two KV secrets (neo4j-user, neo4j-password), re-applied after every `up` - No secretref strings in manifest (ship verbatim) This follows PR #54 (which retained the flat/v6.6.6 form). Pairs with building v6.7.0 image via push-to-deploy. 🤖 Generated with [Amplifier](https://github.com/microsoft/amplifier) Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes maintained Docker artifacts from the repo — keeping only the S360-compliant server
Dockerfile— and rewrites the documentation/setup around a local-first workflow that runs Neo4j in a documented Docker container. Also corrects and expands the Azure deployment guide.Removed
docker-compose.yml,docker-compose.airgap.yml(unused Compose stack)start.sh(Compose wrapper)neo4j.Dockerfile(Neo4j no longer shipped as a container image)test/airgap/(README.md,dtu-profile.yaml,verify-airgap-apoc.sh)tests/test_docker_compose_simplified.py,tests/test_docker_infrastructure.py,tests/test_start_sh.py(now-subjectless tests)Kept (intentionally)
The server
Dockerfile(S360/Qualys-compliant Azure Linux base, PR #50),.dockerignore,docker-entrypoint.sh, and thetests/neo4j/fixtures + thedockerdev-dependency.Added
scripts/prime-local-config.py— stdlib-only local key-priming helper replacing the old Docker credential bootstrap: generates the API token (printed once, only the sha256 digest stored) and writesserver-config.yamlwithbolt://localhost:7687+ a local writable data tree.docs/local-development.md— canonical "Running Locally" guide: Neo4j via a single documenteddocker run(NEO4J_PLUGINSauto-installs APOC + GDS,--restart unless-stoppedfor boot persistence), key priming, run the server, plus ask-Amplifier prompts.Changed
README.md— removed the Docker Compose / single-container run sections and all references to deleted files; local-first is now the primary path.docs/azure-deployment.md— rewritten into a generic, compliant "deploy via amplifier-online" guide (no as-built specifics/secrets/IPs): S360 base-image policy (PR fix(docker): adopt Azure Linux base + remove EOL packaging tools to clear S360 SCA findings #50), a Neo4j VM build section (capacity, APOC+GDS, persistent disk, private VNet/NSG), Key Vault secret wiring with the declarative-redeploy rule, dual-client config keyed to the Neo4j Community single-account reality, and a Neo4j-safe version-bump runbook.docs/service-setup.md— local Neo4j guidance; removed the docker-compose Caddy HTTPS section.docs/managing-api-keys.md— localprime-local-config.pybootstrap.docs/remote-access-sharing.md— standalone/local host-binding + backup/restore.docs/designs/per-user-api-keys.md— bootstrap references off the deletedstart.sh.AGENTS.md— keep/remove policy and the S360 base-image compliance anchor.amplifier-online.yaml— deployed image tag referencev6.0.0→v6.6.6.Validation
pytest tests/collects 1881 tests, no errors.scripts/prime-local-config.pypasses ruff + pyright and was tested end-to-end.🤖 Generated with Amplifier