feat(standalone): self-contained Docker image + ghcr.io publishing

Phase 2 of the standalone-container plan. Anyone can now pull and run
the API without setting up a local development environment with sibling
Python repos. Three pieces:

1. Dockerfile.standalone: clones sibling Python repos (cobrakbase,
   ModelSEEDpy, KBUtilLib, cb_annotation_ontology_api) and data repos
   (ModelSEEDDatabase dev branch, ModelSEEDTemplates) from GitHub at
   build time. Result: ~1.5-2 GB self-contained image. Defaults to
   local-filesystem storage so no PATRIC account is needed. ANL-only
   endpoints (workspace, RAST jobs, RAST genome) cleanly 503 unless
   their env vars are configured. Existing production Dockerfile is
   untouched; production deploy mechanic on poplar continues to work
   as-is.

2. .github/workflows/publish-image.yml: builds + pushes to
   ghcr.io/modelseed/modelseed-api on push to main + on git tags.
   Tag scheme: :latest, :main-<sha>, :vX.Y.Z, :X.Y. Auth via the
   built-in GITHUB_TOKEN; no separate registry account needed.
   Includes a smoke job that pulls the published image, hits
   /api/health + /api/biochem/stats + /api/biochem/search?query=glucose,
   and asserts that /api/rast/jobs returns 503 (standalone defaults
   correctly leave RAST DB unconfigured).

3. docs/STANDALONE.md: full walkthrough for researchers running the
   image locally: quick-start, persisting data, what endpoints work
   without auth, end-to-end FASTA-to-model recipe, MCP server config
   for Claude Desktop, opt-in env vars for the production-only
   endpoints. README also gets a short "Run standalone" section near
   the top with the one-liner.

.dockerignore extended to cover docs/, .github/, .claude/, .env*, IDE
artifacts, OS noise.

Next: once the first build lands and we verify the image works, the
bulk reconstruction endpoint (Chris's PRD) is purely additive on top
of this image.

Author: jplfaria

.dockerignore

@@ -1,15 +1,56 @@
+# Keep the docker build context lean: only files the Dockerfiles
+# actually COPY need to be sent to the daemon. Tests, docs, git
+# history, and dev artifacts can be excluded.
+
+# Version control + git metadata
 .git
+.gitignore
+.gitattributes
+
+# Python build / install artifacts
 .venv
 venv
 __pycache__
 *.py[cod]
 *.egg-info
 dist
 build
+
+# Test artifacts (tests run in CI, not inside the image)
+tests/
 .pytest_cache
 .coverage
 htmlcov
-.DS_Store
+
+# Docs (served by FastAPI from code, not from the markdown files)
+docs/
+
+# CI + tooling config
+.github
 .claude
+noxfile.py
+
+# Editor / IDE
+.vscode
+.idea
+*.swp
+*.swo
+*~
+
+# Local secrets / config (never bake into the image)
 .env
-tests
+.env.*
+!.env.example
+
+# Local Docker iteration
+docker-compose.yml
+docker-compose.*.yml
+
+# OS noise
+.DS_Store
+Thumbs.db
+
+# Logs and scratch
+*.log
+scratch
+tmp

.github/workflows/publish-image.yml

@@ -0,0 +1,152 @@
+# Build the standalone modelseed-api Docker image and publish to
+# ghcr.io/modelseed/modelseed-api.
+#
+# Tagging:
+#   - push to main:  ghcr.io/.../modelseed-api:latest + :main-<sha>
+#   - git tag v*:    ghcr.io/.../modelseed-api:vX.Y.Z + :latest
+#
+# Image is built from Dockerfile.standalone (clones sibling repos from
+# GitHub during build, includes bundled data). Production deployments on
+# poplar continue to use the regular Dockerfile + docker-compose; this
+# workflow is purely for the public/standalone artifact.
+#
+# Requires: nothing special. GITHUB_TOKEN is auto-provisioned and has
+# packages:write on the org-scoped registry (ghcr.io/modelseed/...).
+
+name: Publish standalone image
+
+on:
+  push:
+    branches: [main]
+    paths:
+      # Only rebuild when something that actually affects the image changes.
+      - 'src/**'
+      - 'data/**'
+      - 'pyproject.toml'
+      - 'Dockerfile.standalone'
+      - '.dockerignore'
+      - '.github/workflows/publish-image.yml'
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      smoke_test:
+        description: 'Run smoke test after build (slower, but verifies image actually runs)'
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Compute image tags + labels
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=main-,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') || startsWith(github.ref, 'refs/tags/v') }}
+
+      - name: Build + push
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile.standalone
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # GitHub Actions cache so subsequent builds reuse the heavy layers
+          # (system deps + cloned sibling repos) when those didn't change.
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  smoke:
+    name: Smoke-test the published image
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.smoke_test }}
+    steps:
+      - name: Pull image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+
+      - name: Start container
+        run: |
+          docker run -d --name smoke -p 8000:8000 \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          # Give uvicorn a moment to bind + biochem init to finish.
+          # biochem init reads ~45k compounds + 56k reactions; takes ~10s.
+          for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
+            if curl -sf http://localhost:8000/api/health > /dev/null; then
+              echo "Healthy after ${i}s"
+              break
+            fi
+            sleep 1
+          done
+
+      - name: Hit /api/health
+        run: |
+          resp=$(curl -sf http://localhost:8000/api/health)
+          echo "Response: $resp"
+          echo "$resp" | grep -q '"status":"ok"'
+
+      - name: Hit /api/biochem/stats (no auth, exercises bundled data)
+        run: |
+          resp=$(curl -sf http://localhost:8000/api/biochem/stats)
+          echo "Response: $resp"
+          echo "$resp" | grep -q 'total_compounds'
+
+      - name: Hit /api/biochem/search (real query against bundled DB)
+        run: |
+          resp=$(curl -sf 'http://localhost:8000/api/biochem/search?query=glucose&type=compounds&limit=5')
+          echo "Response: $resp" | head -c 500
+          echo "$resp" | grep -q 'cpd00027'
+
+      - name: Confirm ANL-only endpoints return 503 (standalone-friendly defaults)
+        run: |
+          # No PATRIC token + no RAST DB configured = these should 503 cleanly,
+          # not crash or return 500.
+          code=$(curl -s -o /dev/null -w '%{http_code}' \
+            -H 'Authorization: bogus-token' \
+            http://localhost:8000/api/rast/jobs)
+          if [ "$code" != "503" ]; then
+            echo "FAIL: /api/rast/jobs returned $code, expected 503"
+            exit 1
+          fi
+          echo "OK: /api/rast/jobs returns 503 as expected (no MODELSEED_RAST_DB_HOST)"
+
+      - name: Show container logs (always, for diagnostics)
+        if: always()
+        run: docker logs smoke | tail -100
+
+      - name: Stop container
+        if: always()
+        run: docker rm -f smoke

Dockerfile.standalone

@@ -0,0 +1,99 @@
+# ModelSEED API: self-contained image for standalone use
+#
+# Unlike the production Dockerfile (which COPYs sibling repos from the
+# build host), this image clones all dependency repos from GitHub during
+# the build. Result: a single self-contained image that anyone can pull
+# from ghcr.io and run without setting up a local development environment.
+#
+# Build (CI): GitHub Actions builds + pushes to ghcr.io/modelseed/modelseed-api
+# Build (local, for testing):
+#     docker build -f Dockerfile.standalone -t modelseed-api:standalone .
+# Run:
+#     docker run -p 8000:8000 ghcr.io/modelseed/modelseed-api:latest
+#     # then hit http://localhost:8000/demo/
+#
+# The image includes ModelSEEDDatabase and ModelSEEDTemplates baked in;
+# total size ~1.5-2 GB. Larger than typical web-app images but eliminates
+# the need for separate data downloads.
+#
+# Defaults to local-storage mode (no PATRIC account needed). All ANL-
+# specific endpoints (workspace, RAST jobs, RAST genome) cleanly return
+# 503 unless their env vars are configured. See docs/STANDALONE.md.
+
+FROM python:3.11-slim
+
+# System deps: GLPK for cobra's linear solver, git for cloning, gcc/g++
+# for Python wheel builds that need compilation.
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        glpk-utils \
+        libglpk-dev \
+        libexpat1 \
+        gcc \
+        g++ \
+        git \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /deps
+
+# Clone dependency repos. Using `--depth 1` keeps the image smaller by
+# skipping git history. Pin to specific commits later if reproducible
+# builds become important; HEAD of each branch is fine for now.
+RUN git clone --depth 1 --branch master https://github.com/Fxe/cobrakbase.git && \
+    git clone --depth 1 --branch main https://github.com/cshenry/ModelSEEDpy.git && \
+    git clone --depth 1 --branch main https://github.com/cshenry/KBUtilLib.git && \
+    git clone --depth 1 --branch main https://github.com/kbaseapps/cb_annotation_ontology_api.git && \
+    git clone --depth 1 --branch dev https://github.com/ModelSEED/ModelSEEDDatabase.git && \
+    git clone --depth 1 --branch main https://github.com/ModelSEED/ModelSEEDTemplates.git
+
+# Install dependency packages in the order they expect.
+# cobrakbase first (no deps on others), then ModelSEEDpy, then KBUtilLib.
+RUN pip install --no-cache-dir -e /deps/cobrakbase && \
+    pip install --no-cache-dir -e /deps/ModelSEEDpy && \
+    pip install --no-cache-dir -e /deps/KBUtilLib
+
+WORKDIR /app
+
+# Copy modelseed-api source from build context. With CI, the context is
+# this repo's checkout; locally, run from the repo root.
+COPY src/ /app/src/
+COPY data/ /app/data/
+COPY pyproject.toml /app/
+
+# Install modelseed-api with the modeling+celery extras.
+RUN pip install --no-cache-dir -e ".[modeling,celery]"
+
+# numpy/scikit-learn occasionally end up at mismatched ABI versions
+# after the editable installs; force-reinstall to a coherent pair.
+# Then pre-download the ~25MB genome classifier files so the first
+# model build is fast.
+RUN pip install --no-cache-dir --force-reinstall numpy scikit-learn && \
+    python -c "from modelseedpy.helpers import get_classifier; get_classifier('knn_ACNP_RAST_filter_01_17_2023')"
+
+# Default configuration.
+ENV MODELSEED_MODELSEED_DB_PATH=/deps/ModelSEEDDatabase \
+    MODELSEED_TEMPLATES_PATH=/deps/ModelSEEDTemplates/templates/v7.0 \
+    MODELSEED_CB_ANNOTATION_ONTOLOGY_API_PATH=/deps/cb_annotation_ontology_api \
+    MODELSEED_JOB_STORE_DIR=/tmp/modelseed-jobs \
+    MODELSEED_HOST=0.0.0.0 \
+    MODELSEED_PORT=8000 \
+    MODELSEED_STORAGE_BACKEND=local \
+    MODELSEED_LOCAL_DATA_DIR=/data/modelseed
+# Local-storage by default: no PATRIC account needed, models persist
+# under MODELSEED_LOCAL_DATA_DIR. Users who want PATRIC-workspace mode
+# can override MODELSEED_STORAGE_BACKEND=workspace at run time.
+
+# WORKAROUND: cobrakbase.KBaseAPI() reads a token from ~/.kbase/token
+# even when not connecting to KBase. Required by MSReconstructionUtils
+# init. Dummy value is fine.
+ENV KB_AUTH_TOKEN=unused
+RUN mkdir -p /root/.kbase && echo "unused" > /root/.kbase/token
+
+# Make sure the default local-data dir exists so first-run writes work
+# without the user pre-creating + bind-mounting it.
+RUN mkdir -p /data/modelseed && chmod 777 /data/modelseed
+VOLUME /data/modelseed
+
+EXPOSE 8000
+
+WORKDIR /app/src
+CMD ["python", "-m", "uvicorn", "modelseed_api.main:app", "--host", "0.0.0.0", "--port", "8000"]

README.md

@@ -22,6 +22,32 @@ The production API is served at **https://modelseed.org/PMS/**.
 For deployment, restart procedures, on-call runbook, and infrastructure details, see the private operations repo: [`ModelSEED/modelseed-api-ops`](https://github.com/ModelSEED/modelseed-api-ops). Access is invite-only: ask Chris Henry or Jose Faria.
 
 
+## Run standalone (your own machine, no ANL setup)
+
+The repo ships a self-contained Docker image on GitHub Container Registry. Bundles all dependencies + biochemistry data; no PATRIC account or RAST account needed for the local-mode workflow.
+
+```bash
+docker run -p 8000:8000 ghcr.io/modelseed/modelseed-api:latest
+```
+
+Then open `http://localhost:8000/demo/` or hit the API directly:
+
+```bash
+curl http://localhost:8000/api/health
+curl 'http://localhost:8000/api/biochem/search?query=glucose&type=compounds&limit=5'
+```
+
+To persist models across container restarts, bind-mount a host directory:
+
+```bash
+docker run -p 8000:8000 \
+    -v ~/.modelseed:/data/modelseed \
+    ghcr.io/modelseed/modelseed-api:latest
+```
+
+The standalone image defaults to local-filesystem storage. Endpoints that need ANL infrastructure (`/api/workspace/*`, `/api/rast/*`) return a clean 503 unless their env vars are configured. See [`docs/STANDALONE.md`](docs/STANDALONE.md) for the full walkthrough including FASTA-to-model recipes and MCP server setup for Claude Desktop.
+
+
 ## API Endpoints
 
 Most endpoints require a PATRIC token in the `Authorization` header (not needed in local mode). Biochemistry endpoints are always public.