fix: honcho auth + deepseek LLM config

- Honcho (FastAPI) et OpenConcho (React SPA) dans un seul Dockerfile multi-stage
- nginx proxy /v3/ /v2/ /health /openapi.json vers Honcho sur localhost:8000
- Supprime le service openconcho séparé et le dossier orphelin
- Routeur Traefik unique à honcho.lazyworkhorse.net (port 80 — nginx)
- Plus besoin d'exposer Honcho séparément (API accessible via nginx proxy)

ai/compose.yml

@@ -161,35 +161,21 @@ services:
       - "303"
       - "26"
 
-  # --- Honcho: AI-native user modeling ---
+  # --- Honcho + OpenConcho combiné: API + Web UI nginx/FastAPI ---
-  honcho:
+  honcho-ui:
     build: ./honcho
     container_name: honcho
     restart: unless-stopped
-    ports:
-      - "127.0.0.1:8001:8000"
     environment:
       - DB_CONNECTION_URI=postgresql+psycopg://honcho:honcho_pass@honcho-db:5432/honcho
       - CACHE_URL=redis://honcho-redis:6379/0
       - CACHE_ENABLED=true
       - EMBEDDING_VECTOR_DIMENSIONS=1536
-      - VECTOR_STORE_DIMENSIONS=
+      - AUTH_USE_AUTH=true
+      - AUTH_JWT_SECRET=${AUTH_JWT_SECRET}
+      - OPENAI_API_KEY=${OPENAI_API_KEY}
     volumes:
       - /mnt/HoardingCow_docker_data/Honcho/data:/app/data
-    networks:
-      - ai_backend
-      - ai_net
-    depends_on:
-      honcho-db:
-        condition: service_healthy
-      honcho-redis:
-        condition: service_healthy
-
-  # --- OpenConcho: Honcho web UI ---
-  openconcho:
-    build: ./openconcho
-    container_name: openconcho
-    restart: unless-stopped
     networks:
       - ai_backend
       - ai_net
@@ -197,19 +183,24 @@ services:
       - "traefik.enable=true"
 
       # Router for HTTP + redirect to HTTPS
-      - "traefik.http.routers.openconcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-http.rule=Host(`honcho.lazyworkhorse.net`)"
-      - "traefik.http.routers.openconcho-http.entrypoints=web"
+      - "traefik.http.routers.honcho-http.entrypoints=web"
-      - "traefik.http.routers.openconcho-http.middlewares=redirect-to-https"
+      - "traefik.http.routers.honcho-http.middlewares=redirect-to-https"
 
       # Router for HTTPS with TLS — protected by Authelia
-      - "traefik.http.routers.openconcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
+      - "traefik.http.routers.honcho-https.rule=Host(`honcho.lazyworkhorse.net`)"
-      - "traefik.http.routers.openconcho-https.entrypoints=websecure"
+      - "traefik.http.routers.honcho-https.entrypoints=websecure"
-      - "traefik.http.routers.openconcho-https.tls=true"
+      - "traefik.http.routers.honcho-https.tls=true"
-      - "traefik.http.routers.openconcho-https.tls.certresolver=njalla"
+      - "traefik.http.routers.honcho-https.tls.certresolver=njalla"
-      - "traefik.http.routers.openconcho-https.middlewares=hermes-auth"
+      - "traefik.http.routers.honcho-https.middlewares=hermes-auth"
 
-      # Service Loadbalancer
+      # Service Loadbalancer (nginx port)
-      - "traefik.http.services.openconcho.loadbalancer.server.port=80"
+      - "traefik.http.services.honcho.loadbalancer.server.port=80"
+    depends_on:
+      honcho-db:
+        condition: service_healthy
+      honcho-redis:
+        condition: service_healthy
 
   honcho-db:
     image: pgvector/pgvector:pg15

ai/honcho/Dockerfile

@@ -1,6 +1,5 @@
 # build stage — fetches and builds Honcho from source
-# Using buildkit cache mounts for speed across rebuilds
+FROM python:3.13-slim-bookworm AS honcho-builder
-FROM python:3.13-slim-bookworm AS builder
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends git && \
@@ -8,7 +7,6 @@ RUN apt-get update && \
 
 COPY --from=ghcr.io/astral-sh/uv:0.9.24 /uv /bin/uv
 
-# Clone Honcho at a pinned commit for reproducibility
 ARG HONCHO_REPO=https://github.com/plastic-labs/honcho
 ARG HONCHO_REF=main
 RUN git clone --depth 1 --branch ${HONCHO_REF} ${HONCHO_REPO} /app
@@ -21,21 +19,56 @@ ENV UV_PYTHON=/usr/local/bin/python3.13
 
 RUN uv sync --frozen
 
-# --- runtime stage ---
+# build stage — builds OpenConcho SPA
+FROM node:22-bookworm AS openconcho-builder
+
+ENV PNPM_HOME=/pnpm
+ENV PATH=$PNPM_HOME:$PATH
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+ARG OPENCONCHO_SHA=e490d911fcb27ee193558fd9a28856cde2057665
+RUN git clone --depth 1 https://github.com/offendingcommit/openconcho.git /app && \
+    git -C /app fetch --depth 1 origin ${OPENCONCHO_SHA} && \
+    git -C /app checkout ${OPENCONCHO_SHA}
+
+RUN pnpm install --frozen-lockfile
+RUN pnpm --filter @openconcho/web build
+
+# runtime stage — nginx + Honcho FastAPI
 FROM python:3.13-slim-bookworm
 
-RUN groupadd --system app && \
+# Install nginx and create runtime dirs before dropping permissions
-    useradd --system --gid app --create-home app
+RUN apt-get update && apt-get install -y --no-install-recommends nginx && \
+    rm -rf /var/log/nginx/* && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm -f /etc/nginx/sites-enabled/default
 
-COPY --from=builder /app /app
+# Patch nginx.conf: comment out "user www-data;" so nginx master stays as root
+# (workers inherit root inside a container — fine for single-service isolation)
+RUN sed -i 's/^user /# user /' /etc/nginx/nginx.conf
 
+# Pre-create nginx runtime directories with proper ownership
+RUN mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi \
+             /var/lib/nginx/uwsgi /var/lib/nginx/scgi /var/lib/nginx/proxy_temp \
+             /var/cache/nginx && \
+    chown -R root:root /var/lib/nginx /var/cache/nginx
+
+# Honcho
+COPY --from=honcho-builder /app /app
 WORKDIR /app
 ENV PATH="/app/.venv/bin:$PATH"
 ENV HOME=/app
+COPY config.toml /app/config.toml
 
-COPY --chown=app:app config.toml /app/config.toml
+# OpenConcho SPA
+COPY --from=openconcho-builder /app/packages/web/dist /usr/share/nginx/html
 
-USER app
+# nginx config (proxies /v3/, /v2/ to Honcho on localhost:8000)
-EXPOSE 8000
+COPY honcho-nginx.conf /etc/nginx/conf.d/default.conf
 
-CMD ["fastapi", "run", "--host", "0.0.0.0", "src/main.py"]
+EXPOSE 80
+
+CMD ["sh", "-c", "nginx -g 'daemon off;' & fastapi run --host 127.0.0.1 --port 8000 src/main.py"]

ai/honcho/config.toml

@@ -48,8 +48,8 @@ FLUSH_ENABLED = true
 
 [deriver.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 # --- Dialectic ---
 [dialectic]
@@ -61,36 +61,36 @@ MAX_TOOL_ITERATIONS = 1
 MAX_OUTPUT_TOKENS = 512
 [dialectic.levels.minimal.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 [dialectic.levels.low]
 MAX_TOOL_ITERATIONS = 3
 [dialectic.levels.low.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 [dialectic.levels.medium]
 MAX_TOOL_ITERATIONS = 2
 [dialectic.levels.medium.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 [dialectic.levels.high]
 MAX_TOOL_ITERATIONS = 4
 [dialectic.levels.high.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 [dialectic.levels.max]
 MAX_TOOL_ITERATIONS = 10
 [dialectic.levels.max.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 # --- Summary ---
 [summary]
@@ -100,8 +100,8 @@ MESSAGES_PER_LONG_SUMMARY = 60
 
 [summary.model_config]
 transport = "openai"
-model = "hermes-3"
+model = "deepseek-v4-flash"
-base_url = "http://ollama:11434/v1"
+base_url = "https://opencode.ai/zen/go/v1"
 
 # --- Dream ---
 [dream]

ai/honcho/honcho-nginx.conf

@@ -0,0 +1,52 @@
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Honcho API proxy
+    location /v3/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /v2/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Honcho health
+    location /health {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # OpenAPI docs
+    location /openapi.json {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SPA: fallback to index.html for client-side routing
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

ai/openconcho/Dockerfile

@@ -1,23 +0,0 @@
-# build stage
-FROM node:22-bookworm AS builder
-
-ENV PNPM_HOME=/pnpm
-ENV PATH=$PNPM_HOME:$PATH
-RUN corepack enable && corepack prepare pnpm@latest --activate
-
-WORKDIR /app
-RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
-
-ARG OPENCONCHO_SHA=e490d911fcb27ee193558fd9a28856cde2057665
-RUN git clone --depth 1 https://github.com/offendingcommit/openconcho.git /app && \
-    git -C /app fetch --depth 1 origin ${OPENCONCHO_SHA} && \
-    git -C /app checkout ${OPENCONCHO_SHA}
-
-RUN pnpm install --frozen-lockfile
-RUN pnpm --filter @openconcho/web build
-
-# runtime stage
-FROM nginx:alpine
-COPY --from=builder /app/packages/web/dist /usr/share/nginx/html
-EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]