remove Python from Docker: use Rust CLI for config generation

Dockerfile

@@ -1,4 +1,4 @@
-# Envoy version — keep in sync with cli/planoai/consts.py ENVOY_VERSION
+# Envoy version — keep in sync with crates/plano-cli/src/consts.rs ENVOY_VERSION
 ARG ENVOY_VERSION=v1.37.0
 
 # --- Dependency cache ---
@@ -21,10 +21,12 @@ RUN mkdir -p common/src && echo "" > common/src/lib.rs && \
     mkdir -p prompt_gateway/src && echo "#[no_mangle] pub fn _start() {}" > prompt_gateway/src/lib.rs && \
     mkdir -p llm_gateway/src && echo "#[no_mangle] pub fn _start() {}" > llm_gateway/src/lib.rs && \
     mkdir -p brightstaff/src && echo "fn main() {}" > brightstaff/src/main.rs && echo "" > brightstaff/src/lib.rs && \
-    mkdir -p plano-cli/src && echo "fn main() {}" > plano-cli/src/main.rs
+    mkdir -p plano-cli/src && echo "fn main() {}" > plano-cli/src/main.rs && \
+    mkdir -p plano-cli/templates && touch plano-cli/templates/.keep
 
 RUN cargo build --release --target wasm32-wasip1 -p prompt_gateway -p llm_gateway || true
 RUN cargo build --release -p brightstaff || true
+RUN cargo build --release -p plano-cli || true
 
 # --- WASM plugins ---
 FROM deps AS wasm-builder
@@ -45,18 +47,27 @@ COPY crates/brightstaff/src    brightstaff/src
 RUN find common hermesllm brightstaff -name "*.rs" -exec touch {} +
 RUN cargo build --release -p brightstaff
 
+# --- Plano CLI binary ---
+FROM deps AS cli-builder
+RUN rm -rf common/src hermesllm/src plano-cli/src plano-cli/templates
+COPY crates/common/src         common/src
+COPY crates/hermesllm/src      hermesllm/src
+COPY crates/plano-cli/src      plano-cli/src
+COPY crates/plano-cli/templates plano-cli/templates
+COPY crates/plano-cli/build.rs plano-cli/build.rs
+RUN find common hermesllm plano-cli -name "*.rs" -exec touch {} +
+RUN cargo build --release -p plano-cli
+
 FROM docker.io/envoyproxy/envoy:${ENVOY_VERSION} AS envoy
 
-FROM python:3.14-slim AS arch
+FROM debian:bookworm-slim AS arch
 
 RUN set -eux; \
   apt-get update; \
   apt-get upgrade -y; \
-  apt-get install -y --no-install-recommends gettext-base curl procps; \
+  apt-get install -y --no-install-recommends gettext-base curl procps supervisor; \
   apt-get clean; rm -rf /var/lib/apt/lists/*
 
-RUN pip install --no-cache-dir supervisor
-
 # Remove PAM packages (CVE-2025-6020)
 RUN set -eux; \
   dpkg -r --force-depends libpam-modules libpam-modules-bin libpam-runtime libpam0g || true; \
@@ -67,25 +78,16 @@ COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
 
 WORKDIR /app
 
-RUN pip install --no-cache-dir uv
-
-COPY cli/pyproject.toml ./
-COPY cli/uv.lock ./
-COPY cli/README.md ./
 COPY config/plano_config_schema.yaml /config/plano_config_schema.yaml
 COPY config/envoy.template.yaml /config/envoy.template.yaml
 
-RUN pip install --no-cache-dir -e .
-
-COPY cli/planoai planoai/
-COPY config/envoy.template.yaml .
-COPY config/plano_config_schema.yaml .
 RUN mkdir -p /etc/supervisor/conf.d
 COPY config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
 
 COPY --from=wasm-builder /arch/target/wasm32-wasip1/release/prompt_gateway.wasm /etc/envoy/proxy-wasm-plugins/prompt_gateway.wasm
 COPY --from=wasm-builder /arch/target/wasm32-wasip1/release/llm_gateway.wasm /etc/envoy/proxy-wasm-plugins/llm_gateway.wasm
 COPY --from=brightstaff-builder /arch/target/release/brightstaff /app/brightstaff
+COPY --from=cli-builder /arch/target/release/planoai /usr/local/bin/planoai
 
 RUN mkdir -p /var/log/supervisor && \
     touch /var/log/envoy.log /var/log/supervisor/supervisord.log \

config/supervisord.conf

@@ -4,7 +4,13 @@ pidfile=/var/run/supervisord.pid
 
 [program:config_generator]
 command=/bin/sh -c "\
-    uv run python -m planoai.config_generator && \
+    PLANO_CONFIG_FILE=/app/plano_config.yaml \
+    PLANO_CONFIG_SCHEMA_FILE=/config/plano_config_schema.yaml \
+    TEMPLATE_ROOT=/config \
+    ENVOY_CONFIG_TEMPLATE_FILE=envoy.template.yaml \
+    PLANO_CONFIG_FILE_RENDERED=/app/plano_config_rendered.yaml \
+    ENVOY_CONFIG_FILE_RENDERED=/etc/envoy/envoy.yaml \
+    planoai render-config && \
     envsubst < /app/plano_config_rendered.yaml > /app/plano_config_rendered.env_sub.yaml && \
     envsubst < /etc/envoy/envoy.yaml > /etc/envoy.env_sub.yaml && \
     touch /tmp/config_ready || \

crates/plano-cli/src/commands/mod.rs

@@ -3,6 +3,7 @@ pub mod cli_agent;
 pub mod down;
 pub mod init;
 pub mod logs;
+pub mod render_config;
 pub mod self_update;
 pub mod up;
 pub mod validate;
@@ -145,6 +146,10 @@ pub enum Command {
         path: String,
     },
 
+    /// Render config files (used by Docker/supervisord)
+    #[command(name = "render-config")]
+    RenderConfig,
+
     /// Update planoai to the latest version
     #[command(name = "self-update")]
     SelfUpdate {
@@ -273,6 +278,7 @@ pub async fn run(cli: Cli) -> anyhow::Result<()> {
             list_templates,
         }) => init::run(template, clean, output, force, list_templates).await,
         Some(Command::Validate { file, path }) => validate::run(file, &path).await,
+        Some(Command::RenderConfig) => render_config::run().await,
         Some(Command::SelfUpdate { version }) => self_update::run(version.as_deref()).await,
     }
 }

crates/plano-cli/src/commands/render_config.rs

@@ -0,0 +1,33 @@
+use std::path::Path;
+
+use anyhow::Result;
+
+use crate::config;
+
+/// Render config files for Docker/supervisord use.
+/// Reads paths from environment variables (matching the old Python config_generator).
+pub async fn run() -> Result<()> {
+    let config_file =
+        std::env::var("PLANO_CONFIG_FILE").unwrap_or_else(|_| "/app/plano_config.yaml".to_string());
+    let schema_file = std::env::var("PLANO_CONFIG_SCHEMA_FILE")
+        .unwrap_or_else(|_| "plano_config_schema.yaml".to_string());
+    let template_root = std::env::var("TEMPLATE_ROOT").unwrap_or_else(|_| "./".to_string());
+    let template_file = std::env::var("ENVOY_CONFIG_TEMPLATE_FILE")
+        .unwrap_or_else(|_| "envoy.template.yaml".to_string());
+    let config_rendered = std::env::var("PLANO_CONFIG_FILE_RENDERED")
+        .unwrap_or_else(|_| "/app/plano_config_rendered.yaml".to_string());
+    let envoy_rendered = std::env::var("ENVOY_CONFIG_FILE_RENDERED")
+        .unwrap_or_else(|_| "/etc/envoy/envoy.yaml".to_string());
+
+    let template_path = Path::new(&template_root).join(&template_file);
+
+    config::validate_and_render(
+        Path::new(&config_file),
+        Path::new(&schema_file),
+        &template_path,
+        Path::new(&envoy_rendered),
+        Path::new(&config_rendered),
+    )?;
+
+    Ok(())
+}

crates/plano-cli/src/docker/mod.rs

@@ -34,10 +34,9 @@ pub async fn validate_config(plano_config_path: &Path) -> Result<()> {
         "-v".to_string(),
         format!("{}:/app/plano_config.yaml:ro", abs_path.display()),
         "--entrypoint".to_string(),
-        "python".to_string(),
+        "planoai".to_string(),
         plano_docker_image(),
-        "-m".to_string(),
-        "planoai.config_generator".to_string(),
+        "render-config".to_string(),
     ];
 
     let output = Command::new(&args[0]).args(&args[1..]).output()?;