From eae1372e1c7c978f12e8080d58241303dfab75b0 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Mon, 11 May 2026 02:42:46 +0200 Subject: [PATCH] ops(container-stack): fix svalinn Containerfile + add canonical selur Containerfile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit svalinn (#15) - Replace `RUN cd src && ./node_modules/.bin/rescript build` with `RUN deno task res:build`. The original command failed because rescript wasn't on disk at the relative path; the deno.json `res:build` task runs under `deno task`, which prepends node_modules/.bin/ to PATH so the rescript CLI resolves from the workspace-root node_modules populated by `deno install`. Matches the rest of svalinn's tooling (Deno-first). selur (#12) - New container-stack/selur/Containerfile — two-stage build matching the sibling pattern (cerro-torre, vordr, svalinn, rokur). Stage 1 builds selur.wasm via Zig (`cd zig && zig build wasm`). Stage 2 ships only the WASM artefact at /usr/local/lib/selur.wasm — Idris2 proofs and the Rust host library are compile/verification-time artefacts and follow vordr's pattern of not shipping in the runtime image. - Runtime image is artefact-distribution: ENTRYPOINT `cat` exposes the WASM on stdout so downstream consumers (idaptik Wave 1 selur-compose, etc.) can extract it via `podman run --rm selur:latest > selur.wasm`. - LABEL net.hyperpolymath.selur.artifact-path=/usr/local/lib/selur.wasm makes the artefact path machine-discoverable. Closes #15, closes #12. Unblocks idaptik Wave 1 stapel-voll integration (selur was the missing piece per the audit). Co-Authored-By: Claude Opus 4.7 (1M context) --- container-stack/selur/Containerfile | 46 +++++++++++++++++++++++++++ container-stack/svalinn/Containerfile | 6 ++-- 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 container-stack/selur/Containerfile 
diff --git a/container-stack/selur/Containerfile b/container-stack/selur/Containerfile
new file mode 100644
index 0000000..0f060f3
--- /dev/null
+++ b/container-stack/selur/Containerfile
@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+# Containerfile for selur — Ephapax-linear WASM sealant
+#
+# Multi-stage build: compile selur.wasm via Zig, package in a minimal runtime
+# image. Idris2 proofs and the Rust host library are compile/verification-time
+# artefacts and are NOT shipped — see vordr's Containerfile for the same
+# pattern (verification artefacts stay out of the runtime image).
+#
+# The runtime image is an artefact-distribution container: it ships
+# selur.wasm at a well-known path, and the default ENTRYPOINT prints the
+# WASM to stdout so consumers can extract it with:
+#
+# podman run --rm selur:latest > selur.wasm
+#
+# Or copy it out of a stopped container:
+#
+# id=$(podman create selur:latest) && podman cp $id:/usr/local/lib/selur.wasm . && podman rm $id
+#
+# Build: podman build -f Containerfile -t selur:latest .
+
+# ── Stage 1: Build selur.wasm with Zig ────────────────────────────
+FROM cgr.dev/chainguard/wolfi-base:latest AS zig-builder
+
+RUN apk add --no-cache zig
+
+WORKDIR /build
+
+# Only the Zig sources are needed for the WASM artefact — the Rust host
+# library (src/lib.rs, Cargo.toml) is for downstream embedders, not for
+# producing the wasm. Idris2 (idris/) is for proof verification only.
+COPY zig/ ./zig/
+
+RUN cd zig && zig build wasm
+
+# ── Stage 2: Runtime — artefact distribution ──────────────────────
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+LABEL org.opencontainers.image.title="selur" \
+ org.opencontainers.image.description="Ephapax-linear WASM sealant — zero-copy IPC bridge between Svalinn and Vörðr (WASM artefact)" \
+ org.opencontainers.image.source="https://github.com/hyperpolymath/selur" \
+ org.opencontainers.image.licenses="PMPL-1.0-or-later" \
+ net.hyperpolymath.selur.artifact-path="/usr/local/lib/selur.wasm"
+
+COPY --from=zig-builder /build/zig/zig-out/bin/selur.wasm /usr/local/lib/selur.wasm
+
+ENTRYPOINT ["cat", "/usr/local/lib/selur.wasm"]
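Review bot: Both `FROM cgr.dev/chainguard/wolfi-base:latest` lines and the unversioned `apk add --no-cache zig` float, so the selur.wasm that consumers extract from this image is built by whatever base image and Zig release were current at build time, and two builds of the same commit can ship different artefacts. For an artefact-distribution image I would pin both stages by digest, e.g. `FROM cgr.dev/chainguard/wolfi-base@sha256:<digest-placeholder> AS zig-builder`, and pin the compiler as `zig=<version-placeholder>`. The runtime stage also sets no `USER`, so `cat` runs as the base image's default user (presumably root for wolfi-base, to be confirmed); a numeric non-root user such as `USER 65532:65532` before `ENTRYPOINT` keeps the default invocation unprivileged, and the copied file should still be readable because `COPY` leaves it world-readable by default. As a style point, `RUN cd zig && zig build wasm` reads better as `WORKDIR /build/zig` followed by `RUN zig build wasm`, with the `COPY --from` path unchanged.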
diff --git a/container-stack/svalinn/Containerfile b/container-stack/svalinn/Containerfile index 729d129..2855302 100644 --- a/container-stack/svalinn/Containerfile +++ b/container-stack/svalinn/Containerfile @@ -26,8 +26,10 @@ COPY src/ ./src/ COPY spec/ ./spec/ COPY config/ ./config/ -# Compile ReScript to JavaScript -RUN cd src && ./node_modules/.bin/rescript build +# Compile ReScript to JavaScript via Deno's task runner. `deno task` prepends +# node_modules/.bin/ to PATH (deno.json sets nodeModulesDir=auto), so the +# rescript CLI resolves correctly from the workspace-root node_modules. +RUN deno task res:build # --------------------------------------------------------------------------- # Stage 2: Runtime