cleanup and remote only

Dockerfile

@@ -0,0 +1,41 @@
+# syntax=docker/dockerfile:1.7
+FROM python:3.13-slim
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PIP_NO_CACHE_DIR=1 \
+    HOME=/data \
+    MEMPALACE_PALACE_PATH=/data/palace
+
+# libgomp1: required at runtime by onnxruntime (used by chromadb's default
+# embedding function — all-MiniLM-L6-v2 ONNX).
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates libgomp1 \
+ && rm -rf /var/lib/apt/lists/*
+
+# Unraid convention: appdata is owned by nobody:users (99:100). Run as that
+# UID/GID so files written to /data inherit the right ownership on the host.
+RUN groupadd -g 100 users \
+ && useradd  -u 99 -g 100 -m -d /data -s /usr/sbin/nologin mempalace
+
+WORKDIR /build
+COPY pyproject.toml README.md ./
+COPY mempalace ./mempalace
+RUN pip install --no-cache-dir . mcp-proxy \
+ && rm -rf /build
+
+WORKDIR /data
+RUN chown -R 99:100 /data
+USER 99:100
+
+# 8765 — MCP over SSE (mcp-proxy)
+# 8766 — HTTP ingest (in-process thread, started when MEMPALACE_INGEST_PORT set)
+EXPOSE 8765 8766
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
+  CMD python -c "import socket,sys;s=socket.socket();s.settimeout(2);sys.exit(0 if s.connect_ex(('127.0.0.1',8765))==0 else 1)"
+
+# mcp-proxy wraps the stdio MCP server and exposes it as SSE on :8765.
+# --pass-environment forwards MEMPALACE_* vars to the spawned child.
+CMD ["mcp-proxy","--sse-host","0.0.0.0","--sse-port","8765","--pass-environment","--","mempalace-mcp"]