flowmesh-cli-stack 0.1.0__py3-none-any.whl

flowmesh_cli_stack/__init__.py

@@ -0,0 +1,13 @@
+"""Stack management package for FlowMesh CLI."""
+
+import typer
+
+from .bundle import app as bundle_app
+from .stack import app as stack_app
+from .worker import app as worker_app
+
+
+def register(root: typer.Typer) -> None:
+    root.add_typer(stack_app, name="stack")
+    stack_app.add_typer(worker_app, name="worker")
+    stack_app.add_typer(bundle_app, name="bundle")

flowmesh_cli_stack/assets/.env.example

@@ -0,0 +1,204 @@
+# FlowMesh Stack Configuration
+# Copy to .env and adjust as needed
+
+# ==== Image Source ====
+FLOWMESH_REGISTRY=ghcr.io/mlsys-io
+FLOWMESH_VERSION=dev
+# Optional registry cache lineage for stack push.
+# Leave empty to use the default stable cache scope.
+FLOWMESH_CACHE_VERSION=
+FLOWMESH_BUILD_REF=local
+
+# ==== Node Identity ====
+# Optional suffix appended to stack-managed Docker object names.
+# Use a distinct suffix per local stack on shared hosts.
+# This isolates container, network, and volume names,
+# but each stack still needs unique ports.
+FLOWMESH_STACK_SUFFIX=
+NODE_ROLE=root
+NODE_NAMESPACE=flowmesh
+NODE_CLUSTER=dev
+NODE_ALIAS=node
+NODE_TAGS=
+ENABLE_SUPERVISOR=true
+SERVER_HOST=localhost
+SERVER_HTTP_PORT=8000
+SERVER_GRPC_PORT=50051
+SERVER_LOG_LEVEL=INFO
+
+# ==== Server gRPC TLS ====
+# Leave empty to disable
+SERVER_TLS_DIR=./secrets/tls/server
+SERVER_GRPC_TLS_CA_FILE=/etc/ssl/server/server-ca.pem
+SERVER_GRPC_TLS_CERT_FILE=/etc/ssl/server/server.pem
+SERVER_GRPC_TLS_KEY_FILE=/etc/ssl/server/server.key
+
+# ==== Supervisor gRPC ====
+# Tuning for the supervisor's gRPC server and worker connections.
+# Leave SUPERVISOR_GRPC_EXTERNAL_PORT empty unless workers connect
+# through a port-forwarded / proxied address.
+SUPERVISOR_GRPC_DISABLE_SERVER_TLS=false
+SUPERVISOR_GRPC_EXTERNAL_PORT=
+SUPERVISOR_GRPC_KEEPALIVE_PERMIT_WITHOUT_CALLS=true
+SUPERVISOR_GRPC_MIN_RECV_PING_INTERVAL_MS=60000
+SUPERVISOR_GRPC_KEEPALIVE_TIME_MS=300000
+SUPERVISOR_GRPC_KEEPALIVE_TIMEOUT_MS=10000
+
+# ==== Redis Connectivity ====
+REDIS_CONTROL_URL=redis://localhost:6379/0
+REDIS_TELEMETRY_URL=redis://localhost:6380/0
+
+# ==== Core Ports ====
+REDIS_CONTROL_PORT=6379
+REDIS_TELEMETRY_PORT=6380
+
+# ==== Log Streams (Redis) ====
+# Caps Redis Streams for per-task and per-workflow logs.
+LOG_STREAM_MAXLEN_TASK=50000
+LOG_STREAM_MAXLEN_WORKFLOW=200000
+# Expire log stream keys after close (0 disables).
+LOG_STREAM_TTL_SEC=3600
+# Flush archived task logs at most every N seconds.
+TASK_LOG_ARCHIVE_FLUSH_INTERVAL_SEC=5
+# Flush archived task logs after buffering N entries.
+TASK_LOG_ARCHIVE_FLUSH_MAX_ENTRIES=100
+
+# ==== Redis Access ====
+REDIS_ACL_ENABLED=1
+REDIS_USERNAME=admin
+REDIS_PASSWORD=very-strong-password
+
+# ==== Redis TLS ====
+# Leave empty to disable
+REDIS_TLS_DIR=./secrets/tls/redis
+REDIS_TLS_CA_FILE=/etc/ssl/redis/redis-ca.pem
+REDIS_TLS_CERT_FILE=/etc/ssl/redis/redis-server.pem
+REDIS_TLS_KEY_FILE=/etc/ssl/redis/redis-server.key
+
+# ==== SSH Task Support ====
+ENABLE_SERVER_SSH_PROXY=true
+ENABLE_SERVER_SSH_FORWARD=true
+ENABLE_SERVER_SSH_CONNECTION_AUDIT=true
+SERVER_SSH_FORWARD_BIND_HOST=0.0.0.0
+SERVER_SSH_FORWARD_PUBLIC_HOST=localhost
+SERVER_SSH_FORWARD_PORT_START=32000
+SERVER_SSH_FORWARD_PORT_END=32100
+
+# ==== SSH Worker Defaults ====
+ENABLE_SSH_BY_DEFAULT=true
+SSH_DEFAULT_IMAGE=
+SSH_DEFAULT_USER=
+SSH_DEFAULT_TTL_SEC=
+SSH_DEFAULT_IDLE_SEC=
+SSH_MAX_TTL_SEC=
+SSH_POLL_INTERVAL_SEC=
+SSH_STOP_TIMEOUT_SEC=
+
+# ==== General Settings ====
+TZ=Asia/Singapore
+LOG_LEVEL=INFO
+
+# ==== Orchestrator Settings ====
+ORCHESTRATOR_DISPATCH_MODE=adaptive
+ORCHESTRATOR_WORKER_SELECTION=best_fit
+SCHEDULER_SELECTION_JITTER=0.001
+SCHEDULER_LAMBDA_INFERENCE=0.4
+SCHEDULER_LAMBDA_TRAINING=0.8
+SCHEDULER_LAMBDA_OTHER=0.5
+ENABLE_TASK_MERGE=true
+TASK_MERGE_MAX_BATCH_SIZE=4
+ENABLE_CONTEXT_REUSE=true
+WORKER_CACHE_TTL_SEC=3600
+ENABLE_STAGE_WEIGHT_STICKINESS=false
+ENABLE_WORKER_WATCHDOG=true
+WORKER_DEATH_CHECK_INTERVAL=30
+WORKER_DEATH_GRACE_SEC=60
+
+# ==== Server Heartbeat ====
+SERVER_HEARTBEAT_INTERVAL=30
+
+# ==== Vast.ai Configuration ====
+VAST_SEARCH_LIMIT=
+VAST_MAX_RETRIES=
+
+# ==== Worker Parameters ====
+WORKER_LOG_LEVEL=INFO
+HEARTBEAT_INTERVAL_SEC=30
+WORKER_COST_PER_HOUR=1.0
+# Directory/Docker volume for the server to look up task results after worker completion.
+# Set to the same value as WORKER_RESULTS_DIR so the server can access worker results.
+# For workflows with a local output destination (`spec.output.destination.type="local"`),
+# `SERVER_RESULTS_DIR` and `WORKER_RESULTS_DIR` must point to the same shared directory
+# or volume; otherwise, the server cannot read the worker's outputs and downstream tasks
+# will stall in the dispatching loop.
+# Defaults to the stack-scoped results volume when empty.
+SERVER_RESULTS_DIR=
+# Defaults to the stack-scoped results volume when empty.
+WORKER_RESULTS_DIR=
+HF_CACHE_DIR=
+WORKER_NETWORK_BANDWIDTH_BYTES_PER_SEC=
+WORKER_TAGS=
+WORKER_HB_DIR=
+FLOWMESH_BASE_URL=http://localhost:8000
+# Supplier API key for worker authentication with the server
+FLOWMESH_API_KEY=
+NEBULA_API_BASE_URL=
+# Server-side CUDA image used to probe local GPUs.
+SERVER_CUDA_PROBE_IMAGE=nvidia/cuda:12.9.1-base-ubuntu24.04
+# Optional Docker runtime name for GPU containers.
+DOCKER_GPU_RUNTIME=nvidia
+CUDA_VISIBLE_DEVICES=all
+WORKER_UPLOAD_RESULTS=false
+MODEL_CLEANUP_AFTER_UPLOAD=0
+
+# ==== Model Pre-downloading ====
+# Comma-separated list of models to pre-download during worker startup
+# Leave empty to disable model pre-downloading
+# Example: meta-llama/Llama-3.2-1B-Instruct,meta-llama/Llama-3.2-3B-Instruct
+PREDOWNLOAD_MODEL_LIST=
+
+# ==== API Keys injected into workers (optional) ====
+OPENAI_API_KEY=
+GOOGLE_API_KEY=
+VAST_API_KEY=
+HF_TOKEN=
+NEBULA_API_TOKEN=
+
+# ==== External Plugins ====
+# Plugins are Python packages dropped under FLOWMESH_PLUGIN_DIR 
+# (host-mounted to /app/plugins on the server) and selected by 
+# FLOWMESH_PLUGINS as a comma-separated list of top-level module 
+# names. Each named module must expose `install()` returning a 
+# `HookBindings`. Leave both empty unless you ship a plugin.
+FLOWMESH_PLUGIN_DIR=./plugins
+FLOWMESH_PLUGINS=
+
+# ==== Agent Executor (youtu-agent / utu) ====
+# All four UTU_LLM_* are required for the agent executor to run.
+# utu LLM provider kind, e.g. "chat.completions"
+UTU_LLM_TYPE=
+# utu model identifier, e.g. gpt-4o-mini
+UTU_LLM_MODEL=
+# utu LLM base URL
+UTU_LLM_BASE_URL=
+# utu LLM API key
+UTU_LLM_API_KEY=
+# Serper API key (optional, for agent search tools)
+SERPER_API_KEY=
+# Jina API key (optional, for agent search tools)
+JINA_API_KEY=
+# Database URL for agent tracing (optional)
+DB_URL=
+
+# ==== n8n Integration ====
+# AES-GCM key to decrypt encrypted n8n credentials.
+N8N_CREDENTIAL_AES_PASSWORD=
+
+# ==== Worker launch config (optional) ====
+SERVER_WORKER_CONFIG=./configs/worker_config.yaml
+
+# ==== Logging ====
+LOG_MAX_BYTES=5242880
+LOG_BACKUP_COUNT=5
+SERVER_APP_RELOAD=0
+SERVER_APP_LOG_LEVEL=info

flowmesh_cli_stack/assets/compose.yml

@@ -0,0 +1,201 @@
+services:
+  redis_control:
+    image: redis:7-alpine
+    profiles: [root]
+    container_name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_redis_control
+    environment:
+      REDIS_ACL_ENABLED: ${REDIS_ACL_ENABLED:-0}
+      REDIS_USERNAME: ${REDIS_USERNAME:-admin}
+      REDIS_PASSWORD: ${REDIS_PASSWORD:-}
+      REDIS_TLS_CA_FILE: ${REDIS_TLS_CA_FILE:-}
+      REDIS_TLS_CERT_FILE: ${REDIS_TLS_CERT_FILE:-}
+      REDIS_TLS_KEY_FILE: ${REDIS_TLS_KEY_FILE:-}
+    command:
+      - /bin/sh
+      - -c
+      - |
+        if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+          if [ -z "${REDIS_PASSWORD:-}" ]; then
+            echo "REDIS_PASSWORD required when REDIS_ACL_ENABLED=1" >&2
+            exit 1
+          fi
+          mkdir -p /etc/redis
+          printf "user default off\nuser %s on >%s ~* &* +@all\n" "$${REDIS_USERNAME:-admin}" "$${REDIS_PASSWORD}" > /etc/redis/users.acl
+        fi
+        if [ -n "${REDIS_TLS_CA_FILE:-}" ] || [ -n "${REDIS_TLS_CERT_FILE:-}" ] || [ -n "${REDIS_TLS_KEY_FILE:-}" ]; then
+          if [ -z "${REDIS_TLS_CA_FILE:-}" ] || [ -z "${REDIS_TLS_CERT_FILE:-}" ] || [ -z "${REDIS_TLS_KEY_FILE:-}" ]; then
+            echo "REDIS_TLS_CA_FILE, REDIS_TLS_CERT_FILE, REDIS_TLS_KEY_FILE are required to enable Redis TLS" >&2
+            exit 1
+          fi
+          TLS_ARGS="--tls-port 6379 --port 0 --tls-ca-cert-file ${REDIS_TLS_CA_FILE} --tls-cert-file ${REDIS_TLS_CERT_FILE} --tls-key-file ${REDIS_TLS_KEY_FILE} --tls-auth-clients no"
+        fi
+        if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+          exec redis-server $${TLS_ARGS:-} --aclfile /etc/redis/users.acl --save 60 1 --loglevel warning --client-output-buffer-limit pubsub 1gb 512mb 60
+        else
+          exec redis-server $${TLS_ARGS:-} --save 60 1 --loglevel warning --client-output-buffer-limit pubsub 1gb 512mb 60
+        fi
+    ports:
+      - "${REDIS_CONTROL_PORT:-6379}:6379"
+    volumes:
+      - redis_control_data:/data
+      - ${REDIS_TLS_DIR:-./secrets/tls/redis}:/etc/ssl/redis:ro
+    restart: unless-stopped
+    networks:
+      - flowmesh_node_network
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - |
+          TLS_ENABLED=0
+          if [ -n "${REDIS_TLS_CA_FILE:-}" ] && [ -n "${REDIS_TLS_CERT_FILE:-}" ] && [ -n "${REDIS_TLS_KEY_FILE:-}" ]; then
+            TLS_ENABLED=1
+          fi
+          if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+            if [ "$${TLS_ENABLED}" = "1" ]; then
+              redis-cli --tls --cacert "${REDIS_TLS_CA_FILE:-}" -u "rediss://${REDIS_USERNAME:-admin}:${REDIS_PASSWORD}@localhost:6379/0" ping
+            else
+              redis-cli -u "redis://${REDIS_USERNAME:-admin}:${REDIS_PASSWORD}@localhost:6379/0" ping
+            fi
+          else
+            if [ "$${TLS_ENABLED}" = "1" ]; then
+              redis-cli --tls --cacert "${REDIS_TLS_CA_FILE:-}" -p 6379 ping
+            else
+              redis-cli -p 6379 ping
+            fi
+          fi
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  redis_telemetry:
+    image: redis:7-alpine
+    profiles: [root]
+    container_name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_redis_telemetry
+    environment:
+      REDIS_ACL_ENABLED: ${REDIS_ACL_ENABLED:-0}
+      REDIS_USERNAME: ${REDIS_USERNAME:-admin}
+      REDIS_PASSWORD: ${REDIS_PASSWORD:-}
+      REDIS_TLS_CA_FILE: ${REDIS_TLS_CA_FILE:-}
+      REDIS_TLS_CERT_FILE: ${REDIS_TLS_CERT_FILE:-}
+      REDIS_TLS_KEY_FILE: ${REDIS_TLS_KEY_FILE:-}
+    command:
+      - /bin/sh
+      - -c
+      - |
+        if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+          if [ -z "${REDIS_PASSWORD:-}" ]; then
+            echo "REDIS_PASSWORD required when REDIS_ACL_ENABLED=1" >&2
+            exit 1
+          fi
+          mkdir -p /etc/redis
+          printf "user default off\nuser %s on >%s ~* &* +@all\n" "$${REDIS_USERNAME:-admin}" "$${REDIS_PASSWORD}" > /etc/redis/users.acl
+        fi
+        if [ -n "${REDIS_TLS_CA_FILE:-}" ] || [ -n "${REDIS_TLS_CERT_FILE:-}" ] || [ -n "${REDIS_TLS_KEY_FILE:-}" ]; then
+          if [ -z "${REDIS_TLS_CA_FILE:-}" ] || [ -z "${REDIS_TLS_CERT_FILE:-}" ] || [ -z "${REDIS_TLS_KEY_FILE:-}" ]; then
+            echo "REDIS_TLS_CA_FILE, REDIS_TLS_CERT_FILE, REDIS_TLS_KEY_FILE are required to enable Redis TLS" >&2
+            exit 1
+          fi
+          TLS_ARGS="--tls-port 6379 --port 0 --tls-ca-cert-file ${REDIS_TLS_CA_FILE} --tls-cert-file ${REDIS_TLS_CERT_FILE} --tls-key-file ${REDIS_TLS_KEY_FILE} --tls-auth-clients no"
+        fi
+        if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+          exec redis-server $${TLS_ARGS:-} --aclfile /etc/redis/users.acl --save 300 1 --loglevel warning
+        else
+          exec redis-server $${TLS_ARGS:-} --save 300 1 --loglevel warning
+        fi
+    ports:
+      - "${REDIS_TELEMETRY_PORT:-6380}:6379"
+    volumes:
+      - redis_telemetry_data:/data
+      - ${REDIS_TLS_DIR:-./secrets/tls/redis}:/etc/ssl/redis:ro
+    restart: unless-stopped
+    networks:
+      - flowmesh_node_network
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - |
+          TLS_ENABLED=0
+          if [ -n "${REDIS_TLS_CA_FILE:-}" ] && [ -n "${REDIS_TLS_CERT_FILE:-}" ] && [ -n "${REDIS_TLS_KEY_FILE:-}" ]; then
+            TLS_ENABLED=1
+          fi
+          if [ "${REDIS_ACL_ENABLED:-0}" = "1" ]; then
+            if [ "$${TLS_ENABLED}" = "1" ]; then
+              redis-cli --tls --cacert "${REDIS_TLS_CA_FILE:-}" -u "rediss://${REDIS_USERNAME:-admin}:${REDIS_PASSWORD}@localhost:6379/0" ping
+            else
+              redis-cli -u "redis://${REDIS_USERNAME:-admin}:${REDIS_PASSWORD}@localhost:6379/0" ping
+            fi
+          else
+            if [ "$${TLS_ENABLED}" = "1" ]; then
+              redis-cli --tls --cacert "${REDIS_TLS_CA_FILE:-}" -p 6379 ping
+            else
+              redis-cli -p 6379 ping
+            fi
+          fi
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  server:
+    image: ${FLOWMESH_REGISTRY:-ghcr.io/mlsys-io}/flowmesh_server:${FLOWMESH_VERSION:-dev}
+    container_name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_server
+    depends_on:
+      redis_control:
+        condition: service_healthy
+        required: false
+      redis_telemetry:
+        condition: service_healthy
+        required: false
+    env_file:
+      - ${STACK_ENV_FILE:-./.env}
+    environment:
+      REDIS_CONTROL_URL: ${REDIS_CONTROL_URL:-redis://localhost:${REDIS_CONTROL_PORT:-6379}/0}
+      REDIS_TELEMETRY_URL: ${REDIS_TELEMETRY_URL:-redis://localhost:${REDIS_TELEMETRY_PORT:-6380}/0}
+      SERVER_METRICS_DIR: "/mnt/flowmesh-metrics"
+      LOG_FILE: "/var/log/flowmesh-server/server.log"
+      WORKER_CONFIG_PATH: /etc/flowmesh/worker_config.yaml
+      RESULTS_DIR: "/mnt/flowmesh-results"
+      WORKER_RESULTS_DIR: ${WORKER_RESULTS_DIR:-${FLOWMESH_STACK_SLUG:-flowmesh_node}_results}
+      SERVER_APP_PORT: ${SERVER_HTTP_PORT:-8000}
+      FLOWMESH_BASE_URL: ${FLOWMESH_BASE_URL:-http://localhost:${SERVER_HTTP_PORT:-8000}}
+    volumes:
+      # Bare `flowmesh_results` is the compose volume key below; it resolves to
+      # the slug-scoped Docker volume name when SERVER_RESULTS_DIR is empty.
+      - ${SERVER_RESULTS_DIR:-flowmesh_results}:/mnt/flowmesh-results
+      - flowmesh_metrics:/mnt/flowmesh-metrics
+      - flowmesh_server_logs:/var/log/flowmesh-server
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${SERVER_WORKER_CONFIG:-./configs/worker_config.yaml}:/etc/flowmesh/worker_config.yaml:ro
+      - ${FLOWMESH_PLUGIN_DIR:-./plugins}:/app/plugins:ro
+      - ${REDIS_TLS_DIR:-./secrets/tls/redis}:/etc/ssl/redis:ro
+      - ${SERVER_TLS_DIR:-./secrets/tls/server}:/etc/ssl/server:ro
+    restart: unless-stopped
+    network_mode: host
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "curl",
+          "-sf",
+          "http://localhost:${SERVER_HTTP_PORT:-8000}/healthz",
+        ]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+networks:
+  flowmesh_node_network:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_network
+    driver: bridge
+
+volumes:
+  redis_control_data:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_redis_control_data
+  redis_telemetry_data:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_redis_telemetry_data
+  flowmesh_results:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_results
+  flowmesh_metrics:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_metrics
+  flowmesh_server_logs:
+    name: ${FLOWMESH_STACK_SLUG:-flowmesh_node}_server_logs

flowmesh_cli_stack/assets/docker-bake.hcl

@@ -0,0 +1,110 @@
+variable "REGISTRY" {
+  default = "ghcr.io/mlsys-io"
+}
+
+variable "VERSION" {
+  default = "dev"
+}
+
+variable "BUILD_REF" {
+  default = "local"
+}
+
+variable "BUILD_CREATED" {
+  default = "unknown"
+}
+
+group "server" {
+  targets = ["flowmesh_server"]
+}
+
+group "workers" {
+  targets = [
+    "flowmesh_worker_cpu",
+    "flowmesh_worker_gpu",
+    "flowmesh_ssh_cpu",
+    "flowmesh_ssh_gpu",
+  ]
+}
+
+group "builders" {
+  targets = [
+    "flowmesh_worker_gpu_builder",
+  ]
+}
+
+group "default" {
+  targets = concat(
+    group.server.targets,
+    group.workers.targets,
+  )
+}
+
+target "flowmesh_server" {
+  context    = "."
+  dockerfile = "src/server/Dockerfile"
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_server:${VERSION}"]
+}
+
+target "flowmesh_worker_cpu" {
+  context    = "."
+  dockerfile = "src/worker/docker/Dockerfile.cpu"
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_worker:${VERSION}-cpu"]
+}
+
+target "flowmesh_worker_gpu_builder" {
+  context    = "."
+  dockerfile = "src/worker/docker/Dockerfile.cuda.builder"
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_worker_builder:${VERSION}-gpu"]
+}
+
+target "flowmesh_worker_gpu" {
+  context    = "."
+  dockerfile = "src/worker/docker/Dockerfile.cuda"
+  contexts = {
+    builder = "target:flowmesh_worker_gpu_builder"
+  }
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_worker:${VERSION}-gpu"]
+}
+
+target "flowmesh_ssh_cpu" {
+  context    = "."
+  dockerfile = "src/worker/docker/Dockerfile.ssh.cpu"
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_ssh:${VERSION}-cpu"]
+}
+
+target "flowmesh_ssh_gpu" {
+  context    = "."
+  dockerfile = "src/worker/docker/Dockerfile.ssh.gpu"
+  args = {
+    BUILD_VERSION = "${VERSION}"
+    BUILD_REF     = "${BUILD_REF}"
+    BUILD_CREATED = "${BUILD_CREATED}"
+  }
+  tags = ["${REGISTRY}/flowmesh_ssh:${VERSION}-gpu"]
+}