fortranspire 0.1.2__tar.gz

fortranspire-0.1.2/.claude/settings.local.json

@@ -0,0 +1,62 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git add *)",
+      "Bash(git commit -m ' *)",
+      "Bash(git push *)",
+      "WebSearch",
+      "WebFetch(domain:mistral.ai)",
+      "WebFetch(domain:www.scaleway.com)",
+      "Bash(uv sync *)",
+      "Bash(curl -sL https://pypi.org/pypi/loki-frontend/json)",
+      "Bash(curl -sL https://pypi.org/pypi/loki/json)",
+      "Bash(curl -sL https://api.github.com/repos/ecmwf-ifs/loki/releases/latest)",
+      "Bash(python3 -c \"import sys, json; d=json.load\\(sys.stdin\\); print\\('tag:', d.get\\('tag_name'\\), 'name:', d.get\\('name'\\)\\)\")",
+      "Bash(curl -sL https://api.github.com/repos/ecmwf-ifs/loki/tags)",
+      "Bash(python3 -c \"import sys, json; tags=json.load\\(sys.stdin\\); print\\([t['name'] for t in tags[:10]]\\)\")",
+      "Bash(git ls-remote *)",
+      "Bash(uv run *)",
+      "Bash(.venv/bin/python *)",
+      "Bash(pip show *)",
+      "Bash(git rm *)",
+      "Bash(git checkout *)",
+      "Bash(git remote *)",
+      "Bash(gh pr create --title 'rename to fortranspire + JOSS scaffolding + agent-analyze / agent-doc / agent-format' --base main --head feature/fortranspire-rename-and-joss --body ' *)",
+      "Bash(git pull *)",
+      "Bash(awk 'NR==489,NR==733' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==736,NR==807' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==810,NR==967' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==970,NR==1090' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==1095,NR==1196' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==1200,NR==1395' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR==1396,NR==1424' fortranspire/agent/translation_graph_phase1.py)",
+      "Bash(awk 'NR>=1085 && NR<=1095' fortranspire/agent/translation_graph_phase1.py.bak)",
+      "Bash(awk 'NR>=1085 && NR<=1095')",
+      "Bash(gh pr create --title '[#2] split monolithic LangGraph file into per-node modules' --base main --head refactor/issue-2-split-graph-nodes --body ' *)",
+      "Bash(gh pr create --title '[#3] externalize LLM prompts \\(versioning + i18n\\)' --base main --head refactor/issue-3-externalize-prompts --body ' *)",
+      "Bash(gh pr create --title '[#4] Pydantic schemas + documenter structured output' --base main --head refactor/issue-4-structured-outputs --body ' *)",
+      "Bash(gh pr *)",
+      "Bash(git fetch *)",
+      "Bash(git rebase *)",
+      "WebFetch(domain:meteofrance.com)",
+      "WebFetch(domain:www.bayfor.org)",
+      "WebFetch(domain:www.eurohpc-ju.europa.eu)",
+      "WebFetch(domain:topictree.ideal-ist.eu)",
+      "WebFetch(domain:www.marches-publics.gouv.fr)",
+      "WebFetch(domain:www.ecmwf.int)",
+      "WebFetch(domain:www.marchesonline.com)",
+      "WebFetch(domain:hpc-portal.eu)",
+      "Bash(uv build *)",
+      "Bash(git tag -a v0.1.0 -m ' *)",
+      "Bash(git tag *)",
+      "Bash(gh release *)",
+      "Bash(gh api *)",
+      "Bash(curl -sI https://github.com/maurinl26/loki)",
+      "Bash(curl -sI https://pypi.org/project/loki/)",
+      "Bash(curl -sI https://pypi.org/project/loki-fortranspire/)",
+      "Bash(curl -sI https://pypi.org/project/ecmwf-loki/)",
+      "Bash(curl -sI https://pypi.org/project/loki-ifs/)",
+      "Bash(curl -s -o /dev/null -w '%{http_code}' https://pypi.org/pypi/__TRACKED_VAR__/json)"
+    ]
+  }
+}

fortranspire-0.1.2/.env.example

@@ -0,0 +1,43 @@
+# Copier ce fichier en .env et adapter les valeurs
+
+# ----------------------------------------------------
+# Endpoint Mistral (OpenAI-compatible)
+# ----------------------------------------------------
+# Par défaut : La Plateforme Mistral (hébergement souverain en Europe).
+# Alternatives : vLLM / TGI / Ollama auto-hébergés on-prem ou cloud privé.
+MISTRAL_ENDPOINT="https://api.mistral.ai/v1"
+MISTRAL_API_KEY="votre_clef_mistral_ici_xxxxxx"
+
+# ── Modèle par étape du pipeline ────────────────────────────────────────────
+# Le pipeline a deux types d'appels LLM :
+#   - reasoning (extractor, openacc)  → besoin d'un gros modèle de raisonnement
+#   - code      (cython_wrapper)      → Codestral suffit, moins cher, plus rapide
+#
+# Si une variable spécifique est définie, elle prime. Sinon, fallback sur
+# MISTRAL_MODEL (legacy, un seul modèle pour tout), puis sur les défauts.
+MISTRAL_MODEL_REASONING="mistral-large-latest"
+MISTRAL_MODEL_CODE="codestral-latest"
+
+# Legacy : un seul modèle pour les deux étapes. Décommenter pour forcer.
+# MISTRAL_MODEL="mistral-large-latest"
+
+# Note : aucune variable AZURE_* n'est lue. L'agent appelle l'endpoint
+# OpenAI-compatible défini ci-dessus directement, sans intermédiaire.
+
+
+# Paramètres de génération
+LLM_TEMPERATURE=0.0
+LLM_TOP_P=0.9
+LLM_NUM_PREDICT=2048
+
+# Agent
+AGENT_MAX_ITERATIONS=15
+AGENT_MEMORY_WINDOW=10
+
+# Authentification (Optionnelle)
+# Laissez vide pour un accès public.
+# Renseignez une valeur pour forcer le header 'Authorization: Bearer <API_KEY>'
+# API_KEY=ma_clef_secrete_123
+
+# Répertoire de travail (laisser vide = racine du projet)
+# AGENT_WORKSPACE=/path/to/your/project

fortranspire-0.1.2/.github/workflows/analyze.yml

@@ -0,0 +1,113 @@
+name: Fortran static analysis
+
+# Runs the deterministic Loki-based parser on every PR and push.
+# No LLM is called, no token is consumed — safe on forks.
+# Findings are uploaded as SARIF and surface as inline PR annotations
+# via GitHub Code Scanning.
+
+on:
+  pull_request:
+    paths:
+      - '**/*.f90'
+      - '**/*.F90'
+      - 'local_code_agent/**'
+      - '.github/workflows/analyze.yml'
+  push:
+    branches: [main]
+    paths:
+      - '**/*.f90'
+      - '**/*.F90'
+      - 'local_code_agent/**'
+      - '.github/workflows/analyze.yml'
+  workflow_dispatch:
+    inputs:
+      target_path:
+        description: 'Path to analyze (file or directory)'
+        required: false
+        default: '.'
+
+permissions:
+  contents: read
+  security-events: write   # required to upload SARIF
+  pull-requests: read
+
+jobs:
+  analyze:
+    name: agent-analyze (Loki, no LLM)
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2   # need HEAD~1 to diff changed files on PR
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          enable-cache: true
+
+      - name: Set up Python 3.12
+        run: uv python install 3.12
+
+      - name: Install project (no LLM extras needed)
+        run: uv sync --no-dev
+
+      - name: Pick paths to analyze
+        id: paths
+        run: |
+          set -euo pipefail
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "targets=${{ github.event.inputs.target_path }}" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            git fetch --no-tags --depth=1 origin "${{ github.base_ref }}"
+            changed=$(git diff --name-only --diff-filter=ACMR \
+              "origin/${{ github.base_ref }}...HEAD" \
+              | grep -E '\.(f90|F90)$' || true)
+          else
+            changed=$(git diff --name-only --diff-filter=ACMR HEAD~1 HEAD \
+              | grep -E '\.(f90|F90)$' || true)
+          fi
+          if [ -z "$changed" ]; then
+            echo "No Fortran files changed — analyzer will scan the whole repo."
+            echo "targets=." >> "$GITHUB_OUTPUT"
+          else
+            echo "Changed Fortran files:"
+            echo "$changed"
+            echo "targets<<EOF" >> "$GITHUB_OUTPUT"
+            echo "$changed" >> "$GITHUB_OUTPUT"
+            echo "EOF" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run analyzer (text — console)
+        continue-on-error: true
+        run: |
+          # shellcheck disable=SC2086
+          uv run agent-analyze --no-color ${{ steps.paths.outputs.targets }}
+
+      - name: Run analyzer (SARIF — for Code Scanning)
+        run: |
+          # shellcheck disable=SC2086
+          uv run agent-analyze \
+            --format sarif \
+            --fail-on error \
+            --output fortranspire.sarif \
+            ${{ steps.paths.outputs.targets }}
+
+      - name: Upload SARIF to GitHub Code Scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: fortranspire.sarif
+          category: fortranspire
+
+      - name: Upload SARIF as build artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: fortranspire-sarif
+          path: fortranspire.sarif
+          if-no-files-found: warn

fortranspire-0.1.2/.github/workflows/deploy-azure.yml

@@ -0,0 +1,78 @@
+name: 'Azure Infrastructure Control'
+
+on:
+  # Permet le lancement manuel depuis l'onglet "Actions" de GitHub
+  workflow_dispatch:
+    inputs:
+      action:
+        description: 'Action à effectuer (apply / destroy)'
+        required: true
+        default: 'apply'
+        type: choice
+        options:
+        - apply
+        - destroy
+
+permissions:
+  contents: read
+
+jobs:
+  terraform:
+    name: 'Terraform ${{ github.event.inputs.action }}'
+    runs-on: ubuntu-latest
+    env:
+      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      TF_VAR_ssh_public_key: ${{ secrets.DEPLOY_SSH_PUBKEY }}
+
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+
+    - name: Terraform Init
+      run: terraform init
+      working-directory: infrastructure
+
+    - name: Azure CLI Login
+      run: az login --service-principal -u $ARM_CLIENT_ID -p $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+
+    - name: Cleanup Stale Resources
+      if: github.event.inputs.action == 'apply'
+      run: |
+        # If RG exists in wrong region, delete it entirely — location is immutable so Terraform
+        # would try destroy+recreate anyway, but the orphaned NIC-ORCHESTRATOR blocks VNet deletion.
+        LOCATION=$(az group show --name rg-total-seismic-agent --query location -o tsv 2>/dev/null || echo "")
+        if [ -n "$LOCATION" ] && [ "$LOCATION" != "eastus" ]; then
+          echo "RG is in '$LOCATION', deleting so Terraform can recreate in eastus..."
+          az group delete --name rg-total-seismic-agent --yes
+        fi
+
+    - name: Import Pre-existing Resources
+      if: github.event.inputs.action == 'apply'
+      working-directory: infrastructure
+      run: |
+        SUB="/subscriptions/${ARM_SUBSCRIPTION_ID}"
+        RG="rg-total-seismic-agent"
+        terraform import azurerm_resource_group.rg \
+          "${SUB}/resourceGroups/${RG}" 2>/dev/null || true
+        terraform import azurerm_virtual_network.vnet \
+          "${SUB}/resourceGroups/${RG}/providers/Microsoft.Network/virtualNetworks/vnet-seismic" 2>/dev/null || true
+        terraform import azurerm_subnet.subnet_compute \
+          "${SUB}/resourceGroups/${RG}/providers/Microsoft.Network/virtualNetworks/vnet-seismic/subnets/snet-compute" 2>/dev/null || true
+        terraform import azurerm_network_interface.nic_gpu \
+          "${SUB}/resourceGroups/${RG}/providers/Microsoft.Network/networkInterfaces/nic-gpu" 2>/dev/null || true
+        terraform import azurerm_ai_services.ai_studio \
+          "${SUB}/resourceGroups/${RG}/providers/Microsoft.CognitiveServices/accounts/ai-hub-seismic" 2>/dev/null || true
+
+    - name: Terraform Plan
+      run: terraform plan -input=false ${{ github.event.inputs.action == 'destroy' && '-destroy' || '' }}
+      working-directory: infrastructure
+
+    - name: Terraform Action
+      run: terraform ${{ github.event.inputs.action }} -auto-approve -input=false
+      working-directory: infrastructure

fortranspire-0.1.2/.github/workflows/draft-paper.yml

@@ -0,0 +1,35 @@
+name: JOSS paper draft
+
+on:
+  push:
+    paths:
+      - paper.md
+      - paper.bib
+      - .github/workflows/draft-paper.yml
+  pull_request:
+    paths:
+      - paper.md
+      - paper.bib
+      - .github/workflows/draft-paper.yml
+  workflow_dispatch:
+
+jobs:
+  paper:
+    runs-on: ubuntu-latest
+    name: Render paper.md via Open Journals Docker action
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build draft PDF
+        uses: openjournals/openjournals-draft-action@master
+        with:
+          journal: joss
+          paper-path: paper.md
+
+      - name: Upload rendered PDF as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: paper
+          path: paper.pdf
+          if-no-files-found: error

fortranspire-0.1.2/.github/workflows/jax-translation.yml

@@ -0,0 +1,54 @@
+name: Fortran to JAX Automated Translation
+
+on:
+  pull_request:
+    paths:
+      - '**/*.f90'
+      - '**/*.F90'
+      - '**/*.f'
+  workflow_dispatch:
+
+jobs:
+  translation-and-profiling:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/${{ github.repository_owner }}/jax-translation-agent:latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Bencher
+        uses: bencherdev/bencher@main
+
+      - name: Run Multi-Agent Translator and Bencher
+        env:
+          BENCHER_PROJECT: seismic-cpml
+          BENCHER_TESTBED: ubuntu-latest
+          BENCHER_ADAPTER: json
+        run: |
+          # Finds all specifically added/modified .f90 files in this PR
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }} HEAD | grep -E '\.f90$|\.F90$')
+          
+          for file in $CHANGED_FILES; do
+             echo "Processing $file..."
+             
+             # Exécution du pipeine englobé par Bencher
+             bencher run \
+               --project "seismic-cpml" \
+               --token "${{ secrets.BENCHER_API_TOKEN }}" \
+               --branch "${{ github.ref_name }}" \
+               --adapter json \
+               --file bencher_report.json \
+               --err \
+               "python -m local_code_agent.agent.cli translate \"$file\" && python -m local_code_agent.agent.cli profile \"$file\""
+          done
+
+      - name: Commit and Push Translated JAX Code
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add "**/*_jax.py"
+          git commit -m "chore: Auto-translated Fortran to JAX :robot:" || echo "No changes to commit"
+          git push

fortranspire-0.1.2/.gitignore

@@ -0,0 +1,27 @@
+.env
+.DS_Store
+**/*.node
+.venv/
+
+# Node/Web
+node_modules/
+.next/
+dist/
+build/
+
+# Python cache
+__pycache__/
+*.pyc
+
+# HPC / Big data
+*.sif
+*.tar.gz
+*.h5
+*.nc
+*.o
+*.mod
+*.so
+
+# 
+output/
+loki/

fortranspire-0.1.2/.readthedocs.yaml

@@ -0,0 +1,24 @@
+# Read the Docs configuration — see https://docs.readthedocs.io/en/stable/config-file/v2.html
+version: 2
+
+build:
+  os: ubuntu-24.04
+  tools:
+    python: "3.12"
+  jobs:
+    post_create_environment:
+      - pip install --upgrade pip
+
+python:
+  install:
+    - requirements: docs/requirements.txt
+    - method: pip
+      path: .
+
+sphinx:
+  configuration: docs/conf.py
+  fail_on_warning: false
+
+formats:
+  - pdf
+  - epub

fortranspire-0.1.2/.zenodo.json

@@ -0,0 +1,49 @@
+{
+  "title": "fortranspire: LLM + MCP pipeline porting legacy Fortran HPC kernels to OpenACC GPU and differentiable JAX",
+  "description": "<p><strong>fortranspire</strong> is an open-source Model Context Protocol (MCP) server and CLI that incrementally transforms legacy Fortran 90 scientific code into GPU-accelerated (OpenACC), Python-callable (Cython / scikit-build), and optionally differentiable (JAX) form. It combines deterministic Loki AST analysis with targeted LLM calls against any OpenAI-compatible endpoint (Mistral, vLLM, TGI, Ollama).</p>",
+  "license": "Apache-2.0",
+  "upload_type": "software",
+  "access_right": "open",
+  "creators": [
+    {
+      "name": "Maurin, Loïc",
+      "affiliation": "External Lecturer, École Nationale de la Météorologie, Toulouse, France",
+      "orcid": "0009-0004-8117-4850"
+    }
+  ],
+  "keywords": [
+    "Fortran",
+    "HPC",
+    "GPU",
+    "OpenACC",
+    "JAX",
+    "Cython",
+    "scikit-build",
+    "Loki",
+    "ECMWF",
+    "Model Context Protocol",
+    "MCP",
+    "large language models",
+    "Mistral",
+    "scientific computing",
+    "seismic imaging",
+    "numerical weather prediction",
+    "neural surrogates",
+    "code generation",
+    "agent",
+    "sovereign AI"
+  ],
+  "communities": [
+    {
+      "identifier": "joss"
+    }
+  ],
+  "related_identifiers": [
+    {
+      "identifier": "https://github.com/maurinl26/fortranspire",
+      "relation": "isSupplementTo",
+      "scheme": "url"
+    }
+  ],
+  "language": "eng"
+}

fortranspire-0.1.2/AZURE_DEPLOYMENT.md

@@ -0,0 +1,56 @@
+# Guide de Déploiement : Azure pour TotalEnergies
+
+Ce document détaille l'architecture et les prérequis pour déployer l'Agent LangGraph de traduction Fortran ➔ JAX dans un environnement sécurisé Microsoft Azure (orienté Enterprise).
+
+## 1. Architecture Cible
+
+Pour ce cas d'usage traitant de physiques lourdes (EDP, C-PML) et d'intelligence artificielle générative, l'architecture se divise en trois composants :
+
+1. **Serveur Orchestrateur (Compute)** : Exécute le code LangGraph (`translation_graph.py`), parse les arbres de syntaxe avec `loki-ifs` et héberge l'interface FastMCP.
+   - *Instance recommandée :* `Standard_D8s_v5` (Machine optimisée calcul à usage général).
+2. **Nœud d'inférence Physique / JAX (GPU)** : Exécute la simulation JAX compilée (JIT) et entraîne le surrogate model de type Fourier Neural Operator (FNO).
+   - *Instance recommandée :* `Standard_NCads_A100_v4` (qui dispose d'un GPU Nvidia A100 80GB) pour supporter de grandes dimensions spatiales.
+3. **Le Cerveau IA (Le LLM Mistral)** : Assure la compréhension mathématique et la traduction.
+   - *Service par défaut :* **La Plateforme Mistral** (`api.mistral.ai`) — endpoint souverain opéré en Europe par Mistral AI, sans intermédiaire hyperscaler.
+   - *Alternative on-prem :* vLLM/TGI hébergé sur la VM GPU ci-dessus, exposant la même API OpenAI-compatible.
+
+---
+
+## 2. Accès à Mistral : endpoint souverain
+
+L'agent n'utilise pas Azure AI Studio pour le LLM. La connexion se fait **directement** vers un endpoint Mistral OpenAI-compatible :
+
+1. Créer une clef sur [console.mistral.ai](https://console.mistral.ai/) → *API Keys*.
+2. Renseigner `.env` :
+
+```env
+MISTRAL_ENDPOINT="https://api.mistral.ai/v1"
+MISTRAL_API_KEY="<clef_mistral>"
+MISTRAL_MODEL="mistral-large-latest"
+```
+
+Pour une souveraineté complète (données + poids du modèle hors cloud public), pointer `MISTRAL_ENDPOINT` vers un serveur vLLM/TGI auto-hébergé sur la VM GPU listée au §1. Voir la section "Connecter un endpoint Mistral" du `README.md` pour la commande `vllm serve`.
+
+> Les services restants documentés ici (orchestrateur D8s, inférence A100, ACR, CI/CD) concernent uniquement l'infrastructure de **compute** — le LLM, lui, ne dépend plus d'Azure.
+
+---
+
+## 3. Provisionnement et CI/CD (azure-pipelines.yml)
+
+### Différence fondamentale entre CI/CD et Provisionnement (Infrastructure as Code)
+**`azure-pipelines.yml`** ne sert PAS à instancier/louer la carte graphique ou le serveur en soi.
+- Son rôle est purement logiciel (CI/CD) : À chaque "Push" sur votre dépôt Git, `azure-pipelines.yml` va demander à Azure de lancer des tests unitaires, vérifier la syntaxe Python, compiler le code, et éventuellement créer une image Docker.
+
+**Pour *Provisionner* (allumer les machines `NC-A100` et `D8s`), on utilise de l'Infrastructure-as-Code (IaC) :**
+- L'idéal est de créer un fichier **Bicep** ou **Terraform** (`main.tf`).
+- Ce fichier déclare formellement "TotalEnergies désire X machines virtuelles et Y bases de données dans la région France-Central".
+- Il est possible d'automatiser le déploiement de cette infrastructure via `azure-pipelines.yml`, mais c'est bien le langage *Terraform* ou le portail *Azure Resource Manager (ARM)* qui loue le matériel.
+
+---
+
+## 4. Workflow de Déploiement Recommandé pour le PoC
+
+1. **Validation Locale** : Testez le script sur un ordinateur local/VSCode pour vous assurer de la syntaxe JAX (ce que nous avons fait).
+2. **Setup Azure AI** : Allez sur le portail Azure AI, déployez Mistral et récupérez les clés pour votre fichier `.env`.
+3. **Déploiement Docker** : Poussez votre code dans un Docker Registry Azure (`ACR - Azure Container Registry`).
+4. **Execution GPU** : Démarrez une instance `NC` (A100), connectez-vous y en SSH, tirez l'image Docker, et lancez la boucle FWI Surrogate.

fortranspire-0.1.2/Apptainer.analyze

@@ -0,0 +1,78 @@
+Bootstrap: docker
+From: python:3.12-slim
+
+# Lightweight Apptainer image for the analyze-only mode.
+# - No NVIDIA HPC SDK (CPU-only, no GPU drivers required on the host)
+# - No LLM dependencies pulled in (`uv sync --no-dev` skips dev extras)
+# - Pullable on any HPC login node (Pangea, GENCI, OVH, on-prem)
+#
+# Build:
+#   apptainer build coding-agent-analyze.sif Apptainer.analyze
+#
+# Use in a Slurm step:
+#   srun apptainer run coding-agent-analyze.sif \
+#     --format sarif --output report.sarif --fail-on error src/
+
+%files
+    pyproject.toml /opt/coding-agent/pyproject.toml
+    uv.lock         /opt/coding-agent/uv.lock
+    README.md       /opt/coding-agent/README.md
+    local_code_agent /opt/coding-agent/local_code_agent
+
+%post
+    set -euo pipefail
+    export DEBIAN_FRONTEND=noninteractive
+
+    apt-get update
+    apt-get install -y --no-install-recommends \
+        git \
+        ca-certificates \
+        curl \
+        build-essential \
+        gfortran
+    rm -rf /var/lib/apt/lists/*
+
+    # uv — same tool used in the dev workflow, no surprises for contributors
+    curl -LsSf https://astral.sh/uv/install.sh | sh
+    install -m 0755 /root/.local/bin/uv /usr/local/bin/uv
+
+    # Project install — skip dev extras (no jax / langchain / fastmcp on this image)
+    cd /opt/coding-agent
+    uv sync --no-dev
+
+    # Smoke-test the entry point at build time so a broken image fails fast
+    uv run agent-analyze --help > /dev/null
+
+%environment
+    export PYTHONUNBUFFERED=1
+    export PATH=/opt/coding-agent/.venv/bin:$PATH
+
+%runscript
+    # `apptainer run ... <args>` → forwards args straight to agent-analyze.
+    cd /opt/coding-agent
+    exec uv run agent-analyze "$@"
+
+%labels
+    Author       "Loïc Maurin <maurin.loic.ac@gmail.com>"
+    Description  "coding-agent — Fortran static analyzer (Loki, no LLM, no GPU)"
+    Mode         "analyze-only"
+    License      "Apache-2.0"
+
+%help
+    Static analyzer for legacy Fortran 90 — detects COMMON blocks, SAVE,
+    I/O in kernels, missing IMPLICIT NONE, POINTER/derived-type patterns,
+    suspected loop-carried dependencies. No LLM call, no file rewrite.
+
+    Outputs SARIF (CI-uploadable), JSON, or human-readable text.
+
+    Examples
+    --------
+    Scan a single file:
+        apptainer run coding-agent-analyze.sif src/kernel.f90
+
+    Emit SARIF for a Jenkins / GitLab CI step:
+        apptainer run coding-agent-analyze.sif \\
+            --format sarif --output report.sarif --fail-on error src/
+
+    Run inside a Slurm job:
+        srun --cpus-per-task=2 apptainer run coding-agent-analyze.sif src/