policynim 0.1.0__tar.gz

policynim-0.1.0/.dockerignore

@@ -0,0 +1,14 @@
+.env
+.git
+.github
+.plan
+.pytest_cache
+.ruff_cache
+.venv
+.benchmarks
+.qodo
+.threadloop
+.voice
+__pycache__/
+data/
+dist/

policynim-0.1.0/.env.development.example

@@ -0,0 +1,27 @@
+# Local development defaults.
+# Copy this file to .env for local CLI, eval, and stdio MCP work.
+NVIDIA_API_KEY=
+POLICYNIM_ENV=development
+POLICYNIM_LANCEDB_URI=data/lancedb
+POLICYNIM_LANCEDB_TABLE=policy_chunks
+POLICYNIM_RUNTIME_RULES_ARTIFACT_PATH=data/runtime/runtime_rules.json
+POLICYNIM_RUNTIME_EVIDENCE_DB_PATH=data/runtime/runtime_evidence.sqlite3
+POLICYNIM_RUNTIME_SHELL_TIMEOUT_SECONDS=300
+POLICYNIM_EVAL_WORKSPACE_DIR=data/evals/workspace
+POLICYNIM_DEFAULT_TOP_K=5
+POLICYNIM_EMBED_BATCH_SIZE=32
+POLICYNIM_NVIDIA_CHAT_MODEL=nvidia/llama-3.3-nemotron-super-49b-v1.5
+POLICYNIM_NVIDIA_EMBED_MODEL=nvidia/llama-nemotron-embed-1b-v2
+POLICYNIM_NVIDIA_RERANK_MODEL=nvidia/llama-nemotron-rerank-1b-v2
+POLICYNIM_NVIDIA_BASE_URL=https://integrate.api.nvidia.com/v1
+POLICYNIM_NVIDIA_RETRIEVAL_BASE_URL=https://ai.api.nvidia.com/v1/retrieval
+POLICYNIM_NVIDIA_TIMEOUT_SECONDS=30
+POLICYNIM_NVIDIA_MAX_RETRIES=2
+POLICYNIM_MCP_HOST=127.0.0.1
+POLICYNIM_MCP_PORT=6000
+POLICYNIM_MCP_REQUIRE_AUTH=false
+POLICYNIM_EVAL_UI_PORT=8001
+
+# Optional hosted-only settings:
+# POLICYNIM_MCP_BEARER_TOKENS=token-a,token-b
+# POLICYNIM_MCP_PUBLIC_BASE_URL=https://your-host

policynim-0.1.0/.env.example

@@ -0,0 +1,36 @@
+# Backward-compatible local-development example.
+# Prefer copying .env.development.example for local work and
+# .env.production.example when preparing hosted Railway variables.
+NVIDIA_API_KEY=
+POLICYNIM_ENV=development
+POLICYNIM_LANCEDB_URI=data/lancedb
+POLICYNIM_LANCEDB_TABLE=policy_chunks
+POLICYNIM_RUNTIME_RULES_ARTIFACT_PATH=data/runtime/runtime_rules.json
+POLICYNIM_RUNTIME_EVIDENCE_DB_PATH=data/runtime/runtime_evidence.sqlite3
+POLICYNIM_RUNTIME_SHELL_TIMEOUT_SECONDS=300
+POLICYNIM_EVAL_WORKSPACE_DIR=data/evals/workspace
+POLICYNIM_DEFAULT_TOP_K=5
+POLICYNIM_EMBED_BATCH_SIZE=32
+POLICYNIM_NVIDIA_CHAT_MODEL=nvidia/llama-3.3-nemotron-super-49b-v1.5
+POLICYNIM_NVIDIA_EMBED_MODEL=nvidia/llama-nemotron-embed-1b-v2
+POLICYNIM_NVIDIA_RERANK_MODEL=nvidia/llama-nemotron-rerank-1b-v2
+POLICYNIM_NVIDIA_BASE_URL=https://integrate.api.nvidia.com/v1
+POLICYNIM_NVIDIA_RETRIEVAL_BASE_URL=https://ai.api.nvidia.com/v1/retrieval
+POLICYNIM_NVIDIA_TIMEOUT_SECONDS=30
+POLICYNIM_NVIDIA_MAX_RETRIES=2
+POLICYNIM_MCP_HOST=127.0.0.1
+POLICYNIM_MCP_PORT=6000
+POLICYNIM_MCP_REQUIRE_AUTH=false
+POLICYNIM_EVAL_UI_PORT=8001
+
+# Optional hosted-only settings:
+# POLICYNIM_MCP_BEARER_TOKENS=token-a,token-b
+# POLICYNIM_MCP_PUBLIC_BASE_URL=https://your-host
+# POLICYNIM_BETA_SIGNUP_ENABLED=true
+# POLICYNIM_BETA_AUTH_DB_PATH=data/runtime/auth.sqlite3
+# POLICYNIM_BETA_SESSION_SECRET=replace-with-a-random-secret
+# POLICYNIM_BETA_GITHUB_CLIENT_ID=github-oauth-client-id
+# POLICYNIM_BETA_GITHUB_CLIENT_SECRET=github-oauth-client-secret
+# POLICYNIM_BETA_DAILY_REQUEST_QUOTA=500
+# POLICYNIM_BETA_AUTH_RATE_LIMIT_MAX_ATTEMPTS=20
+# POLICYNIM_BETA_AUTH_RATE_LIMIT_WINDOW_SECONDS=900

policynim-0.1.0/.env.production.example

@@ -0,0 +1,35 @@
+# Hosted production defaults for Docker and Railway.
+# Railway injects PORT. Leave POLICYNIM_MCP_PORT unset unless you need an override.
+# Required at Docker build time for baked ingest and at runtime for live hosted retrieval.
+NVIDIA_API_KEY=
+POLICYNIM_ENV=production
+POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked
+POLICYNIM_LANCEDB_TABLE=policy_chunks
+# Keep the compiled rules artifact with the baked/runtime data layout.
+POLICYNIM_RUNTIME_RULES_ARTIFACT_PATH=/app/data/runtime/runtime_rules.json
+# Keep mutable runtime evidence on the writable state volume.
+POLICYNIM_RUNTIME_EVIDENCE_DB_PATH=/app/state/runtime_evidence.sqlite3
+POLICYNIM_RUNTIME_SHELL_TIMEOUT_SECONDS=300
+POLICYNIM_DEFAULT_TOP_K=5
+POLICYNIM_EMBED_BATCH_SIZE=32
+POLICYNIM_NVIDIA_CHAT_MODEL=nvidia/llama-3.3-nemotron-super-49b-v1.5
+POLICYNIM_NVIDIA_EMBED_MODEL=nvidia/llama-nemotron-embed-1b-v2
+POLICYNIM_NVIDIA_RERANK_MODEL=nvidia/llama-nemotron-rerank-1b-v2
+POLICYNIM_NVIDIA_BASE_URL=https://integrate.api.nvidia.com/v1
+POLICYNIM_NVIDIA_RETRIEVAL_BASE_URL=https://ai.api.nvidia.com/v1/retrieval
+POLICYNIM_NVIDIA_TIMEOUT_SECONDS=30
+POLICYNIM_NVIDIA_MAX_RETRIES=2
+POLICYNIM_MCP_HOST=0.0.0.0
+POLICYNIM_MCP_REQUIRE_AUTH=false
+POLICYNIM_BETA_SIGNUP_ENABLED=false
+POLICYNIM_BETA_AUTH_DB_PATH=/app/state/auth.sqlite3
+POLICYNIM_BETA_DAILY_REQUEST_QUOTA=500
+POLICYNIM_BETA_AUTH_RATE_LIMIT_MAX_ATTEMPTS=20
+POLICYNIM_BETA_AUTH_RATE_LIMIT_WINDOW_SECONDS=900
+
+# Optional hosted auth after you generate a public domain:
+# POLICYNIM_MCP_BEARER_TOKENS=token-a,token-b
+# POLICYNIM_MCP_PUBLIC_BASE_URL=https://your-host
+# POLICYNIM_BETA_SESSION_SECRET=replace-with-a-random-secret
+# POLICYNIM_BETA_GITHUB_CLIENT_ID=github-oauth-client-id
+# POLICYNIM_BETA_GITHUB_CLIENT_SECRET=github-oauth-client-secret

policynim-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,54 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.11"
+
+      - name: Sync dependencies
+        run: uv sync --group test --group dev
+
+      - name: Run Ruff
+        run: uv run ruff check
+
+      - name: Run Pyright
+        run: uv run pyright
+
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.11"
+
+      - name: Sync dependencies
+        run: uv sync --group test --group dev
+
+      - name: Run offline pytest
+        run: uv run pytest -q -m "not live and not docker_live"

policynim-0.1.0/.github/workflows/hosted-smoke.yml

@@ -0,0 +1,42 @@
+name: Hosted Beta Smoke
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  hosted-smoke:
+    runs-on: ubuntu-24.04
+    env:
+      POLICYNIM_BETA_MCP_URL: ${{ secrets.POLICYNIM_BETA_MCP_URL }}
+      POLICYNIM_BETA_MCP_TOKEN: ${{ secrets.POLICYNIM_BETA_MCP_TOKEN }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
+      - name: Set up Python 3.11
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.11"
+
+      - name: Validate hosted smoke secrets
+        run: |
+          test -n "$POLICYNIM_BETA_MCP_URL" || {
+            echo "POLICYNIM_BETA_MCP_URL secret is required for hosted smoke tests."
+            exit 1
+          }
+          test -n "$POLICYNIM_BETA_MCP_TOKEN" || {
+            echo "POLICYNIM_BETA_MCP_TOKEN secret is required for hosted smoke tests."
+            exit 1
+          }
+
+      - name: Sync dependencies
+        run: uv sync --group test --group dev
+
+      - name: Run hosted live smoke
+        run: uv run --group test pytest -q -m live tests/test_hosted_mcp_live.py

policynim-0.1.0/.github/workflows/release.yml

@@ -0,0 +1,291 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release version or tag, for example 0.1.0 or v0.1.0."
+        required: false
+        type: string
+      publish_pypi:
+        description: "Publish the built Python distribution to PyPI using trusted publishing."
+        required: false
+        default: false
+        type: boolean
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: read
+
+env:
+  PYTHON_VERSION: "3.11"
+
+jobs:
+  verify:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Sync dependencies
+        run: uv sync --group test --group dev
+
+      - name: Check lockfile
+        run: uv lock --check
+
+      - name: Run Ruff
+        run: uv run ruff check .
+
+      - name: Run Pyright
+        run: uv run pyright
+
+      - name: Run offline pytest
+        run: uv run pytest -q -m "not live and not docker_live"
+
+      - name: Build Python distribution
+        run: uv build --out-dir dist
+
+      - name: Upload Python distribution
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: python-dist
+          path: dist/*
+          if-no-files-found: error
+
+  wheel-smoke:
+    runs-on: ubuntu-24.04
+    needs: verify
+    steps:
+      - name: Download Python distribution
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: python-dist
+          path: dist
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Smoke install built wheel
+        run: |
+          python -m venv /tmp/policynim-wheel-smoke
+          /tmp/policynim-wheel-smoke/bin/python -m pip install dist/*.whl
+          /tmp/policynim-wheel-smoke/bin/policynim --help
+          /tmp/policynim-wheel-smoke/bin/policynim --version
+
+  standalone-build:
+    needs: verify
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            platform: linux-amd64
+            archive: tar
+          - os: macos-13
+            platform: darwin-amd64
+            archive: tar
+          - os: macos-14
+            platform: darwin-arm64
+            archive: tar
+          - os: windows-2022
+            platform: windows-amd64
+            archive: zip
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Resolve release tag
+        env:
+          REQUESTED_VERSION: ${{ inputs.version }}
+        shell: bash
+        run: |
+          python - <<'PY' >> "$GITHUB_ENV"
+          import os
+          import tomllib
+          from pathlib import Path
+
+          project = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))
+          project_version = project["project"]["version"]
+          if os.environ.get("GITHUB_REF_TYPE") == "tag":
+              tag = os.environ["GITHUB_REF_NAME"]
+              requested_version = tag.removeprefix("v")
+          else:
+              requested = os.environ.get("REQUESTED_VERSION", "").strip()
+              if requested:
+                  requested_version = requested.removeprefix("v")
+                  tag = f"v{requested_version}"
+              else:
+                  requested_version = project_version
+                  tag = f"v{project_version}"
+          if requested_version != project_version:
+              raise SystemExit(
+                  "Release version mismatch: "
+                  f"requested {requested_version}, pyproject.toml has {project_version}."
+              )
+          print(f"RELEASE_TAG={tag}")
+          PY
+
+      - name: Sync release dependencies
+        run: uv sync --group release
+
+      - name: Build standalone bundle
+        run: uv run --group release pyinstaller --clean --noconfirm packaging/pyinstaller.spec
+
+      - name: Smoke standalone bundle
+        shell: bash
+        run: |
+          if [ "${{ matrix.platform }}" = "windows-amd64" ]; then
+            dist/policynim/policynim.exe --help
+            dist/policynim/policynim.exe --version
+          else
+            dist/policynim/policynim --help
+            dist/policynim/policynim --version
+          fi
+
+      - name: Archive Unix standalone bundle
+        if: matrix.archive == 'tar'
+        shell: bash
+        run: |
+          mkdir -p artifacts
+          case "${{ matrix.platform }}" in
+            linux-amd64) ASSET_NAME="policynim-${RELEASE_TAG}-linux-amd64.tar.gz" ;;
+            darwin-amd64) ASSET_NAME="policynim-${RELEASE_TAG}-darwin-amd64.tar.gz" ;;
+            darwin-arm64) ASSET_NAME="policynim-${RELEASE_TAG}-darwin-arm64.tar.gz" ;;
+            *) echo "Unsupported release platform: ${{ matrix.platform }}" >&2; exit 1 ;;
+          esac
+          tar -C dist -czf "artifacts/${ASSET_NAME}" policynim
+
+      - name: Archive Windows standalone bundle
+        if: matrix.archive == 'zip'
+        shell: pwsh
+        run: |
+          New-Item -ItemType Directory -Force -Path artifacts | Out-Null
+          $RELEASE_TAG = $env:RELEASE_TAG
+          $AssetName = "policynim-${RELEASE_TAG}-windows-amd64.zip"
+          Compress-Archive -Path "dist/policynim/*" -DestinationPath "artifacts/$AssetName" -Force
+
+      - name: Upload standalone bundle
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: standalone-${{ matrix.platform }}
+          path: artifacts/*
+          if-no-files-found: error
+
+  publish-github-release:
+    runs-on: ubuntu-24.04
+    needs:
+      - verify
+      - wheel-smoke
+      - standalone-build
+    permissions:
+      contents: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Download release artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          path: release-downloads
+
+      - name: Resolve release tag
+        env:
+          REQUESTED_VERSION: ${{ inputs.version }}
+        run: |
+          python - <<'PY' >> "$GITHUB_ENV"
+          import os
+          import tomllib
+          from pathlib import Path
+
+          project = tomllib.loads(Path("pyproject.toml").read_text(encoding="utf-8"))
+          project_version = project["project"]["version"]
+          if os.environ.get("GITHUB_REF_TYPE") == "tag":
+              tag = os.environ["GITHUB_REF_NAME"]
+              requested_version = tag.removeprefix("v")
+          else:
+              requested = os.environ.get("REQUESTED_VERSION", "").strip()
+              if requested:
+                  requested_version = requested.removeprefix("v")
+                  tag = f"v{requested_version}"
+              else:
+                  requested_version = project_version
+                  tag = f"v{project_version}"
+          if requested_version != project_version:
+              raise SystemExit(
+                  "Release version mismatch: "
+                  f"requested {requested_version}, pyproject.toml has {project_version}."
+              )
+          print(f"RELEASE_TAG={tag}")
+          PY
+
+      - name: Prepare release assets
+        run: |
+          mkdir -p release-assets
+          find release-downloads -type f -exec cp {} release-assets/ \;
+          cp scripts/install.sh release-assets/install.sh
+          cp scripts/install.ps1 release-assets/install.ps1
+          (
+            cd release-assets
+            sha256sum * > SHA256SUMS
+          )
+          cat > release-notes.md <<'EOF'
+          PolicyNIM release artifacts:
+
+          - Python wheel and source distribution for `pipx install policynim`
+          - Standalone CLI bundles for Linux, macOS, and Windows
+          - Unix and PowerShell installer scripts
+          - SHA256SUMS for release asset verification
+          EOF
+
+      - name: Create draft GitHub release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release create "$RELEASE_TAG" \
+            --draft \
+            --target "$GITHUB_SHA" \
+            --title "$RELEASE_TAG" \
+            --notes-file release-notes.md \
+            release-assets/*
+
+  publish-pypi:
+    runs-on: ubuntu-24.04
+    needs:
+      - verify
+      - wheel-smoke
+    if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && inputs.publish_pypi)
+    environment: pypi
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Download Python distribution
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: python-dist
+          path: dist
+
+      - name: Publish to PyPI
+        # This Docker-based action publishes GHCR images under release tags, not commit SHA tags.
+        uses: pypa/gh-action-pypi-publish@v1.14.0 # 6733eb7d741f0b11ec6a39b58540dab7590f9b7d

policynim-0.1.0/.gitignore

@@ -0,0 +1,19 @@
+.DS_Store
+.plan/
+.env
+.env.*
+!.env.example
+!.env.development.example
+!.env.production.example
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+.venv/
+.vscode/
+.voice/
+__pycache__/
+build/
+data/
+dist/
+*.pyc
+.threadloop/state/

policynim-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,19 @@
+repos:
+  - repo: local
+    hooks:
+      - id: ruff-check
+        name: ruff check
+        entry: uv run --group dev ruff check --fix
+        language: system
+        types: [python]
+      - id: ruff-format
+        name: ruff format
+        entry: uv run --group dev ruff format
+        language: system
+        types: [python]
+      - id: pyright
+        name: pyright
+        entry: uv run --group dev pyright
+        language: system
+        pass_filenames: false
+        types: [python]

policynim-0.1.0/.python-version

@@ -0,0 +1,2 @@
+3.11
+

policynim-0.1.0/.threadloop/config.json

@@ -0,0 +1,4 @@
+{
+  "version": 1,
+  "createdAt": "2026-03-23T20:37:09.201Z"
+}

policynim-0.1.0/Dockerfile

@@ -0,0 +1,43 @@
+# syntax=docker/dockerfile:1.7
+ARG PYTHON_BASE_IMAGE=python:3.11.15-slim-trixie@sha256:9358444059ed78e2975ada2c189f1c1a3144a5dab6f35bff8c981afb38946634
+
+FROM ${PYTHON_BASE_IMAGE} AS builder
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked
+
+WORKDIR /app
+
+RUN pip install --no-cache-dir uv==0.7.12
+
+COPY pyproject.toml uv.lock README.md LICENSE ./
+COPY src ./src
+COPY policies ./policies
+COPY evals ./evals
+
+RUN uv sync --frozen
+RUN --mount=type=secret,id=nvidia_api_key,required=true \
+    sh -c 'NVIDIA_API_KEY="$(cat /run/secrets/nvidia_api_key)" uv run policynim ingest'
+
+
+FROM ${PYTHON_BASE_IMAGE} AS runtime
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked \
+    POLICYNIM_MCP_HOST=0.0.0.0 \
+    PATH=/app/.venv/bin:$PATH
+
+WORKDIR /app
+
+COPY --from=builder /app/.venv /app/.venv
+COPY --from=builder /app/src /app/src
+COPY --from=builder /app/policies /app/policies
+COPY --from=builder /app/evals /app/evals
+COPY --from=builder /app/pyproject.toml /app/pyproject.toml
+COPY --from=builder /app/README.md /app/README.md
+COPY --from=builder /app/LICENSE /app/LICENSE
+COPY --from=builder /app/data/lancedb-baked /app/data/lancedb-baked
+
+CMD ["policynim", "mcp", "--transport", "streamable-http"]

policynim-0.1.0/Dockerfile.railway

@@ -0,0 +1,45 @@
+ARG PYTHON_BASE_IMAGE=python:3.11.15-slim-trixie@sha256:9358444059ed78e2975ada2c189f1c1a3144a5dab6f35bff8c981afb38946634
+
+FROM ${PYTHON_BASE_IMAGE} AS builder
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked
+
+WORKDIR /app
+
+RUN pip install --no-cache-dir uv==0.7.12
+
+COPY pyproject.toml uv.lock README.md LICENSE ./
+COPY src ./src
+COPY policies ./policies
+COPY evals ./evals
+
+# Railway's Dockerfile builder rejects non-cache mounts, so its deploy-specific
+# Dockerfile still has to source the bake-time key from a build arg.
+ARG NVIDIA_API_KEY
+
+RUN uv sync --frozen
+RUN NVIDIA_API_KEY="${NVIDIA_API_KEY}" uv run policynim ingest
+
+
+FROM ${PYTHON_BASE_IMAGE} AS runtime
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked \
+    POLICYNIM_MCP_HOST=0.0.0.0 \
+    PATH=/app/.venv/bin:$PATH
+
+WORKDIR /app
+
+COPY --from=builder /app/.venv /app/.venv
+COPY --from=builder /app/src /app/src
+COPY --from=builder /app/policies /app/policies
+COPY --from=builder /app/evals /app/evals
+COPY --from=builder /app/pyproject.toml /app/pyproject.toml
+COPY --from=builder /app/README.md /app/README.md
+COPY --from=builder /app/LICENSE /app/LICENSE
+COPY --from=builder /app/data/lancedb-baked /app/data/lancedb-baked
+
+CMD ["policynim", "mcp", "--transport", "streamable-http"]

policynim-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Nnenna Ndukwe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.