chore(infra): use per-service container WORKDIR

[mmabrouk]

chore(infra): use per-service container WORKDIR

Containers were uniformly using /app as WORKDIR regardless of which
service they hosted, which made multi-service compose stacks ambiguous
and produced confusing log paths. This aligns container WORKDIR with
the service that owns it:

Service	WORKDIR
api/oss, api/ee	/api
web/oss, web/ee	/web
services/oss, services/ee	/services

The shared SDK and client install locations also move out from under
the per-container WORKDIR and become top-level paths in every image:

• /app/sdks/python -> /sdks/python
• /app/clients/python -> /clients/python

This is stacked on chore/sdk/python-reorg. That PR introduces
sdks/python/ and clients/python/ as build-context paths and adds
them to PYTHONPATH. Without that prerequisite, Docker builds would
fail with failed to compute cache key: "/sdks/python": not found
because the source directories don't exist on main yet.

What changes

• 12 Dockerfiles (api/{oss,ee}, web/{oss,ee}, services/{oss,ee} -
  dev + gh)
• 7 docker-compose files (mount targets, watchmedo dirs, cron command)
• Helm: _helpers.tpl alembic defaults, web-deployment, cron-deployment
• Railway: all worker/cron/web/alembic Dockerfiles + scripts +
  railway.json
• 4 alembic.ini script_location, 4 migration READMEs
• 4 env.example files (ALEMBIC_CFG_PATH_* defaults)
• 3 self-host docs (docker exec command examples)
• api/oss/src/utils/env.py (alembic fallback paths)
• api/oss/src/crons/queries.sh (crontab path)
• web/entrypoint.sh (ENTRYPOINT_DIR default)

Risks

• Largest blast radius: every container in the stack has its WORKDIR
  changed. Any custom Dockerfile or compose override held outside this
  repo will break.
• Helm values overrides: if any deployment overrides alembicCfgPath
  in their values.yaml, those overrides reference the old /app/... path
  and need to be updated.
• Cron command in compose gh.yml: pinned older AGENTA_API_IMAGE_TAG
  values still emit /app/crontab and would fail to start. Operators
  must bump the image tag alongside this compose update.
• No application logic changes. Only paths in Docker, compose, helm,
  alembic, env defaults move.

QA

• CI green (now that /sdks/python and /clients/python exist via
  the parent PR)
• docker compose dev stack (oss + ee) starts cleanly
• helm template shows the new /api path in env vars
• Run a test alembic migration in a dev container
• Cron container: queries.sh runs from /api/
• Self-host docs render correctly

Originally part of #4239 - split out for independent review.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	May 4, 2026 2:01pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 737aa2e2-af8d-4bd3-a9ef-412c4ba2cf39

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• ✅ Review completed - (🔄 Check again to review again)

📝 Walkthrough

Walkthrough

This PR systematically restructures the application's filesystem layout by migrating from a single /app directory to separate mountpoints: /api for API code, /web for web code, /services for services code, and distinct paths for SDKs and clients (/sdks/python, /clients/python). Changes span Dockerfiles, compose files, migration configs, deployment templates, and documentation.

Changes

Directory Structure Migration

Layer / File(s)	Summary
Migration Configuration api/ee/databases/postgres/migrations/.../alembic.ini, api/oss/databases/postgres/migrations/.../alembic.ini	Alembic script_location paths updated from /app/{ee,oss}/databases/... to /api/{ee,oss}/databases/...
Application Utility Configuration api/oss/src/utils/env.py	AlembicConfig default paths updated to reference /api/ instead of /app/ for migration config file locations
Cron Job Configuration api/oss/src/crons/queries.sh	Crontab file reference changed from /app/crontab to /api/crontab
Web Entrypoint Script web/entrypoint.sh	ENTRYPOINT_DIR default changed from /app to /web, affecting license-specific public directory creation
Dev Docker Images api/ee/docker/Dockerfile.dev, api/oss/docker/Dockerfile.dev, services/ee/docker/Dockerfile.dev, services/oss/docker/Dockerfile.dev, web/ee/docker/Dockerfile.dev, web/oss/docker/Dockerfile.dev	WORKDIR changed to respective mount paths (/api, /services, /web); pyproject.toml and source code copied to new paths; crontab output redirected to /api/crontab
Production Docker Images api/ee/docker/Dockerfile.gh, api/oss/docker/Dockerfile.gh, services/ee/docker/Dockerfile.gh, services/oss/docker/Dockerfile.gh, web/ee/docker/Dockerfile.gh, web/oss/docker/Dockerfile.gh	WORKDIR and PYTHONPATH updated for builder and runner stages; SDK/client paths moved to /sdks/python and /clients/python; artifact copy destinations reflect new directory structure
Migration Command Documentation api/ee/databases/postgres/migrations/.../README.md, api/oss/databases/postgres/migrations/.../README.md	Docker exec commands updated to use PYTHONPATH=/api and working directories under /api/ instead of /app/
Dev Docker Compose hosting/docker-compose/ee/docker-compose.dev.yml, hosting/docker-compose/oss/docker-compose.dev.yml	Volume mount targets and service commands updated from /app/... to /api/... (API/workers/alembic), /web/... (web), /services (services); watchmedo directories and cron command paths updated
Production Docker Compose hosting/docker-compose/ee/docker-compose.gh*.yml, hosting/docker-compose/oss/docker-compose.gh*.yml	Cron service supercronic command path changed from /app/crontab to /api/crontab
Environment Example Files hosting/docker-compose/ee/env.ee*.example, hosting/docker-compose/oss/env.oss*.example	ALEMBIC_CFG_PATH_CORE and ALEMBIC_CFG_PATH_TRACING updated to /api/ or /web/ paths instead of /app/
Helm Deployment Templates hosting/helm/agenta-oss/templates/_helpers.tpl, hosting/helm/agenta-oss/templates/cron-deployment.yaml, hosting/helm/agenta-oss/templates/web-deployment.yaml	Alembic config path helpers updated to return /api/ paths; cron and web container commands updated to reference new filesystem layout
Railway Build Scripts hosting/railway/oss/alembic/Dockerfile, hosting/railway/oss/cron/Dockerfile, hosting/railway/oss/worker-*/Dockerfile	Alembic config environment variables and supercronic crontab paths updated to /api/ instead of /app/
Railway SDK/Client Build Script hosting/railway/oss/scripts/build-and-push-images.sh	Source and target directory paths updated from sdk/ to separate sdks/ and clients/; copy logic extended for both SDKs and clients into api/ and services/ build directories
Railway Deployment Script hosting/railway/oss/scripts/deploy-from-images.sh	Web entrypoint and server paths updated to /web/; Alembic config paths updated to /api/; cron crontab path updated to /api/crontab
Railway Web Configuration hosting/railway/oss/web/Dockerfile, hosting/railway/oss/web/railway.json	CMD and startCommand updated to execute from /web/entrypoint.sh and /web/oss/server.js instead of /app/ paths
Deployment Documentation docs/docs/self-host/01-quick-start.mdx, docs/docs/self-host/02-configuration.mdx, docs/docs/self-host/03-upgrading.mdx	Migration commands, environment variable examples, and command breakdowns updated to reference /api/ paths and corresponding PYTHONPATH values

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 60.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating container WORKDIR from a uniform path to per-service directories. It accurately reflects the primary objective of the PR.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset. It explains the rationale, provides a clear table of changes, lists affected files, and documents risks and QA steps—all aligned with the modifications shown in the raw summary.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/infra/workdir-rename

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Railway Preview Environment

Preview URL	https://gateway-production-bfcc.up.railway.app/w
Project	agenta-oss-pr-4258
Image tag	pr-4258-0e05f15
Status	Deployed
Railway logs	Open logs
Workflow logs	View workflow run
Updated at 2026-05-04T14:10:16.356Z

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

hosting/railway/oss/cron/Dockerfile (1)

1-14: ⚠️ Potential issue | 🟠 Major

Pin the Railway base image to a specific version.

All Railway Dockerfiles using ghcr.io/agenta-ai/agenta-api:latest (cron, alembic, api, worker-evaluations, worker-events, worker-tracing, worker-webhooks) depend on /api/... paths that may not exist if the base image layout differs or changes. The floating :latest tag creates a deployment risk where the cron service could fail at runtime if the base image no longer contains the expected paths.

🧹 Nitpick comments (1)

web/oss/docker/Dockerfile.dev (1)

8-8: Reduce Docker image size by hardening apt install flags.

Line 8 should add --no-install-recommends and clear apt lists to eliminate unnecessary dependencies.

Proposed patch

-RUN apt-get update && apt-get install -y jq
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends jq \
+    && rm -rf /var/lib/apt/lists/*

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 1c9c36a1-06a4-45d9-911c-4d9c1c03eb51

📥 Commits

Reviewing files that changed from the base of the PR and between 627bf63 and 7b68615.

📒 Files selected for processing (50)

• api/ee/databases/postgres/migrations/core/README.md
• api/ee/databases/postgres/migrations/core/alembic.ini
• api/ee/databases/postgres/migrations/tracing/README copy.md
• api/ee/databases/postgres/migrations/tracing/alembic.ini
• api/ee/docker/Dockerfile.dev
• api/ee/docker/Dockerfile.gh
• api/oss/databases/postgres/migrations/core/README.md
• api/oss/databases/postgres/migrations/core/alembic.ini
• api/oss/databases/postgres/migrations/tracing/README.md
• api/oss/databases/postgres/migrations/tracing/alembic.ini
• api/oss/docker/Dockerfile.dev
• api/oss/docker/Dockerfile.gh
• api/oss/src/crons/queries.sh
• api/oss/src/utils/env.py
• docs/docs/self-host/01-quick-start.mdx
• docs/docs/self-host/02-configuration.mdx
• docs/docs/self-host/03-upgrading.mdx
• hosting/docker-compose/ee/docker-compose.dev.yml
• hosting/docker-compose/ee/docker-compose.gh.local.yml
• hosting/docker-compose/ee/docker-compose.gh.yml
• hosting/docker-compose/ee/env.ee.dev.example
• hosting/docker-compose/ee/env.ee.gh.example
• hosting/docker-compose/oss/docker-compose.dev.yml
• hosting/docker-compose/oss/docker-compose.gh.local.yml
• hosting/docker-compose/oss/docker-compose.gh.ssl.yml
• hosting/docker-compose/oss/docker-compose.gh.yml
• hosting/docker-compose/oss/env.oss.dev.example
• hosting/docker-compose/oss/env.oss.gh.example
• hosting/helm/agenta-oss/templates/_helpers.tpl
• hosting/helm/agenta-oss/templates/cron-deployment.yaml
• hosting/helm/agenta-oss/templates/web-deployment.yaml
• hosting/railway/oss/alembic/Dockerfile
• hosting/railway/oss/cron/Dockerfile
• hosting/railway/oss/scripts/build-and-push-images.sh
• hosting/railway/oss/scripts/deploy-from-images.sh
• hosting/railway/oss/web/Dockerfile
• hosting/railway/oss/web/railway.json
• hosting/railway/oss/worker-evaluations/Dockerfile
• hosting/railway/oss/worker-events/Dockerfile
• hosting/railway/oss/worker-tracing/Dockerfile
• hosting/railway/oss/worker-webhooks/Dockerfile
• services/ee/docker/Dockerfile.dev
• services/ee/docker/Dockerfile.gh
• services/oss/docker/Dockerfile.dev
• services/oss/docker/Dockerfile.gh
• web/ee/docker/Dockerfile.dev
• web/ee/docker/Dockerfile.gh
• web/entrypoint.sh
• web/oss/docker/Dockerfile.dev
• web/oss/docker/Dockerfile.gh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix rollback command to actually downgrade.

Line 34 uses alembic ... downgrade head, which does not revert to a previous revision. For “revert the migration,” use downgrade -1 (or a concrete target revision).

📝 Suggested docs fix

-docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini downgrade head
+docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini downgrade -1

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini downgrade head
	docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini downgrade -1

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix tracing README commands: wrong migration directory and ineffective rollback target.

Line 16, Line 28, and Line 34 still point to .../migrations/core in a tracing README, and downgrade head won’t rollback the latest revision as described.

Proposed doc fix

-docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini revision --autogenerate -m "migration message"
+docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/tracing agenta-ee-dev-api-1 alembic -c alembic.ini revision --autogenerate -m "migration message"

-docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini upgrade head
+docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/tracing agenta-ee-dev-api-1 alembic -c alembic.ini upgrade head

-docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/core agenta-ee-dev-api-1 alembic -c alembic.ini downgrade head
+docker exec -e PYTHONPATH=/api -w /api/ee/databases/postgres/migrations/tracing agenta-ee-dev-api-1 alembic -c alembic.ini downgrade -1

Also applies to: 28-28, 34-34

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add a temporary fallback for crontab path compatibility.

Line 253 hard-switches to /api/crontab, but this GH compose variant uses tagged remote images; older tags that still write /app/crontab will fail cron startup and miss scheduled jobs.

💡 Suggested compatibility-safe command

-        command: supercronic /api/crontab
+        command: >
+            sh -c 'if [ -f /api/crontab ]; then
+              exec supercronic /api/crontab;
+            elif [ -f /app/crontab ]; then
+              exec supercronic /app/crontab;
+            else
+              echo "crontab file not found at /api/crontab or /app/crontab" >&2;
+              exit 1;
+            fi'

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid hard-coupling the chart to a single image layout.

web.image is still user-overridable, but this now assumes every compatible image exposes /web/entrypoint.sh. Any deployment pinned to an older or custom web image with /app/entrypoint.sh will fail at startup as soon as the chart is upgraded.

💡 Suggested fix

-          command: ["/web/entrypoint.sh"]
+          command: [{{ .Values.web.entrypointPath | default "/web/entrypoint.sh" | quote }}]

Add a matching default in values.yaml so the new layout stays the default while preserving an escape hatch for pinned/custom images.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	command: ["/web/entrypoint.sh"]
	args: ["node", {{ include "agenta.webServerPath" . | quote }}]
	command: [{{ .Values.web.entrypointPath | default "/web/entrypoint.sh" | quote }}]
	args: ["node", {{ include "agenta.webServerPath" . | quote }}]

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Validate the exact python subpaths that the Dockerfiles consume.

This script only checks sdks/ and clients/, but both downstream Dockerfiles copy ./sdks/python and ./clients/python. If the parent directories exist but those subpaths do not, this passes and then fails later inside docker build with a much less actionable error.

💡 Suggested fix

-SDKS_SOURCE_DIR="$ROOT_DIR/sdks"
+SDKS_SOURCE_DIR="$ROOT_DIR/sdks"
+SDKS_PYTHON_SOURCE_DIR="$SDKS_SOURCE_DIR/python"
 API_SDKS_DIR="$ROOT_DIR/api/sdks"
 SERVICES_SDKS_DIR="$ROOT_DIR/services/sdks"

-CLIENTS_SOURCE_DIR="$ROOT_DIR/clients"
+CLIENTS_SOURCE_DIR="$ROOT_DIR/clients"
+CLIENTS_PYTHON_SOURCE_DIR="$CLIENTS_SOURCE_DIR/python"
 API_CLIENTS_DIR="$ROOT_DIR/api/clients"
 SERVICES_CLIENTS_DIR="$ROOT_DIR/services/clients"

-if [ ! -d "$SDKS_SOURCE_DIR" ]; then
-    printf "Missing SDKs directory: %s\n" "$SDKS_SOURCE_DIR" >&2
+if [ ! -d "$SDKS_PYTHON_SOURCE_DIR" ]; then
+    printf "Missing SDK Python directory: %s\n" "$SDKS_PYTHON_SOURCE_DIR" >&2
     exit 1
 fi

-if [ ! -d "$CLIENTS_SOURCE_DIR" ]; then
-    printf "Missing clients directory: %s\n" "$CLIENTS_SOURCE_DIR" >&2
+if [ ! -d "$CLIENTS_PYTHON_SOURCE_DIR" ]; then
+    printf "Missing clients Python directory: %s\n" "$CLIENTS_PYTHON_SOURCE_DIR" >&2
     exit 1
 fi

Also applies to: 31-39