feat: add Railway deployment config for verification worker#1

Open
oneshot2001 wants to merge 3 commits into main from deploy/railway-worker

@oneshot2001 oneshot2001 commented Mar 3, 2026

Adds a lightweight Dockerfile.mock (python:3.11-slim, no SVF compilation) and railway.json for fast initial Railway deployment with USE_MOCK_RESULTS=true. The full SVF build path (Dockerfile) remains intact for when real verification is needed.

Summary by CodeRabbit

  • New Features

    • Introduced V1 Enterprise API with REST endpoints, auth header support, and quota-bypass behavior for enterprise customers.
  • Documentation

    • Expanded API docs: API-key handling, audit trail and test-data/logger utilities, and refined test/CI guidance.
    • Improved test structure by adding an API route test category.
  • Chores

    • Added deployment and local runtime configuration artifacts, a mock runtime image for local testing, and an updated build/runtime config; ignored deployment output directory.

Adds a lightweight Dockerfile.mock (python:3.11-slim, no SVF compilation)
and railway.json for fast initial Railway deployment with USE_MOCK_RESULTS=true.
The full SVF build path (Dockerfile) remains intact for when real verification
is needed.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

coderabbitai bot commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67711dd and 8dc3fe7.

📒 Files selected for processing (1)
  • worker/.gitignore
✅ Files skipped from review due to trivial changes (1)
  • worker/.gitignore

📝 Walkthrough

Adds V1 Enterprise REST API documentation, expands API key validation/audit logging and test structure notes, and adds a Python worker Dockerfile mock plus Railway and Vercel/Next.js deployment/config files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation (CLAUDE.md) | Expanded Test Structure (added Unit/API route tests), updated test/CI guidance, added V1 Enterprise public REST API section (endpoints, auth header format, quota behavior), and detailed API key handling (validation function path, dual-storage strategy, audit trail, test/mock utilities). |
| Worker image & deployment (worker/Dockerfile.mock, worker/railway.json, worker/.gitignore) | Added Python 3.11-slim Dockerfile mock (copies app & certs, installs requirements, exposes port 8000, env USE_MOCK_RESULTS=true, runs uvicorn); added Railway manifest referencing Dockerfile.mock with /health check and restart policy; added .vercel to worker ignore rules. |
| Next/Vercel config (next.config.ts, vercel.json) | Enabled turbopack root by resolving __dirname in Next config; added vercel.json with "framework":"nextjs". |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I hopped through docs and left a neat trace,
A RESTful trail for enterprise customers to race.
I spun a mock Docker burrow, tuned deployment lights,
Kept keys and audits snug through testing nights,
Nibble, push, deploy — I celebrate in bytes.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding Railway deployment configuration for the verification worker via Dockerfile.mock and railway.json. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@worker/Dockerfile.mock`:
- Around line 1-16: Create and switch to a non-root user in the Dockerfile: add
steps to create a dedicated user (e.g., "appuser"), create or set a group if
desired, set appropriate ownership for /app and /app/certs (chown to appuser),
set HOME and switch to that user with USER appuser before the CMD so uvicorn
runs unprivileged; ensure any files created earlier (installed packages, copied
files) are accessible by that user and avoid running pip as root at runtime by
doing installation during build as root but ensuring the app directory
permissions are changed for the non-root user.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 12804f6 and 68b4c07.

📒 Files selected for processing (3)
  • CLAUDE.md
  • worker/Dockerfile.mock
  • worker/railway.json

Comment on lines +1 to +16
FROM python:3.11-slim

WORKDIR /app

COPY requirements.txt .
RUN pip3 install --no-cache-dir -r requirements.txt

COPY certs/ /app/certs/
COPY app/ /app/app/

EXPOSE 8000

ENV USE_MOCK_RESULTS=true

# Use Railway's injected $PORT if set, otherwise fall back to 8000
CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000}"]

⚠️ Potential issue | 🟠 Major

Run the container as a non-root user.

The image currently runs as root, which weakens container isolation and increases blast radius if compromised.

🔒 Proposed hardening patch
 FROM python:3.11-slim
 
 WORKDIR /app
 
 COPY requirements.txt .
 RUN pip3 install --no-cache-dir -r requirements.txt
 
 COPY certs/ /app/certs/
 COPY app/ /app/app/
+
+RUN addgroup --system app && adduser --system --ingroup app app \
+  && chown -R app:app /app
 
 EXPOSE 8000
 
 ENV USE_MOCK_RESULTS=true
+USER app
 
 # Use Railway's injected $PORT if set, otherwise fall back to 8000
 CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000}"]
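
Review bot: the added `chown -R app:app /app` gives the runtime user ownership of, and therefore write access to, the application code and /app/certs, so a compromised uvicorn process could rewrite either. The server only needs to read these files, and COPY already leaves them owned by root. Consider dropping the chown and keeping the addgroup/adduser and `USER app` lines, then granting read access narrowly (for example group-read on a key file in certs/ whose mode would otherwise block the app user) or limiting ownership to a directory the app actually writes to.
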
🧰 Tools
🪛 Trivy (0.69.1)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@worker/Dockerfile.mock` around lines 1 - 16, Create and switch to a non-root
user in the Dockerfile: add steps to create a dedicated user (e.g., "appuser"),
create or set a group if desired, set appropriate ownership for /app and
/app/certs (chown to appuser), set HOME and switch to that user with USER
appuser before the CMD so uvicorn runs unprivileged; ensure any files created
earlier (installed packages, copied files) are accessible by that user and avoid
running pip as root at runtime by doing installation during build as root but
ensuring the app directory permissions are changed for the non-root user.
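
The finding discussed above (no non-root USER in effect when the image starts) can be checked before a scanner runs. The following is an added example, not code from this PR, CodeRabbit or Trivy: a simplified check whose function names are hypothetical, and which assumes that a base image setting no USER of its own runs as root.

```python
# Added example: simplified non-root check for a Dockerfile (not Trivy's code).
ROOT_IDS = {"root", "0"}

def logical_lines(text):
    """Yield instructions with backslash continuations joined; skip comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def final_stage_user(text):
    """User in effect at the end of the last stage; None if no USER was set."""
    user = None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = None  # a new stage starts from its base image's user
        elif instr == "USER":
            user = (parts[1].strip() if len(parts) > 1 else "") or None
    return user

def runs_as_root(text):
    """Assumption: a base image that sets no USER runs as root."""
    user = final_stage_user(text)
    return user is None or user.split(":", 1)[0] in ROOT_IDS

# The PR's Dockerfile.mock, with blank lines and the comment dropped.
BEFORE = """FROM python:3.11-slim
WORKDIR /app
COPY requirements.txt .
RUN pip3 install --no-cache-dir -r requirements.txt
COPY certs/ /app/certs/
COPY app/ /app/app/
EXPOSE 8000
ENV USE_MOCK_RESULTS=true
CMD ["sh", "-c", "uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-8000}"]
"""
# The same file with the lines from the proposed hardening patch applied.
HARDENING = ("RUN addgroup --system app && adduser --system --ingroup app app \\\n"
             "  && chown -R app:app /app\n")
AFTER = (BEFORE.replace("EXPOSE 8000", HARDENING + "EXPOSE 8000")
               .replace("CMD", "USER app\nCMD"))
```

Only the last stage counts: a USER set in an earlier build stage does not carry over past the next FROM.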

…ss output

Without this file Vercel defaults to framework=null and serves from the
public/ directory instead of tracing Next.js serverless functions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

vercel bot commented Mar 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
edgeproof-dev Ready Ready Preview, Comment Mar 3, 2026 11:01pm

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>