redesign fully scaffolded and web login works

gateway/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22-alpine AS builder
+FROM node:22-slim AS builder
 
 WORKDIR /app
 
@@ -7,7 +7,7 @@ COPY package*.json ./
 COPY tsconfig.json ./
 
 # Install dependencies
-RUN npm ci
+RUN npm install
 
 # Copy source
 COPY src ./src
@@ -16,25 +16,52 @@ COPY src ./src
 RUN npm run build
 
 # Production image
-FROM node:22-alpine
+FROM node:22-slim
 
 WORKDIR /app
 
+# Install dependencies for Ollama (early in the build for caching)
+RUN apt-get update && apt-get install -y curl bash zstd ca-certificates && rm -rf /var/lib/apt/lists/*
+
+# Install Ollama (before npm dependencies for better caching)
+RUN curl -fsSL https://ollama.com/install.sh | sh
+
+# Create non-root user early (before pulling model)
+RUN groupadd --gid 1001 nodejs && \
+    useradd --uid 1001 --gid nodejs --shell /bin/bash --create-home nodejs && \
+    chown -R nodejs:nodejs /app
+
+# Pull embedding model (all-minilm: 90MB, CPU-friendly) as nodejs user
+# This is the most expensive operation, so do it early
+USER nodejs
+RUN ollama serve & \
+    OLLAMA_PID=$! && \
+    sleep 10 && \
+    ollama pull all-minilm && \
+    kill $OLLAMA_PID && \
+    wait $OLLAMA_PID || true
+
+# Switch back to root for remaining setup
+USER root
+
 # Copy package files
 COPY package*.json ./
 
 # Install production dependencies only
-RUN npm ci --omit=dev
+RUN npm install --omit=dev
 
 # Copy built application
 COPY --from=builder /app/dist ./dist
 
-# Create non-root user
-RUN addgroup -g 1001 -S nodejs && \
-    adduser -S nodejs -u 1001
+# Copy entrypoint script
+COPY entrypoint.sh ./
+RUN chmod +x entrypoint.sh
+
+# Ensure nodejs user owns everything
+RUN chown -R nodejs:nodejs /app
 
 USER nodejs
 
 EXPOSE 3000
 
-CMD ["node", "dist/main.js"]
+ENTRYPOINT ["./entrypoint.sh"]