feat: merge bootstrap into cameleer-logto image

Adds logto-entrypoint.sh that seeds DB, starts Logto, waits for health,
runs bootstrap, then keeps Logto running. Eliminates the separate
logto-bootstrap init container.

docker/cameleer-logto/logto-entrypoint.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e
+
+echo "[entrypoint] Seeding Logto database..."
+npm run cli db seed -- --swe 2>/dev/null || true
+
+echo "[entrypoint] Starting Logto..."
+npm start &
+LOGTO_PID=$!
+
+echo "[entrypoint] Waiting for Logto to be ready..."
+for i in $(seq 1 120); do
+  if node -e "require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))" 2>/dev/null; then
+    echo "[entrypoint] Logto is ready."
+    break
+  fi
+  if [ "$i" -eq 120 ]; then
+    echo "[entrypoint] ERROR: Logto not ready after 120s"
+    exit 1
+  fi
+  sleep 1
+done
+
+# Run bootstrap if not already done
+BOOTSTRAP_FILE="/data/logto-bootstrap.json"
+if [ -f "$BOOTSTRAP_FILE" ]; then
+  CACHED_SECRET=$(jq -r '.m2mClientSecret // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
+  CACHED_SPA=$(jq -r '.spaClientId // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
+  if [ -n "$CACHED_SECRET" ] && [ -n "$CACHED_SPA" ]; then
+    echo "[entrypoint] Bootstrap already complete."
+  else
+    echo "[entrypoint] Incomplete bootstrap found, re-running..."
+    /scripts/logto-bootstrap.sh
+  fi
+else
+  echo "[entrypoint] Running bootstrap..."
+  /scripts/logto-bootstrap.sh
+fi
+
+echo "[entrypoint] Logto is running (PID $LOGTO_PID)."
+wait $LOGTO_PID

docker/logto-bootstrap.sh

@@ -47,8 +47,14 @@ TRAD_POST_LOGOUT_URIS="[\"${PROTO}://${HOST}\",\"${PROTO}://${HOST}/server\",\"$
 log() { echo "[bootstrap] $1"; }
 pgpass() { PGPASSWORD="${PG_PASSWORD:-cameleer_dev}"; export PGPASSWORD; }
 
-# Install jq + curl
-apk add --no-cache jq curl >/dev/null 2>&1
+# Install jq + curl if not already available (deps are baked into cameleer-logto image)
+if ! command -v jq >/dev/null 2>&1 || ! command -v curl >/dev/null 2>&1; then
+  if command -v apk >/dev/null 2>&1; then
+    apk add --no-cache jq curl >/dev/null 2>&1
+  elif command -v apt-get >/dev/null 2>&1; then
+    apt-get update -qq && apt-get install -y -qq jq curl >/dev/null 2>&1
+  fi
+fi
 
 # Read cached secrets from previous run
 if [ -f "$BOOTSTRAP_FILE" ]; then

ui/sign-in/Dockerfile

@@ -1,12 +1,28 @@
 # syntax=docker/dockerfile:1
 
+# Stage 1: Build custom sign-in UI
 FROM --platform=$BUILDPLATFORM node:22-alpine AS build
 ARG REGISTRY_TOKEN
 WORKDIR /ui
-COPY package.json package-lock.json .npmrc ./
+COPY ui/sign-in/package.json ui/sign-in/package-lock.json ui/sign-in/.npmrc ./
 RUN --mount=type=cache,target=/root/.npm echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
-COPY . .
+COPY ui/sign-in/ .
 RUN npm run build
 
+# Stage 2: Logto with sign-in UI + bootstrap
 FROM ghcr.io/logto-io/logto:latest
+
+# Install bootstrap dependencies (curl, jq for API calls; postgresql-client for DB reads)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl jq postgresql-client \
+    && rm -rf /var/lib/apt/lists/*
+
+# Custom sign-in UI
 COPY --from=build /ui/dist/ /etc/logto/packages/experience/dist/
+
+# Bootstrap scripts
+COPY docker/logto-bootstrap.sh /scripts/logto-bootstrap.sh
+COPY docker/cameleer-logto/logto-entrypoint.sh /scripts/entrypoint.sh
+RUN chmod +x /scripts/*.sh
+
+ENTRYPOINT ["/scripts/entrypoint.sh"]