Model-Engine Runtime Hardened with Chainguard Migration, Python 3.14 Compatibility Secured
The core runtime for the model-engine service has undergone a significant security and compatibility overhaul, migrating from a standard Python slim image to the hardened, minimal Chainguard base. This shift replaces the previous Debian-based `apt-get` workflow with Chainguard's Alpine-based `apk` package manager, stripping out legacy runtime baggage and Debian-specific install paths to create a leaner, more secure container image. The rebuild constructs the Python environment inside a virtual environment (venv) in the builder stage and copies only the essential runtime artifacts forward to the final image, a move that drastically reduces the attack surface and the potential for dependency conflicts.
The technical migration is detailed in `model-engine/Dockerfile`. The builder stage now uses `cgr.dev/chainguard/python:latest-dev`, while the production runtime runs on `cgr.dev/chainguard/python:latest`. The update also keeps the service working on Python 3.14 by refreshing the dependency set with current security fixes. To preserve the runtime operations that depend on them, the `git` and `git-core` executables, together with the shared libraries they require (`libpcre2-8`, `libz`), are explicitly copied from the builder stage into the minimal final image.
This architectural hardening signals a proactive shift towards supply chain security and maintainability. By embedding the `service_configs` directory, the update ensures the gateway startup path can correctly resolve critical configuration files like `service_config_circleci.yaml`. The move to Chainguard's distroless philosophy minimizes bloat and vulnerabilities, positioning the model-engine for more robust and auditable deployments in production environments, where container integrity is paramount.
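The following multi-stage Dockerfile shows the layout the three paragraphs above describe: a `latest-dev` builder that installs `git` with `apk` and builds a venv, and a distroless `latest` runtime that receives only the venv, the git binaries, their two shared libraries and the `service_configs` directory. It is an illustration added here, not the project's actual `model-engine/Dockerfile`. The two image references are the ones named on the page; the requirements file path, the source directory, the entrypoint module (`model_engine.gateway`) and the exact library and git helper paths are assumptions, and the library set should be confirmed in the builder with `ldd /usr/bin/git` and `git --exec-path` before the image is relied on.

```dockerfile
# --- Builder stage: the -dev variant ships apk, a shell and pip ---------------
FROM cgr.dev/chainguard/python:latest-dev AS builder

# The -dev image defaults to the unprivileged user; apk needs root to install.
USER root
# apk (Wolfi/Chainguard) replaces the old apt-get step; git is a runtime need.
RUN apk add --no-cache git

# Resolve the dependency tree inside an isolated venv so that only /app/venv
# has to be carried into the runtime image.
ENV PATH="/app/venv/bin:$PATH"
WORKDIR /app
RUN python -m venv /app/venv
# Assumed path: the service's pinned, refreshed requirements file.
COPY model-engine/requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r /app/requirements.txt

# --- Runtime stage: no shell, no package manager, nonroot by default ----------
FROM cgr.dev/chainguard/python:latest

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PATH="/app/venv/bin:$PATH"
WORKDIR /app

# The venv's bin/python is a symlink to the interpreter path shared by both
# Chainguard images of the same tag, so the copied venv resolves correctly.
COPY --from=builder /app/venv /app/venv

# git front end plus its helper binaries (git-core), copied explicitly because
# the runtime image has no apk to install them with. Assumed paths; check
# `git --exec-path` in the builder.
COPY --from=builder /usr/bin/git /usr/bin/git
COPY --from=builder /usr/libexec/git-core /usr/libexec/git-core
# Shared libraries git links against. Only the two the page names are listed;
# confirm the full set with `ldd /usr/bin/git` in the builder. Assumed paths.
COPY --from=builder /usr/lib/libpcre2-8.so.0 /usr/lib/libpcre2-8.so.0
COPY --from=builder /usr/lib/libz.so.1 /usr/lib/libz.so.1

# Application package and the embedded config directory that the gateway
# resolves at startup (e.g. service_config_circleci.yaml). Assumed paths.
COPY model-engine/model_engine /app/model_engine
COPY model-engine/service_configs /app/service_configs

# Chainguard runtime images already run as the nonroot user (UID 65532);
# stating it keeps the intent explicit if a base-image change alters the default.
USER nonroot
# Assumed entrypoint module name.
ENTRYPOINT ["python", "-m", "model_engine.gateway"]
```

Build it from the repository root with `docker build -f model-engine/Dockerfile .`. Because the runtime stage has no shell, a smoke test is best expressed as an alternative command, for example `docker run --rm --entrypoint /usr/bin/git <image> --version`, which fails at startup if a required shared library was not copied. For reproducible, auditable deployments, replace the `latest` and `latest-dev` tags with `@sha256:` digests so that a base-image update is a deliberate, reviewed change rather than an implicit one.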