MVI DOCTRINE — Minimum Viable Image. Every service runs at its fermentation floor.
At fleet scale: 7 silos × 50 services × 10MB saved = 3.5GB per full fleet pull.
Small images = faster pulls, smaller attack surface, lower memory pressure, faster startup.
The floor is not a target — it is the law.
§1 — V13 IMAGE STANDARD TABLE
| Language/Use | Base Image | Target Size | When To Use | Example Services | Status |
|---|---|---|---|---|---|
| Go static binary | alpine:3.21 | 12–20 MB | Any stateless Go service with no CGO | mefine, merostone, eose-prox, fleetop | FLOOR |
| Go multi-stage | golang:1.22-alpine → alpine:3.21 | 15–25 MB | Go builds needing compiler in CI | fleet build pipeline, relay agents | FLOOR |
| Python service | python:3.12-alpine | 50–80 MB | FastAPI/Flask services, musl-compatible | pemclau-mcp FastAPI, loco-api | FLOOR |
| Python heavy ML | python:3.12-slim | 200–400 MB | torch/docling needing glibc — JUSTIFY | sovereign-ingest, PEMCLAU heavy | JUSTIFIED |
| Node portal | node:22-alpine | 60–150 MB | React/SSR portals, target <150MB | pemos-portal (currently 496MB → TRIM) | REVIEW |
| Static HTML/CDN | nginx:1.27-alpine | 12–15 MB | Static file serving only, no SSR | mefine-static pages | FLOOR |
| DNS resolver | coredns/coredns:latest | ~50 MB | DNS only — CoreDNS binary | fleet-coredns fleet.local | FLOOR |
§2 — FLEET IMAGE AUDIT V13
| Image | Size | Verdict | Action |
|---|---|---|---|
| mefine-static | 23.6 MB | FLOOR | Keep. nginx:1.27-alpine. Model citizen. |
| merostone-relay | 13.7 MB | FLOOR | Keep. Alpine Go binary. Fleet record. |
| ct-ops-agent | 13.9 MB | FLOOR | Keep. Alpine Go static binary. |
| sovereign-mail | 20.7 MB | FLOOR | Keep. Alpine base verified. |
| pemos-portal v460 | 496 MB | REVIEW | node:22-alpine target <150MB. Audit deps. |
| arc3-fold | 517 MB | REVIEW | Audit deps — what requires 500MB? |
| pemos-portal v461 | 532 MB | REVIEW | Same as v460. Trim pipeline needed. |
| pgvector | 613 MB | JUSTIFIED | postgres+vector extension. Keep. |
| falkordb | 639 MB | JUSTIFIED | Graph DB C binary. Keep. |
| utpemos-gateway | 1.87 GB | REPLACE | Should be ~100MB alpine. R&D debt. |
| openclaw-ct | 1.9 GB | REVIEW | Audit — can this be split? |
| oc-silo-base | 2.34 GB | REVIEW | Audit contents. Multi-stage candidate. |
| utpemos-base | 3.66 GB | REPLACE | R&D debt. Decompose into MVI layers. |
| pemos-playwright | 3.76 GB | JUSTIFIED | Needs full browser runtime. Keep isolated. |
| texlive | 8.55 GB | JUSTIFIED | LaTeX full install. Use sparingly — cron only. |
§3 — BANNED IMAGES — MECRDS CRQ REQUIRED TO OVERRIDE
BANNED BASE IMAGES
BANNED ubuntu:* — use alpine:3.21
BANNED debian:* — use alpine:3.21
BANNED node:*-bookworm* — use node:22-alpine
BANNED python:*-bullseye* — use python:3.12-alpine
BANNED node:*-buster* — EOL, never
OVERRIDE PROCESS
1. File MECRDS CRQ with justification
   Attach: image_name + size + glibc_reason
2. GBM Rasengan must confirm no alpine alt
3. PEMCLAU FC1 fermentation event logged
4. Boabixer registers with Status=JUSTIFIED
5. ROM entry created: ROM-OVERRIDE-V13-NNN
6. Review every 30 days or next V bump
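The banned list above can be enforced in CI before a build is allowed to run. The following is an added example, not part of the original standard or the fleet's own tooling; the function names and the sample Dockerfile are constructed for illustration. It reads each FROM line, ignores references to earlier build stages, normalizes digests, untagged names and Docker Hub `library/` prefixes, and reports any base image that matches a §3 pattern. Images pulled through a private mirror are outside its scope.

```python
import re
from fnmatch import fnmatchcase

# Banned globs and their stated replacements, copied from §3 of this page.
BANNED = [
    ("ubuntu:*", "use alpine:3.21"),
    ("debian:*", "use alpine:3.21"),
    ("node:*-bookworm*", "use node:22-alpine"),
    ("python:*-bullseye*", "use python:3.12-alpine"),
    ("node:*-buster*", "EOL, never"),
]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.I)

def normalize(image):
    """Reduce an image reference to name:tag so the §3 globs can match it."""
    image = image.split("@", 1)[0]                          # drop a pinned digest
    image = re.sub(r"^(docker\.io/)?library/", "", image)   # Docker Hub official images
    last = image.rsplit("/", 1)[-1]
    return image if ":" in last else image + ":latest"      # untagged means :latest

def lint_dockerfile(text):
    """Return [(line_no, image, verdict)] for every banned or unverifiable FROM."""
    findings, stages = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group("image"), m.group("alias")
        if "$" in image:                        # FROM ${BASE}: cannot be checked statically
            findings.append((no, image, "unresolved ARG, cannot verify"))
        elif image.lower() not in stages:       # skip FROM <earlier stage name>
            ref = normalize(image)
            for pattern, verdict in BANNED:
                if fnmatchcase(ref, pattern):
                    findings.append((no, ref, verdict))
                    break
        if alias:
            stages.add(alias.lower())
    return findings

# Constructed sample Dockerfile (not from the page); the digest is a dummy value.
SAMPLE = """\
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
FROM docker.io/library/ubuntu@sha256:0000 AS tools
FROM node:22-bookworm-slim AS web
FROM builder AS final
FROM alpine:3.21
"""
```

Calling `lint_dockerfile(SAMPLE)` flags lines 2 and 3 only; a CI job would fail the build when the returned list is non-empty and no override with Status=JUSTIFIED is registered.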
§4 — STANDARD DOCKERFILE TEMPLATES
GO MVI TEMPLATE — ROM-GO-V13
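# Stage 1: Build (the compiler stays in this stage only)
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY . .
# CGO_ENABLED=0 produces a static binary; -w -s strip debug info and symbols
RUN CGO_ENABLED=0 go build \
    -ldflags="-w -s" \
    -o /app .
# Stage 2: Run
FROM alpine:3.21
# alpine already defines nobody as UID 65534, so no adduser step is needed
# (adduser -D -u 65534 nobody fails because the user exists)
COPY --from=builder /app /app
USER 65534
ENTRYPOINT ["/app"]
# Target: 12-20MB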
PYTHON MVI TEMPLATE — ROM-PY-SERVICE-V13
FROM python:3.12-alpine
WORKDIR /app
# Only if C extensions needed; omit otherwise so no compiler ships in the image
RUN apk add --no-cache gcc musl-dev
COPY requirements.txt .
RUN pip install --no-cache-dir \
    -r requirements.txt
COPY . .
# nobody (UID 65534) already exists in the alpine base, so no adduser step is needed
USER 65534
CMD ["python","-m","uvicorn","main:app"]
# Target: 50-80MB
§5 — THE BUILD R&D SPIRAL
Each build cycle = a fermentation event. The spiral drives continuous image improvement through PEMCLAU memory and GBM prediction.
STEP 01 PROBE: Write Dockerfile. Build. Record size, start-time, memory footprint, attack surface CVEs.
STEP 02 MEASURE: size_mb · startup_ms · mem_mb · cve_count · layer_count. All 5 dimensions required.
STEP 03 PEMCLAU FC1: Ingest build event into PEMCLAU campfire FC1. Graph node created. Adelic pressure computed.
STEP 04 GBM RASENGAN: Gradient boost on all historical builds. Predict optimal base image for service type.
STEP 05 PLASMA ROM: GBM winner → ROM sealed. Read-only, versioned. All future builds of this type start from ROM.
STEP 06 BOABIXER: ROM registered as organism with GID. VSM role assigned. Fermentation school logged. Done.
§6 — BELT64 IMAGE MAPPING
| Segment | Image | Note |
|---|---|---|
| SEG 0 | scratch/distroless | Zero OS overhead |
| SEG 1 | alpine:3.21 | Fleet fermentation floor |
| SEG 2 | coredns/coredns | DNS binary floor |
| SEG 3 | nginx:1.27-alpine | Static serving floor |
| SEG 4 | python:3.12-alpine | Python service floor |
| SEG 5 | node:22-alpine | Node service floor |
| SEG 6 | python:3.12-slim | Justified ML layer |
| SEG 7+ | Justified heavies | pgvector, falkordb, playwright |
| SEG 62 | oc-silo-base | 2.34GB — AUDIT |
| SEG 63 | utpemos-base | 3.66GB — REPLACE |
§7 — MULTI-ARCH SUPPORT
# Multi-arch template: supports arm64 + amd64
# The builder runs on the build host's platform and cross-compiles for TARGETARCH
FROM --platform=$BUILDPLATFORM golang:1.22-alpine AS builder
ARG TARGETARCH
WORKDIR /src
COPY . .
RUN GOARCH=$TARGETARCH CGO_ENABLED=0 go build -ldflags="-w -s" -o /app .
FROM --platform=$TARGETPLATFORM alpine:3.21
COPY --from=builder /app /app
# UID 65534 is the nobody user that ships with the alpine base
USER 65534
ENTRYPOINT ["/app"]
# Build: docker buildx build --platform linux/amd64,linux/arm64 --push .
γ₁ = 14.134725141734693 · day97-v131 · EOSE Labs · Image Standard V13 · MVI Doctrine