fix: install lightspeed_rag_content module itself in hermetic built image

[raptorsun]

Description

This fixes the issue that python module lightspeed_rag_content is missing in the konflux image.

update requirement files for the docling upgrade by raptorsun@7f688b0#diff-50c86b7ed8ac2cf95bd48334961bf0530cdc77b5a56f852c5c61b89d735fd711R55-R56

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up service version
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change
• Unit tests improvement
• Integration tests improvement
• End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

• Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
• Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

• Related Issue # https://issues.redhat.com/browse/LCORE-791
• Closes #

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• Please provide detailed steps to perform tests related to this code change.
• How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

• Chores
  • Updated dependency set: added griffe/griffecli/griffelib, pyclipper, mpire, semchunk, shapely, omegaconf, tree-sitter-* and others; removed legacy docling entries and adjusted torch and several package versions.
  • Added a new wheel-hash requirements file and expanded wheel/source hash coverage (opencv-python, rapidocr, sqlite-vec, etc.).
  • Adjusted build/pipeline install steps to include the new wheel-hash file and an explicit local package install for more reproducible builds.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a new PyPI wheel-hash file and moves several packages between wheel/source sets; updates Tekton prefetch inputs, Containerfile build steps, wheel/source hash files, requirements and override files, and the konflux requirements script.

Changes

Cohort / File(s)	Summary
Tekton prefetch configs ​.tekton/rag-tool-pull-request.yaml, ​.tekton/rag-tool-push.yaml	Added requirements.hashes.wheel.pypi.txt to prefetch inputs; removed et-xmlfile/docling* from binary.packages; added mpire, semchunk, shapely, omegaconf, griffe, griffecli, griffelib, pyclipper, tree-sitter-typescript and reordered package list. Hermetic flag removed from one prefetch block.
Container build Containerfile	COPY updated to include requirements.hashes.wheel.pypi.txt; conditional RUN now installs -r requirements.hashes.wheel.pypi.txt in addition to existing hashes and adds pip install --no-cache-dir --no-deps . when the cache/env file is present.
Build requirements requirements-build.txt	Bumped setuptools (80.10.2 → 82.0.0); added/expanded commented entries for tree-sitter, typer, colorlog, dill, multiprocess and related annotations.
Source hash lockfile requirements.hashes.source.txt	Large refresh: many additions (antlr4, colorlog, dill, docling*, starlette, tree-sitter variants, typer, uvicorn, urllib3, wcwidth), multiple version upgrades and hash updates across numerous packages; some removals.
Wheel hashes (PyPI) requirements.hashes.wheel.pypi.txt	New file: added sha256 wheel entries for griffe, griffecli, griffelib, omegaconf, opencv-python, pyclipper, rapidocr, sqlite-vec, etc.
Wheel hashes (local/wheel) requirements.hashes.wheel.txt	Removed docling/docling-core wheel entries; lxml upgraded to 6.0.2 (expanded hashes); torch downgraded to 2.8.0 with torchvision aligned; added mpire, semchunk, shapely, tornado; other legacy entries removed/adjusted.
Dependency overrides requirements.overrides.txt	Removed docling/docling-core; changed torch 2.9.0 → 2.8.0; added pypdfium2==4.30.0.
Konflux requirements script scripts/konflux_requirements.sh	Expanded PYPI_WHEELS to include omegaconf, griffe, griffecli, griffelib, pyclipper, tree-sitter-typescript, affecting wheel vs source splitting and hash generation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• LCORE-791: konflux hermetic build #65: Adjusts hermetic prefetch-input and wheel-package wiring overlapping package list and Tekton prefetch changes.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: installing the lightspeed_rag_content module in the hermetic built image, which is the core purpose of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

 ___________________________________
< Tom & Jerry level of bug chasing. >
 -----------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

Tip

Flake8 can be used to improve the quality of Python code reviews.

Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script.

To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root.

See Flake8 Documentation for more details.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

 ___________________________________
< Tom & Jerry level of bug chasing. >
 -----------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

Tip

Flake8 can be used to improve the quality of Python code reviews.

Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script.

To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root.

See Flake8 Documentation for more details.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Currently processing new changes in this PR. This may take a few minutes, please wait...

 ___________________________________
< Tom & Jerry level of bug chasing. >
 -----------------------------------
  \
   \   (\__/)
       (•ㅅ•)
       / 　 づ

_{✏️ Tip: You can disable in-progress messages and the fortune message in your review settings.}

Tip

Flake8 can be used to improve the quality of Python code reviews.

Flake8 is a Python linter that wraps PyFlakes, pycodestyle and Ned Batchelder's McCabe script.

To configure Flake8, add a '.flake8' or 'setup.cfg' file to your project root.

See Flake8 Documentation for more details.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an editable pip install step (pip install -e .) to the Containerfile when cachi2 dependencies are available, enabling development-mode package installation alongside existing wheel and source requirements. No logic or error handling changes introduced.

Changes

Cohort / File(s)	Summary
Container Build Configuration Containerfile	Adds a single pip install line with --no-cache-dir --no-deps -e . flags in the conditional branch when cachi2.env is present, inserting after existing requirements installation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A single line hops into place,
Installing packages with gentle grace,
In editable mode, development flows,
Where -e magic and cachi2 glows!
Simple, swift, the build shall race. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding an editable install of the lightspeed_rag_content module in the containerized build image.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Review failed

Failed to post review comments

📝 Walkthrough

Walkthrough

Adds an editable pip install step (pip install -e .) to the Containerfile when cachi2 dependencies are available, enabling development-mode package installation alongside existing wheel and source requirements. No logic or error handling changes introduced.

Changes

Cohort / File(s)	Summary
Container Build Configuration Containerfile	Adds a single pip install line with --no-cache-dir --no-deps -e . flags in the conditional branch when cachi2.env is present, inserting after existing requirements installation.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A single line hops into place,
Installing packages with gentle grace,
In editable mode, development flows,
Where -e magic and cachi2 glows!
Simple, swift, the build shall race. ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding an editable install of the lightspeed_rag_content module in the containerized build image.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@Containerfile`:
- Line 42: Replace the editable install flag in the pip install command: change
"pip install --no-cache-dir --no-deps -e ." to a normal install and make it
hermetic by including the same flags used earlier; e.g. "pip install
--no-cache-dir --no-deps --no-index --find-links ${PIP_FIND_LINKS} ." and also
add "--no-build-isolation" if you must prevent build backends from attempting
network fetches; update the pip install line accordingly (the line containing
"pip install --no-cache-dir --no-deps -e .").

[raptorsun]

/retest

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

requirements-build.txt (1)

122-148: ⚠️ Potential issue | 🟡 Minor

Verify pkg_resources compatibility with setuptools 82.0.0

setuptools 82.0.0 (released Feb 8, 2026) removes pkg_resources—a breaking change. Projects or dependencies still relying on pkg_resources will fail. Confirm that the codebase and all dependencies (especially sentence-transformers, sqlalchemy, and other listed packages) do not depend on pkg_resources.

🧹 Nitpick comments (1)

requirements.hashes.source.txt (1)

5-6: Consider updating antlr4-python3-runtime to a more recent version if compatibility allows.

The pinned version 4.9.3 (Nov 2021) is approximately 2.75 years old, with multiple releases available, including 4.13.2 (Aug 2024). No known security vulnerabilities have been identified for 4.9.3. If this specific version is not required for compatibility, updating to a more recent release could provide access to bug fixes and improvements.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@requirements.hashes.wheel.pypi.txt`:
- Around line 5-10: Remove the invalid PyPI entries "griffecli==2.0.0" and
"griffelib==2.0.0" from requirements.hashes.wheel.pypi.txt (or replace them with
the correct package names if there was a typo); keep the legitimate
"griffe==2.0.0" entry and ensure the file only contains verifiable PyPI packages
with correct --hash values so installations won't fail or pull unintended
packages.

🧹 Nitpick comments (1)

requirements.hashes.source.txt (1)

5-6: antlr4-python3-runtime pinned to old version 4.9.3.

This is a 2021-era release. This is likely pinned due to omegaconf's dependency constraint, but worth noting for future security reviews.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for references to griffe packages in the repository
rg -n 'griffe|griffecli|griffelib' --glob '*.txt' --glob '*.toml' --glob '*.cfg' --glob '*.py' -i

Repository: lightspeed-core/rag-content

Length of output: 235

---

🌐 Web query:

griffe package PyPI Python documentation

💡 Result:

Griffe is a Python package for extracting (“signatures for”) the structure and docstrings of Python codebases—commonly used to generate API documentation (e.g., via mkdocstrings) and to detect API breaking changes. (pypi.org)

• PyPI page (install + quick usage): pip install griffe and basic CLI/Python examples (e.g., griffe dump ..., griffe check ..., griffe.load(...)). (pypi.org)
• Official documentation (user guide + API reference): hosted at the Griffe docs site. (mkdocstrings.github.io)
• Related docs tooling: mkdocstrings’ Python handler uses Griffe to collect API data for MkDocs-based documentation sites. (mkdocstrings.github.io)

Citations:

• 1: https://pypi.org/pypi/griffe?utm_source=openai
• 2: https://pypi.org/pypi/griffe?utm_source=openai
• 3: https://mkdocstrings.github.io/griffe/?utm_source=openai
• 4: https://mkdocstrings.github.io/python/?utm_source=openai

---

🌐 Web query:

griffecli griffelib PyPI packages

💡 Result:

• griffecli (PyPI): I can’t find any PyPI project currently published under the name griffecli (no matching project page shows up in PyPI search results).
• griffelib (PyPI): I can’t find any PyPI project currently published under the name griffelib (no matching project page shows up in PyPI search results).
• What to use instead: The actively published package is griffe, which provides both the library and the griffe command-line tool. Install with pip install griffe. [1]

Sources:
[1] (pypi.org)

Citations:

• 1: https://pypi.org/project/griffe/?utm_source=openai

---

Remove griffecli and griffelib from requirements.hashes.wheel.pypi.txt—these packages do not exist on PyPI.

griffe==2.0.0 is a legitimate package for extracting Python code structure and docstrings (used in documentation tooling). However, griffecli and griffelib have no corresponding PyPI projects. These may be typos, removed packages, or placeholder entries that will cause installation to fail or potentially install malicious packages if they exist under those names. Verify the intended package names and either correct them or remove them from the file.

🤖 Prompt for AI Agents

In `@requirements.hashes.wheel.pypi.txt` around lines 5 - 10, Remove the invalid
PyPI entries "griffecli==2.0.0" and "griffelib==2.0.0" from
requirements.hashes.wheel.pypi.txt (or replace them with the correct package
names if there was a typo); keep the legitimate "griffe==2.0.0" entry and ensure
the file only contains verifiable PyPI packages with correct --hash values so
installations won't fail or pull unintended packages.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@requirements-build.txt`:
- Line 118: The pin to setuptools==82.0.0 may break the build due to removal of
pkg_resources; search the codebase and dependency manifests for usages of
"pkg_resources" (and imports in modules/scripts), and if any are found update
those callers to use importlib.resources or importlib.metadata (or adapt import
paths) or update dependency versions that still require pkg_resources; if
migration is not possible before merge, modify requirements-build.txt to pin
setuptools to a pre-82 release (e.g., setuptools<82) and add a short TODO
comment explaining the temporary pin and that pkg_resources usages must be
migrated.

In `@requirements.hashes.wheel.txt`:
- Around line 104-108: The lxml dependency was bumped to 6.0.2 which has
breaking changes; search the repo for direct uses of lxml APIs and features
(e.g., any imports of MemDebug.dump or MemDebug.show, Schematron-related code,
reliance on automatic gzip/lzma decompression or HTTP/FTP URL parsing) and
update or remove those usages, ensure CI/tests run under Python >=3.8, and if
your code depends on automatic decompression or HTTP/FTP parsing enable the
corresponding libxml2 options or replace with explicit decompression/HTTP client
logic; after changes run the full test suite and fix any failures in modules
referencing lxml-specific features (look for references in code, tests, and
scripts).

🧹 Nitpick comments (1)

Containerfile (1)

41-42: Core fix: local package installation added to hermetic build — this addresses the PR objective.

Line 42 (pip install --no-cache-dir --no-deps .) is the key change that installs the lightspeed_rag_content module into the image, fixing the reported issue (LCORE-791). The split into two pip install commands (one for requirements, one for the local package) is clean.

One minor note: Line 42 omits --no-index --find-links ${PIP_FIND_LINKS} unlike Line 41. Since --no-deps prevents runtime dependency resolution this is likely fine, but if the build backend needs to fetch build requirements, it could attempt network access (which would fail in hermetic mode). Consider adding --no-build-isolation to be safe, as build deps should already be present.

Suggested hardening

-    pip install --no-cache-dir --no-deps . && \
+    pip install --no-cache-dir --no-deps --no-build-isolation . && \

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

setuptools 82.0.0 PyPI release

💡 Result:

Setuptools 82.0.0 was released on February 8, 2026 on PyPI, and requires Python ≥ 3.9. [1]

Key change in v82.0.0: pkg_resources was removed from Setuptools (with guidance to use importlib.resources / importlib.metadata, or pin an older setuptools if you still depend on pkg_resources). [2]

Files on PyPI include setuptools-82.0.0.tar.gz and setuptools-82.0.0-py3-none-any.whl. [1]

Sources: [1] [2]

---

Setuptools 82.0.0 includes a breaking change — verify pkg_resources dependency.

setuptools 82.0.0 was released on February 8, 2026 and is available on PyPI (requires Python ≥ 3.9). However, a critical change in this release is the removal of pkg_resources. Before merging, verify that neither the codebase nor its dependencies rely on pkg_resources. If they do, either migrate to importlib.resources / importlib.metadata or pin setuptools to an older version.

🤖 Prompt for AI Agents

In `@requirements-build.txt` at line 118, The pin to setuptools==82.0.0 may break
the build due to removal of pkg_resources; search the codebase and dependency
manifests for usages of "pkg_resources" (and imports in modules/scripts), and if
any are found update those callers to use importlib.resources or
importlib.metadata (or adapt import paths) or update dependency versions that
still require pkg_resources; if migration is not possible before merge, modify
requirements-build.txt to pin setuptools to a pre-82 release (e.g.,
setuptools<82) and add a short TODO comment explaining the temporary pin and
that pkg_resources usages must be migrated.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

lxml 6.0 breaking changes migration guide

💡 Result:

Key lxml 6.0.0 (released 2025-06-26) changes that can break/affect upgrades, plus what to do. [1]

1) Python version floor raised

• Breaking: support for Python < 3.8 removed. [1]
• Migrate: upgrade runtimes/CI to Python 3.8+ (and adjust python_requires, tox envs, docker images, etc.).

2) Automatic decompression is becoming opt-in (libxml2 ≥ 2.15)

• Behavior change / potential break: new parser option decompress=False controls automatic input decompression; code that relied on auto-decompression will need to enable it (once running against libxml2 2.15+). [1]
• Migrate: if you parse compressed inputs and expect transparent decompression, set decompress=True explicitly in the parser you use (where applicable). Otherwise, decompress in Python before parsing.

3) zlib/lzma “parse compressed bytes directly” is now optional

• Behavior change / portability: direct parsing of zlib (or lzma) compressed data is now considered optional and may disappear in future releases; don’t assume it’s always available. [1]
• Migrate: stop depending on this feature; decompress yourself; or gate it with:
  • "zlib" in etree.LIBXML_FEATURES (same idea for "lzma"). [1]

4) Schematron is deprecated (future removal)

• Future-breaking: lxml.etree.Schematron is deprecated and will become non-functional in a future lxml version as libxml2 removes it. [1]
• Migrate: plan to move Schematron validation to an alternative implementation/toolchain (don’t start new dependencies on Schematron).

5) URL parsing via libxml2 HTTP/FTP may stop working in wheels

• Behavior change: binary wheels ship libxml2 builds where direct HTTP/FTP parsing from URLs is disabled; test with "http" in etree.LIBXML_FEATURES. [1]
• Migrate: fetch content with Python HTTP clients (urllib/requests), then parse from bytes/streams.

6) Removed APIs

• Breaking: MemDebug.dump() and MemDebug.show() were removed. [1]
• Migrate: remove calls or replace with other profiling/debug approaches (these were tied to libxml2 functionality that was dropped).

If you share what you’re upgrading from (e.g., 4.9 → 6.0 or 5.x → 6.0) and which parts you use (Schematron, URL parsing, compressed inputs), I can turn this into a targeted checklist.

Sources: lxml 6.0.0 changelog / release notes. [1]

---

lxml major version bump from 5.4.0 to 6.0.2 introduces breaking changes.

Verify downstream code compatibility. Notable changes include: Python < 3.8 no longer supported, automatic decompression becoming opt-in (with libxml2 ≥ 2.15), direct zlib/lzma parsing now optional, Schematron deprecated, HTTP/FTP URL parsing disabled in wheels, and removal of MemDebug.dump()/MemDebug.show(). Ensure code doesn't rely on any of these features or update accordingly.

🤖 Prompt for AI Agents

In `@requirements.hashes.wheel.txt` around lines 104 - 108, The lxml dependency
was bumped to 6.0.2 which has breaking changes; search the repo for direct uses
of lxml APIs and features (e.g., any imports of MemDebug.dump or MemDebug.show,
Schematron-related code, reliance on automatic gzip/lzma decompression or
HTTP/FTP URL parsing) and update or remove those usages, ensure CI/tests run
under Python >=3.8, and if your code depends on automatic decompression or
HTTP/FTP parsing enable the corresponding libxml2 options or replace with
explicit decompression/HTTP client logic; after changes run the full test suite
and fix any failures in modules referencing lxml-specific features (look for
references in code, tests, and scripts).

[tisnik]

LGTM