
Enterprise Deployment

Deploy SourcePrep's headless indexer inside your own cloud infrastructure. No code leaves your network. GPU or CPU images run on any container orchestrator.

Requires a Team or Enterprise license. See also: Team Sync Guide for the standard CI/CD setup.


Overview

SourcePrep ships two Docker images for headless indexing. Both run the full enrichment pipeline — parsing your code, reasoning about how it connects, clustering it into architectural groups, and producing the project atlas — then upload the resulting index to S3-compatible storage.

Image                                  Size      GPU  Use case
ghcr.io/ericbintner/prep-headless:cpu  ~2-3 GB   No   CI runners + BYOK cloud LLM (OpenAI, Anthropic)
ghcr.io/ericbintner/prep-headless:gpu  ~8-10 GB  Yes  Air-gapped / VPC with local Ollama + Qwen3
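For the common CI case, a workflow step along these lines can run the :cpu image against a checked-out repository. The workflow shape and secret names here are illustrative assumptions; the image name and flags come from this guide's CLI reference.

```yaml
# Hypothetical GitHub Actions step; secret names are assumptions.
- name: Index with SourcePrep (CPU + BYOK)
  run: |
    docker run --rm \
      -e OPENAI_API_KEY="${{ secrets.OPENAI_API_KEY }}" \
      -e PREP_S3_ENDPOINT="${{ secrets.PREP_S3_ENDPOINT }}" \
      -e PREP_S3_BUCKET="${{ secrets.PREP_S3_BUCKET }}" \
      -e PREP_S3_ACCESS_KEY="${{ secrets.PREP_S3_ACCESS_KEY }}" \
      -e PREP_S3_SECRET_KEY="${{ secrets.PREP_S3_SECRET_KEY }}" \
      -v "$GITHUB_WORKSPACE:/workspace" \
      ghcr.io/ericbintner/prep-headless:cpu \
      sync-headless \
        --repo-path /workspace \
        --model-provider openai \
        --model-name gpt-4.1-mini \
        --embedder native
```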

Air-Gapped Deployment

The :gpu image includes Ollama and a pre-baked Qwen3:4b model. No network access is required after the image is pulled. This is suitable for regulated environments where source code cannot leave the network.

Setup

  1. Pull the GPU image to your internal registry:
    docker pull ghcr.io/ericbintner/prep-headless:gpu
    docker tag ghcr.io/ericbintner/prep-headless:gpu registry.internal/prep:gpu
    docker push registry.internal/prep:gpu
  2. Run with GPU access:
    docker run --gpus all \
      -e PREP_S3_ENDPOINT=https://minio.internal:9000 \
      -e PREP_S3_BUCKET=prep-indexes \
      -e PREP_S3_ACCESS_KEY=$ACCESS_KEY \
      -e PREP_S3_SECRET_KEY=$SECRET_KEY \
      -v /mnt/repos/my-project:/workspace \
      registry.internal/prep:gpu \
      sync-headless \
        --repo-path /workspace \
        --model-provider local \
        --model-name qwen3:4b \
        --embedder native
  3. The entrypoint script automatically starts Ollama in the background when --model-provider local is specified.
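Step 3's startup logic can be pictured roughly as follows. This is an illustrative sketch, not the shipped entrypoint; the function name is hypothetical, and the readiness check assumes Ollama's standard HTTP API on port 11434.

```shell
# Illustrative sketch of the entrypoint's local-LLM startup
# (the real script ships inside the image).
start_local_llm() {
  ollama serve &            # run the model server in the background
  OLLAMA_PID=$!
  # Poll the Ollama HTTP API until it answers, for up to ~30 s.
  for _ in $(seq 1 30); do
    if curl -sf http://127.0.0.1:11434/api/tags >/dev/null 2>&1; then
      return 0
    fi
    sleep 1
  done
  echo "error: ollama did not become ready" >&2
  kill "$OLLAMA_PID" 2>/dev/null
  return 1
}
# The indexer itself only starts once start_local_llm succeeds.
```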

Using Larger Models

The default image includes qwen3:4b (~2.5 GB). For better enrichment quality on large codebases, you can bake a larger model into a custom image:

FROM ghcr.io/ericbintner/prep-headless:gpu
RUN ollama serve & sleep 3 && ollama pull qwen3:8b && kill $!

AWS ECS / Fargate

Run the headless indexer as an ECS task with GPU support. A reference task definition is provided in the prep-deploy repository under aws/.

  • Use p3.2xlarge or g4dn.xlarge instance types for GPU tasks.
  • Storage: Internal S3 with IAM role auth (no static keys needed).
  • Trigger via EventBridge rule on CodeCommit/CodePipeline events or GitHub webhook.
  • For CPU-only: any Fargate task type works (no GPU instance required).
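The GPU-relevant part of a task definition looks roughly like the fragment below. The reference definition in prep-deploy under aws/ is authoritative; family, container, and value names here are placeholders.

```json
{
  "family": "prep-headless-gpu",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {
      "name": "prep",
      "image": "ghcr.io/ericbintner/prep-headless:gpu",
      "resourceRequirements": [{ "type": "GPU", "value": "1" }],
      "environment": [
        { "name": "PREP_S3_BUCKET", "value": "prep-indexes" }
      ],
      "command": [
        "sync-headless",
        "--repo-path", "/workspace",
        "--model-provider", "local",
        "--model-name", "qwen3:4b",
        "--embedder", "native"
      ]
    }
  ]
}
```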

Azure

Use Azure Container Apps with GPU profiles or Azure ML Processing Jobs.

  • Storage: Azure Blob Storage behind an S3-compatible gateway such as MinIO, referenced via PREP_S3_ENDPOINT (Blob Storage does not expose a native S3 API).
  • Auth: Managed Identity or connection string in Key Vault.
  • Trigger: Azure DevOps pipeline or GitHub Actions webhook.

Serverless GPU (RunPod / Modal)

RunPod and Modal provide GPU-powered indexing for teams that do not want to manage infrastructure. Both scale to zero when idle, so you only pay for actual indexing time.

Modal

  1. Install the Modal CLI: pip install modal && modal setup
  2. Save your S3 credentials as a Modal Secret named prep-s3-creds.
  3. Deploy the adapter: modal deploy modal/modal_adapter.py
  4. Copy the webhook URL into your GitHub Action.
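Step 4 might look like this in a workflow; the secret name and the payload fields are assumptions about the adapter's interface.

```yaml
# Hypothetical trigger step; secret name and payload shape are assumptions.
- name: Trigger SourcePrep index on Modal
  run: |
    curl -sf -X POST "${{ secrets.PREP_MODAL_WEBHOOK_URL }}" \
      -H 'Content-Type: application/json' \
      -d '{"repo_url": "https://github.com/${{ github.repository }}", "branch": "${{ github.ref_name }}"}'
```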

Adapter source: prep-deploy/modal/

RunPod

  1. Build and push the RunPod image:
    docker build -f runpod/Dockerfile.runpod -t my-org/prep-runpod .
    docker push my-org/prep-runpod
  2. Create a Serverless Endpoint in the RunPod dashboard using your image.
  3. Set S3 credentials as endpoint environment variables.
  4. Trigger via GitHub Actions webhook or API call.

Handler source: prep-deploy/runpod/
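RunPod serverless endpoints wrap job arguments in an input object; what the handler in prep-deploy/runpod/ expects inside input is defined there, so the fields and repository URL below are illustrative assumptions.

```json
{
  "input": {
    "repo_url": "https://github.com/acme/app",
    "branch": "main"
  }
}
```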


Cost Comparison

Approximate costs for a ~5,000-file codebase with 5 merges/day.

Method                        Per run  Monthly (est.)      Privacy
CPU + OpenAI (gpt-4.1-mini)   ~$8      ~$1,200             Code sent to OpenAI
GPU + Qwen3 (RunPod A4000)    ~$0.60   ~$90                Fully private
GPU incremental (typical PR)  ~$0.05   ~$8                 Fully private
Air-gapped (own GPU server)   $0       Hardware cost only  Fully private
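The monthly column follows from simple arithmetic: 5 merges/day x 30 days is about 150 full runs per month, times the per-run cost. A quick check:

```shell
# Sanity-check the monthly estimates: per-run cost * ~150 runs/month.
runs_per_month=$((5 * 30))
awk -v n="$runs_per_month" 'BEGIN {
  printf "CPU + OpenAI:    $%.0f\n", 8.00 * n    # matches ~$1,200
  printf "GPU + Qwen3:     $%.0f\n", 0.60 * n    # matches ~$90
  printf "GPU incremental: $%.2f\n", 0.05 * n    # ~$7.50, i.e. ~$8
}'
```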

Security Posture

  • No telemetry. SourcePrep does not phone home, collect usage data, or send any information to external servers.
  • No cloud dependency. The GPU image includes everything needed to run completely offline.
  • Secrets leakage detection. SourcePrep warns if credential-like keys appear in team_config.json (which is committed to Git).
  • No secrets in committed files. S3 credentials are resolved from environment variables or a gitignored .sourceprep/.secrets file, never from files committed to Git.
  • Offline license activation. Enterprise licenses are Ed25519-signed and validated locally. No internet required after activation.

Enterprise Features

Enterprise licenses include all Team features plus:

Feature                Status     Description
Air-gapped deployment  Available  GPU Docker image with baked-in models, no internet required
VPC deployment         Available  AWS ECS, Azure, or any container orchestrator with GPU support
Offline licensing      Available  Ed25519-signed license files, no phone-home after activation
SSO (SAML/OIDC)        Roadmap    Single sign-on integration for identity management
SCIM provisioning      Roadmap    Automated user provisioning and deprovisioning
Audit logging          Roadmap    Who accessed what, exportable audit trail

Roadmap features are actively in development. Contact [email protected] to discuss your requirements and timeline.


team_config.json Reference

The team configuration file is committed to your repository at .sourceprep/team_config.json. It contains only non-secret settings; credentials are resolved from environment variables or .sourceprep/.secrets (gitignored).

Sync Configuration

{
  "sync": {
    "enabled": true,
    "s3_endpoint": "https://<account-id>.r2.cloudflarestorage.com",
    "s3_bucket": "prep-team-indexes",
    "s3_prefix": "my-repo-name",
    "poll_interval_minutes": 30
  }
}
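The credentials that pair with the sync block above live outside Git, either as environment variables or in the gitignored .sourceprep/.secrets file. The exact file format is not documented here, so treat this env-style sketch as an assumption:

```shell
# .sourceprep/.secrets -- gitignored; env-style format is an assumption.
PREP_S3_ACCESS_KEY=AKIA...
PREP_S3_SECRET_KEY=...
```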

Policy Configuration

{
  "format_version": 1,
  "enforcement": {
    "mode": "warn"
  },
  "policy": {
    "include_globs": ["src/**", "lib/**"],
    "exclude_globs": ["**/node_modules/**", "**/dist/**"]
  },
  "features": {
    "trace_enabled_default": true
  },
  "models": {
    "embedding_provider": "native",
    "embedding_model": "nomic-embed-text-v1.5"
  }
}
Field                       Type               Description
enforcement.mode            "warn" | "strict"  warn logs policy violations; strict blocks them
policy.include_globs        string[]           Glob patterns for files to include in indexing
policy.exclude_globs        string[]           Glob patterns for files to exclude from indexing
sync.enabled                boolean            Enable remote sync from S3 bucket
sync.s3_endpoint            string             S3-compatible endpoint URL
sync.s3_bucket              string             Bucket name
sync.s3_prefix              string             Key prefix (usually repo name)
sync.poll_interval_minutes  number             How often local clients check for updates (default: 30)

CLI Reference

prep sync-headless
  --repo-path .                     # Path to a pre-cloned repository
  --repo-url https://...            # Or: clone from URL (uses $GIT_TOKEN for auth)
  --branch main                     # Branch to index (default: main)
  --model-provider openai           # local | openai | anthropic | google
  --model-name gpt-4.1-mini         # Model name for enrichment pipeline
  --api-key sk-...                   # API key (or use env: OPENAI_API_KEY, etc.)
  --embedder native                 # native (ONNX, CPU) | ollama
  --full                            # Force full rebuild (skip incremental)
  --s3-endpoint https://...         # S3 endpoint (or PREP_S3_ENDPOINT env)
  --s3-bucket my-bucket             # S3 bucket (or PREP_S3_BUCKET env)
  --s3-prefix my-repo               # S3 prefix (or PREP_S3_PREFIX env)
  --s3-access-key AKIA...           # S3 access key (or PREP_S3_ACCESS_KEY env)
  --s3-secret-key ...               # S3 secret key (or PREP_S3_SECRET_KEY env)

Resources