Align OS and VM runtime defaults

SecAI-Hub · SecAI-Hub · commit 11cb3619d940 · 2026-04-24T11:07:59.000-07:00
diff --git a/files/scripts/build-services.sh b/files/scripts/build-services.sh
@@ -354,7 +354,7 @@ if [ -d "/tmp/services/ui" ]; then
 export PYTHONPATH="${PYTHONPATH:-/usr/lib/python3/site-packages}"
 exec gunicorn \
     --bind "${BIND_ADDR:-127.0.0.1:8480}" \
-    --workers "${GUNICORN_WORKERS:-2}" \
+    --workers "${GUNICORN_WORKERS:-1}" \
     --threads "${GUNICORN_THREADS:-4}" \
     --timeout "${GUNICORN_TIMEOUT:-60}" \
     --graceful-timeout 15 \
@@ -393,6 +393,8 @@ if [ ! -f /var/lib/secure-ai/.diffusion-ready ]; then
     exit 1
 fi
 source /var/lib/secure-ai/diffusion-venv/bin/activate
+export LANG="${LANG:-C.UTF-8}"
+export LC_ALL="${LC_ALL:-C.UTF-8}"
 export PYTHONPATH="/opt/secure-ai/services/diffusion-worker:${PYTHONPATH:-}"
 exec gunicorn \
     --chdir /opt/secure-ai/services/diffusion-worker \
diff --git a/files/system/usr/lib/systemd/system/secure-ai-ui.service b/files/system/usr/lib/systemd/system/secure-ai-ui.service
@@ -20,6 +20,7 @@ Environment=SECURE_AI_ROOT=/var/lib/secure-ai
 Environment=AUTH_DATA_DIR=/var/lib/secure-ai/auth
 Environment=AUDIT_LOG_PATH=/var/lib/secure-ai/logs/ui-audit.jsonl
 Environment=SERVICE_TOKEN_PATH=/run/secure-ai/service-token
+Environment=GUNICORN_WORKERS=1
 
 # Filesystem isolation
 DynamicUser=yes
diff --git a/tests/test_gunicorn_config.py b/tests/test_gunicorn_config.py
@@ -18,6 +18,7 @@
 
 REPO_ROOT = Path(__file__).resolve().parent.parent
 UNITS_DIR = REPO_ROOT / "files" / "system" / "usr" / "lib" / "systemd" / "system"
+BUILD_SCRIPT = REPO_ROOT / "files" / "scripts" / "build-services.sh"
 
 # Services being migrated to Gunicorn (agent excluded)
 GUNICORN_SERVICES = {
@@ -110,6 +111,23 @@ def test_agent_not_using_gunicorn(self):
             "Agent service should NOT use gunicorn (keeps make_server)"
 
 
+class TestOsVmGunicornRuntimeDefaults:
+    """OS and VM images should inherit the same stable runtime defaults as sandbox."""
+
+    def test_ui_unit_forces_single_worker(self):
+        content = _read_unit("secure-ai-ui.service")
+        assert "Environment=GUNICORN_WORKERS=1" in content
+
+    def test_ui_wrapper_defaults_to_single_worker(self):
+        content = BUILD_SCRIPT.read_text(encoding="utf-8")
+        assert '--workers "${GUNICORN_WORKERS:-1}"' in content
+
+    def test_diffusion_wrapper_sets_utf8_locale(self):
+        content = BUILD_SCRIPT.read_text(encoding="utf-8")
+        assert 'export LANG="${LANG:-C.UTF-8}"' in content
+        assert 'export LC_ALL="${LC_ALL:-C.UTF-8}"' in content
+
+
 class TestModuleExportsApp:
     """Each Flask service module must export 'app' at module level for WSGI import."""
 
