lightspeed-core
diff --git a/‎.konflux/requirements.hashes.source.txt‎
Lines changed: 3 additions & 0 deletions b/‎.konflux/requirements.hashes.source.txt‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.konflux/requirements.hashes.wheel.txt‎
Lines changed: 0 additions & 2 deletions b/‎.konflux/requirements.hashes.wheel.txt‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎.konflux/requirements.hermetic.txt‎
Lines changed: 2 additions & 2 deletions b/‎.konflux/requirements.hermetic.txt‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.tekton/lightspeed-stack-pull-request.yaml‎
Lines changed: 19 additions & 7 deletions b/‎.tekton/lightspeed-stack-pull-request.yaml‎
Lines changed: 19 additions & 7 deletions
diff --git a/‎.tekton/lightspeed-stack-push.yaml‎
Lines changed: 19 additions & 7 deletions b/‎.tekton/lightspeed-stack-push.yaml‎
Lines changed: 19 additions & 7 deletions
diff --git a/‎Makefile‎
Lines changed: 88 additions & 5 deletions b/‎Makefile‎
Lines changed: 88 additions & 5 deletions
@@ -500,6 +500,9 @@ importlib-metadata==8.5.0 \
 joserfc==1.6.4 \
     --hash=sha256:34ce5f499bfcc5e9ad4cc75077f9278ab3227b71da9aaf28f9ab705f8a560d3c \
     --hash=sha256:3e4a22b509b41908989237a045e25c8308d5fd47ab96bdae2dd8057c6451003a
+idna==3.15 \
+    --hash=sha256:048adeaf8c2d788c40fee287673ccaa74c24ffd8dcf09ffa555a2fbb59f10ac8 \
+    --hash=sha256:ca962446ea538f7092a95e057da437618e886f4d349216d2b1e294abfdb65fdc
 jsonpath-ng==1.8.0 \
     --hash=sha256:54252968134b5e549ea5b872f1df1168bd7defe1a52fed5a358c194e1943ddc3 \
     --hash=sha256:b8dde192f8af58d646fc031fac9c99fe4d00326afc4148f1f043c601a8cfe138
 
@@ -84,8 +84,6 @@ httpx==0.28.1 \
     --hash=sha256:c75bc8d287ff8e92be7e4359732032ba1b93fa3f920ee1cb179ba09bb613dc7a
 httpx-sse==0.4.3 \
     --hash=sha256:74d0e4713b33a61ca0083d00841f00f12d6b3dd311edb62ccc85809b607b9fb5
-idna==3.11 \
-    --hash=sha256:e1049ef074501ba8c5d802d712b257889257f6d2f460f959f26c4b2d4375923c
 jinja2==3.1.6 \
     --hash=sha256:961c7281585491fb02ca0027b29e9ffc7a1bd7b52a5e03095f3a4e3afc42336e
 jiter==0.12.0 \
 
@@ -1,2 +1,2 @@
-uv==0.9.16
-pip==25.3
+uv==0.11.6
+pip==26.1
@@ -58,7 +58,7 @@ spec:
            ],
            "requirements_build_files": ["requirements-build.txt"],
            "binary": {
-             "packages": "aiohappyeyeballs,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,cffi,chevron,cryptography,click,dill,distro,dnspython,docstring-parser,durationpy,einops,email-validator,faiss-cpu,fire,frozenlist,fsspec,google-crc32c,google-genai,grpcio,grpcio-status,h11,hf-xet,httpcore,httpx,httpx-sse,idna,importlib-metadata,jinja2,jiter,joblib,jsonschema-specifications,kubernetes,markdown-it-py,mdurl,mpmath,multidict,networkx,numpy,oauthlib,packaging,pandas,peft,pillow,prometheus-client,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1-modules,pycparser,pydantic,pydantic-core,python-dateutil,pyyaml,referencing,requests-oauthlib,rpds-py,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,termcolor,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,tree-sitter,triton,typing-extensions,typing-inspection,websocket-client,websockets,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
+             "packages": "aiohappyeyeballs,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,cffi,chevron,cryptography,click,dill,distro,dnspython,docstring-parser,durationpy,einops,email-validator,faiss-cpu,fire,frozenlist,fsspec,google-crc32c,google-genai,grpcio,grpcio-status,h11,hf-xet,httpcore,httpx,httpx-sse,importlib-metadata,jinja2,jiter,joblib,jsonschema-specifications,kubernetes,markdown-it-py,mdurl,mpmath,multidict,networkx,numpy,oauthlib,packaging,pandas,peft,pillow,prometheus-client,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1-modules,pycparser,pydantic,pydantic-core,python-dateutil,pyyaml,referencing,requests-oauthlib,rpds-py,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,termcolor,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,tree-sitter,triton,typing-extensions,typing-inspection,websocket-client,websockets,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
              "os": "linux",
              "arch": "x86_64,aarch64",
              "py_version": 312
@@ -149,6 +149,10 @@ spec:
       default: 'true'
       description: Use the package registry proxy when prefetching dependencies
       type: string
+    - name: sast-target-dirs
+      type: string
+      default: .
+      description: Target directories to scan with SAST tools. Multiple values should be separated with commas.
     results:
     - description: ""
       name: IMAGE_URL
@@ -172,7 +176,7 @@ spec:
         - name: name
           value: init
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4
+          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08
         - name: kind
           value: task
         resolver: bundles
@@ -219,7 +223,7 @@ spec:
         - name: name
           value: prefetch-dependencies-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:1b209c0d93e52e418f3e6cd4b4fd915a84e4bd7f68e1cfd0d6446133540d7f43
+          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d
         - name: kind
           value: task
         resolver: bundles
@@ -342,7 +346,7 @@ spec:
         - name: name
           value: deprecated-image-check
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:57d1f556982115311f603dd9a728c52a7a1d092f022e1db4560da01eca9e5d17
+          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e
         - name: kind
           value: task
         resolver: bundles
@@ -369,7 +373,7 @@ spec:
         - name: name
           value: clair-scan
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:cd49cdea7e5403a87c4774bd8ea10bc4e6aeb83841ff490cbe42b782779513a7
+          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894
         - name: kind
           value: task
         resolver: bundles
@@ -394,7 +398,7 @@ spec:
         - name: name
           value: ecosystem-cert-preflight-checks
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:25dcef1d9270b2e03fe6710a733171f7c7208e341fc627dac3a579088f44af34
+          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799
         - name: kind
           value: task
         resolver: bundles
@@ -415,6 +419,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
         value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -487,6 +493,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - coverity-availability-check
       taskRef:
@@ -534,6 +542,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -560,6 +570,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -629,7 +641,7 @@ spec:
         - name: name
           value: rpms-signature-scan
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1d807f6be3be2bd8bff76321e9599bbafce8196dcd9597eeffd9df65466682af
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93
         - name: kind
           value: task
         resolver: bundles
 
@@ -50,7 +50,7 @@ spec:
           ],
           "requirements_build_files": ["requirements-build.txt"],
           "binary": {
-            "packages": "aiohappyeyeballs,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,cffi,chevron,cryptography,click,dill,distro,dnspython,docstring-parser,durationpy,einops,email-validator,faiss-cpu,fire,frozenlist,fsspec,google-crc32c,google-genai,grpcio,grpcio-status,h11,hf-xet,httpcore,httpx,httpx-sse,idna,importlib-metadata,jinja2,jiter,joblib,jsonschema-specifications,kubernetes,markdown-it-py,mdurl,mpmath,multidict,networkx,numpy,oauthlib,packaging,pandas,peft,pillow,prometheus-client,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1-modules,pycparser,pydantic,pydantic-core,python-dateutil,pyyaml,referencing,requests-oauthlib,rpds-py,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,termcolor,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,tree-sitter,triton,typing-extensions,typing-inspection,websocket-client,websockets,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
+            "packages": "aiohappyeyeballs,aiosignal,aiosqlite,annotated-doc,annotated-types,anyio,asyncpg,cffi,chevron,cryptography,click,dill,distro,dnspython,docstring-parser,durationpy,einops,email-validator,faiss-cpu,fire,frozenlist,fsspec,google-crc32c,google-genai,grpcio,grpcio-status,h11,hf-xet,httpcore,httpx,httpx-sse,importlib-metadata,jinja2,jiter,joblib,jsonschema-specifications,kubernetes,markdown-it-py,mdurl,mpmath,multidict,networkx,numpy,oauthlib,packaging,pandas,peft,pillow,prometheus-client,prompt-toolkit,propcache,psycopg2-binary,pyarrow,pyasn1-modules,pycparser,pydantic,pydantic-core,python-dateutil,pyyaml,referencing,requests-oauthlib,rpds-py,safetensors,scikit-learn,scipy,setuptools,six,sniffio,sqlalchemy,sympy,termcolor,threadpoolctl,tiktoken,tokenizers,torch,tqdm,transformers,tree-sitter,triton,typing-extensions,typing-inspection,websocket-client,websockets,wrapt,xxhash,yarl,zipp,uv,pip,maturin",
             "os": "linux",
             "arch": "x86_64,aarch64",
             "py_version": 312
@@ -137,6 +137,10 @@ spec:
       default: 'true'
       description: Use the package registry proxy when prefetching dependencies
       type: string
+    - name: sast-target-dirs
+      type: string
+      default: .
+      description: Target directories to scan with SAST tools. Multiple values should be separated with commas.
     results:
     - description: ""
       name: IMAGE_URL
@@ -157,7 +161,7 @@ spec:
         - name: name
           value: init
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4
+          value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08
         - name: kind
           value: task
         resolver: bundles
@@ -204,7 +208,7 @@ spec:
         - name: name
           value: prefetch-dependencies-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:1b209c0d93e52e418f3e6cd4b4fd915a84e4bd7f68e1cfd0d6446133540d7f43
+          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d
         - name: kind
           value: task
         resolver: bundles
@@ -323,7 +327,7 @@ spec:
         - name: name
           value: deprecated-image-check
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:57d1f556982115311f603dd9a728c52a7a1d092f022e1db4560da01eca9e5d17
+          value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:e78d0d3baf3c8cfc1a5ad278196b74032d9568b143a87c7a79ab780fedfb296e
         - name: kind
           value: task
         resolver: bundles
@@ -350,7 +354,7 @@ spec:
         - name: name
           value: clair-scan
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:cd49cdea7e5403a87c4774bd8ea10bc4e6aeb83841ff490cbe42b782779513a7
+          value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:8fad4c2e2f470f82ee43d6b2ac72327b4d9c6e9cb514a678911c1c9359c29894
         - name: kind
           value: task
         resolver: bundles
@@ -375,7 +379,7 @@ spec:
         - name: name
           value: ecosystem-cert-preflight-checks
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:25dcef1d9270b2e03fe6710a733171f7c7208e341fc627dac3a579088f44af34
+          value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799
         - name: kind
           value: task
         resolver: bundles
@@ -396,6 +400,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       - name: ARGS
         value: --project-name=lightspeed-stack --report --org=dca2ca89-7e51-4a3a-b7a5-6ad5633057b8
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -468,6 +474,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - coverity-availability-check
       taskRef:
@@ -515,6 +523,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -541,6 +551,8 @@ spec:
         value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+      - name: TARGET_DIRS
+        value: $(params.sast-target-dirs)
       runAfter:
       - build-image-index
       taskRef:
@@ -613,7 +625,7 @@ spec:
         - name: name
           value: rpms-signature-scan
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1d807f6be3be2bd8bff76321e9599bbafce8196dcd9597eeffd9df65466682af
+          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93
         - name: kind
           value: task
         resolver: bundles
 
@@ -11,13 +11,96 @@ PYTHON_REGISTRY = pypi
 CONFIG ?= lightspeed-stack.yaml
 LLAMA_STACK_CONFIG ?= run.yaml
 
-run: ## Run the service locally
+# Container configuration
+LLAMA_STACK_CONTAINER_NAME ?= lightspeed-llama-stack
+LLAMA_STACK_IMAGE ?= lightspeed-llama-stack:local
+LLAMA_STACK_PORT ?= 8321
+CONTAINER_RUNTIME ?= $(shell command -v podman 2>/dev/null || command -v docker 2>/dev/null)
+
+.PHONY: run build-llama-stack-image remove-llama-stack-container start-llama-stack-container wait-for-llama-stack-health clean-llama-stack
+
+run: start-llama-stack-container ## Run the service locally with llama-stack container
+	@echo "Starting Lightspeed Core Stack..."
 	uv run src/lightspeed_stack.py -c $(CONFIG)
 
-run-llama-stack: ## Start Llama Stack with enriched config (for local service mode)
-	uv run src/llama_stack_configuration.py -c $(CONFIG) -i $(LLAMA_STACK_CONFIG) -o $(LLAMA_STACK_CONFIG) && \
-	AZURE_API_KEY=$$(grep '^AZURE_API_KEY=' .env | cut -d'=' -f2-) \
-	uv run llama stack run $(LLAMA_STACK_CONFIG)
+build-llama-stack-image: remove-llama-stack-container ## Build llama-stack container image
+	@echo "Building llama-stack container image..."
+	@if [ -z "$(CONTAINER_RUNTIME)" ]; then \
+		echo "ERROR: No container runtime found. Install podman or docker."; \
+		exit 1; \
+	fi
+	$(CONTAINER_RUNTIME) build -f deploy/llama-stack/test.containerfile -t $(LLAMA_STACK_IMAGE) .
+
+remove-llama-stack-container: ## Remove existing llama-stack container
+	@if [ -n "$(CONTAINER_RUNTIME)" ] && $(CONTAINER_RUNTIME) inspect $(LLAMA_STACK_CONTAINER_NAME) >/dev/null 2>&1; then \
+		echo "Removing existing llama-stack container..."; \
+		$(CONTAINER_RUNTIME) rm -f $(LLAMA_STACK_CONTAINER_NAME); \
+	fi
+
+start-llama-stack-container: build-llama-stack-image ## Start llama-stack container
+	@echo "Starting llama-stack container..."
+	$(CONTAINER_RUNTIME) run -d \
+		--name $(LLAMA_STACK_CONTAINER_NAME) \
+		-p $(LLAMA_STACK_PORT):8321 \
+		--health-cmd "curl -f http://localhost:8321/v1/health || exit 1" \
+		--health-interval 10s \
+		--health-timeout 5s \
+		--health-retries 3 \
+		--health-start-period 15s \
+		-v $(PWD)/$(LLAMA_STACK_CONFIG):/opt/app-root/run.yaml:ro,z \
+		-v $(PWD)/$(CONFIG):/opt/app-root/lightspeed-stack.yaml:ro,z \
+		-v $(PWD)/scripts/llama-stack-entrypoint.sh:/opt/app-root/enrich-entrypoint.sh:ro,z \
+		-v $(PWD)/src/llama_stack_configuration.py:/opt/app-root/llama_stack_configuration.py:ro,z \
+		-e OPENAI_API_KEY \
+		-e EXTERNAL_PROVIDERS_DIR=$${EXTERNAL_PROVIDERS_DIR:-/opt/app-root/external_providers} \
+		-e BRAVE_SEARCH_API_KEY \
+		-e TAVILY_SEARCH_API_KEY \
+		-e E2E_OPENAI_MODEL=$${E2E_OPENAI_MODEL:-gpt-4o-mini} \
+		-e TENANT_ID=$${TENANT_ID:-} \
+		-e CLIENT_ID=$${CLIENT_ID:-} \
+		-e CLIENT_SECRET \
+		-e RHAIIS_URL=$${RHAIIS_URL:-} \
+		-e RHAIIS_PORT=$${RHAIIS_PORT:-} \
+		-e RHAIIS_API_KEY \
+		-e RHAIIS_MODEL=$${RHAIIS_MODEL:-} \
+		-e RHEL_AI_URL=$${RHEL_AI_URL:-} \
+		-e RHEL_AI_PORT=$${RHEL_AI_PORT:-} \
+		-e RHEL_AI_API_KEY \
+		-e RHEL_AI_MODEL=$${RHEL_AI_MODEL:-} \
+		-e GOOGLE_APPLICATION_CREDENTIALS \
+		-e VERTEX_AI_PROJECT=$${VERTEX_AI_PROJECT:-} \
+		-e VERTEX_AI_LOCATION=$${VERTEX_AI_LOCATION:-} \
+		-e WATSONX_BASE_URL=$${WATSONX_BASE_URL:-} \
+		-e WATSONX_PROJECT_ID=$${WATSONX_PROJECT_ID:-} \
+		-e WATSONX_API_KEY \
+		-e LITELLM_DROP_PARAMS=true \
+		-e AWS_BEARER_TOKEN_BEDROCK \
+		-e LLAMA_STACK_LOGGING=$${LLAMA_STACK_LOGGING:-} \
+		-e FAISS_VECTOR_STORE_ID=$${FAISS_VECTOR_STORE_ID:-} \
+		$(LLAMA_STACK_IMAGE)
+	@$(MAKE) wait-for-llama-stack-health
+
+wait-for-llama-stack-health: ## Wait for llama-stack container to be healthy
+	@echo "Waiting for llama-stack container to be healthy..."
+	@for i in {1..30}; do \
+		STATUS=$$($(CONTAINER_RUNTIME) inspect --format='{{.State.Health.Status}}' $(LLAMA_STACK_CONTAINER_NAME) 2>/dev/null || echo "no-healthcheck"); \
+		if [ "$$STATUS" = "healthy" ]; then \
+			echo "✓ Llama-stack is healthy and ready!"; \
+			exit 0; \
+		fi; \
+		echo "  Health status: $$STATUS (attempt $$i/30)"; \
+		sleep 2; \
+	done; \
+	echo "✗ ERROR: Llama-stack did not become healthy within 60 seconds"; \
+	echo "Container logs:"; \
+	$(CONTAINER_RUNTIME) logs $(LLAMA_STACK_CONTAINER_NAME); \
+	exit 1
+
+clean-llama-stack: remove-llama-stack-container ## Remove container and image
+	@if [ -n "$(CONTAINER_RUNTIME)" ] && $(CONTAINER_RUNTIME) images -q $(LLAMA_STACK_IMAGE) | grep -q .; then \
+		echo "Removing llama-stack image..."; \
+		$(CONTAINER_RUNTIME) rmi $(LLAMA_STACK_IMAGE); \
+	fi
 
 test-unit: ## Run the unit tests
 	@echo "Running unit tests..."