feat(deploy): self-contained containerd with embedded MCP image

- Add Dockerfile.containerd: multi-stage build that compiles MCP binary,
  assembles rootfs, creates Docker image tar, and bundles it with containerd
- Add containerd-entrypoint.sh: auto-imports MCP image on first start
- Fix MCP image reference: rename busybox_image to image in config,
  use fully-qualified docker.io/library/memoh-mcp:latest everywhere
- Make image ref configurable via config.toml instead of hardcoded
- Simplify deploy.sh: remove manual nerdctl/containerd-install steps

scripts/containerd-install.sh

@@ -1,131 +0,0 @@
-#!/usr/bin/env sh
-set -e
-
-detect_distro() {
-  DISTRO_ID="unknown"
-  DISTRO_LIKE=""
-
-  # shellcheck disable=SC1091
-  if [ -r /etc/os-release ]; then
-    . /etc/os-release
-    if [ -n "${ID:-}" ]; then
-      DISTRO_ID="$ID"
-    fi
-    if [ -n "${ID_LIKE:-}" ]; then
-      DISTRO_LIKE="$ID_LIKE"
-    fi
-  fi
-}
-
-detect_distro
-
-if [ "$(uname -s)" = "Darwin" ]; then
-  limactl start default
-  limactl shell default -- sudo containerd --version
-  exit $?
-fi
-
-if command -v containerd >/dev/null 2>&1 \
-  && command -v nerdctl >/dev/null 2>&1 \
-  && command -v buildctl >/dev/null 2>&1 \
-  && command -v buildkitd >/dev/null 2>&1; then
-  containerd --version
-  nerdctl --version
-  buildctl --version
-  exit 0
-fi
-
-if ! command -v containerd >/dev/null 2>&1; then
-  echo "Detected distro: ${DISTRO_ID}${DISTRO_LIKE:+ (like: $DISTRO_LIKE)}"
-
-  if command -v apt-get >/dev/null 2>&1; then
-    sudo apt-get update
-    # Debian/Ubuntu usually provide "containerd"; some setups use "containerd.io".
-    sudo apt-get install -y containerd || sudo apt-get install -y containerd.io
-  elif command -v dnf >/dev/null 2>&1; then
-    sudo dnf install -y containerd || sudo dnf install -y containerd.io
-  elif command -v yum >/dev/null 2>&1; then
-    sudo yum install -y containerd || sudo yum install -y containerd.io
-  elif command -v apk >/dev/null 2>&1; then
-    sudo apk add --no-cache containerd
-  elif command -v zypper >/dev/null 2>&1; then
-    sudo zypper --non-interactive install -y containerd
-  elif command -v pacman >/dev/null 2>&1; then
-    sudo pacman -Sy --noconfirm containerd
-  else
-    echo "No supported package manager found. Install containerd manually."
-    exit 1
-  fi
-fi
-
-if ! command -v nerdctl >/dev/null 2>&1 || ! command -v buildctl >/dev/null 2>&1 || ! command -v buildkitd >/dev/null 2>&1; then
-  OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
-  ARCH="$(uname -m)"
-  NERDCTL_VERSION="${NERDCTL_VERSION:-}"
-
-  if [ "$OS" != "linux" ]; then
-    echo "Automatic nerdctl installation from release is only supported on Linux."
-    exit 1
-  fi
-
-  case "$ARCH" in
-    x86_64|amd64)
-      ARCH="amd64"
-      ;;
-    aarch64|arm64)
-      ARCH="arm64"
-      ;;
-    *)
-      echo "Unsupported architecture for nerdctl release: $ARCH"
-      exit 1
-      ;;
-  esac
-
-  if [ -z "$NERDCTL_VERSION" ]; then
-    RELEASES_API_URL="https://api.github.com/repos/containerd/nerdctl/releases/latest"
-    if command -v curl >/dev/null 2>&1; then
-      NERDCTL_VERSION="$(curl -fsSL "$RELEASES_API_URL" | sed -n 's/.*"tag_name":[[:space:]]*"v\{0,1\}\([^"]*\)".*/\1/p' | head -n1)"
-    elif command -v wget >/dev/null 2>&1; then
-      NERDCTL_VERSION="$(wget -qO- "$RELEASES_API_URL" | sed -n 's/.*"tag_name":[[:space:]]*"v\{0,1\}\([^"]*\)".*/\1/p' | head -n1)"
-    fi
-  fi
-
-  if [ -z "$NERDCTL_VERSION" ]; then
-    echo "Failed to detect latest nerdctl version. Set NERDCTL_VERSION manually."
-    exit 1
-  fi
-
-  NERDCTL_TARBALL="nerdctl-full-${NERDCTL_VERSION}-linux-${ARCH}.tar.gz"
-  NERDCTL_URL="https://github.com/containerd/nerdctl/releases/download/v${NERDCTL_VERSION}/${NERDCTL_TARBALL}"
-  TMP_DIR="$(mktemp -d)"
-  TMP_TARBALL="${TMP_DIR}/${NERDCTL_TARBALL}"
-
-  cleanup() {
-    rm -rf "$TMP_DIR"
-  }
-  trap cleanup EXIT INT TERM
-
-  if command -v curl >/dev/null 2>&1; then
-    curl -fsSL "$NERDCTL_URL" -o "$TMP_TARBALL"
-  elif command -v wget >/dev/null 2>&1; then
-    wget -qO "$TMP_TARBALL" "$NERDCTL_URL"
-  else
-    echo "curl or wget is required to download nerdctl."
-    exit 1
-  fi
-
-  tar -xzf "$TMP_TARBALL" -C "$TMP_DIR"
-  sudo install -m 0755 "$TMP_DIR/bin/nerdctl" /usr/local/bin/nerdctl
-  sudo install -m 0755 "$TMP_DIR/bin/buildctl" /usr/local/bin/buildctl
-  sudo install -m 0755 "$TMP_DIR/bin/buildkitd" /usr/local/bin/buildkitd
-
-  if command -v systemctl >/dev/null 2>&1 && [ -f "$TMP_DIR/lib/systemd/system/buildkit.service" ]; then
-    sudo install -m 0644 "$TMP_DIR/lib/systemd/system/buildkit.service" /etc/systemd/system/buildkit.service
-    sudo systemctl daemon-reload
-    sudo systemctl enable --now buildkit.service || true
-  fi
-fi
-
-containerd --version
-nerdctl --version
-buildctl --version

scripts/install.sh

@@ -0,0 +1,126 @@
+#!/bin/sh
+set -e
+
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+REPO="https://github.com/memohai/Memoh.git"
+BRANCH="feat/containerd-in-docker"
+DIR="Memoh"
+SILENT=false
+
+# Parse flags
+for arg in "$@"; do
+  case "$arg" in
+    -y|--yes) SILENT=true ;;
+  esac
+done
+
+# Auto-silent if no TTY available
+if [ "$SILENT" = false ] && ! [ -e /dev/tty ]; then
+  SILENT=true
+fi
+
+echo "${GREEN}========================================${NC}"
+echo "${GREEN}   Memoh One-Click Install${NC}"
+echo "${GREEN}========================================${NC}"
+echo ""
+
+# Check Docker
+if ! command -v docker >/dev/null 2>&1; then
+    echo "${RED}Error: Docker is not installed${NC}"
+    echo "Install Docker first: https://docs.docker.com/get-docker/"
+    exit 1
+fi
+if ! docker compose version >/dev/null 2>&1; then
+    echo "${RED}Error: Docker Compose v2 is required${NC}"
+    echo "Install: https://docs.docker.com/compose/install/"
+    exit 1
+fi
+echo "${GREEN}✓ Docker and Docker Compose detected${NC}"
+echo ""
+
+# Generate random JWT secret
+gen_secret() {
+  if command -v openssl >/dev/null 2>&1; then
+    openssl rand -base64 32
+  else
+    head -c 32 /dev/urandom | base64 | tr -d '\n'
+  fi
+}
+
+# Configuration defaults
+ADMIN_USER="admin"
+ADMIN_PASS="admin123"
+JWT_SECRET="$(gen_secret)"
+PG_PASS="memoh123"
+
+if [ "$SILENT" = false ]; then
+  echo "Configure Memoh (press Enter to use defaults):" > /dev/tty
+  echo "" > /dev/tty
+
+  printf "  Admin username [%s]: " "$ADMIN_USER" > /dev/tty
+  read -r input < /dev/tty || true
+  [ -n "$input" ] && ADMIN_USER="$input"
+
+  printf "  Admin password [%s]: " "$ADMIN_PASS" > /dev/tty
+  read -r input < /dev/tty || true
+  [ -n "$input" ] && ADMIN_PASS="$input"
+
+  printf "  JWT secret [auto-generated]: " > /dev/tty
+  read -r input < /dev/tty || true
+  [ -n "$input" ] && JWT_SECRET="$input"
+
+  printf "  Postgres password [%s]: " "$PG_PASS" > /dev/tty
+  read -r input < /dev/tty || true
+  [ -n "$input" ] && PG_PASS="$input"
+
+  echo "" > /dev/tty
+fi
+
+# Clone or update
+if [ -d "$DIR" ]; then
+    echo "Updating existing installation..."
+    cd "$DIR"
+    git pull --ff-only 2>/dev/null || true
+else
+    echo "Cloning Memoh..."
+    git clone --depth 1 -b "$BRANCH" "$REPO" "$DIR"
+    cd "$DIR"
+fi
+
+# Generate config.toml from template
+cp docker/config/config.docker.toml config.toml
+sed -i.bak "s|username = \"admin\"|username = \"${ADMIN_USER}\"|" config.toml
+sed -i.bak "s|password = \"admin123\"|password = \"${ADMIN_PASS}\"|" config.toml
+sed -i.bak "s|jwt_secret = \".*\"|jwt_secret = \"${JWT_SECRET}\"|" config.toml
+sed -i.bak "s|password = \"memoh123\"|password = \"${PG_PASS}\"|" config.toml
+export POSTGRES_PASSWORD="${PG_PASS}"
+rm -f config.toml.bak
+
+# Use generated config
+export MEMOH_CONFIG=./config.toml
+
+echo ""
+echo "${GREEN}Starting services (first build may take a few minutes)...${NC}"
+docker compose up -d --build
+
+echo ""
+echo "${GREEN}========================================${NC}"
+echo "${GREEN}   Memoh is running!${NC}"
+echo "${GREEN}========================================${NC}"
+echo ""
+echo "  Web UI:          http://localhost"
+echo "  API:             http://localhost:8080"
+echo "  Agent Gateway:   http://localhost:8081"
+echo ""
+echo "  Admin login:     ${ADMIN_USER} / ${ADMIN_PASS}"
+echo ""
+echo "Commands:"
+echo "  cd ${DIR} && docker compose ps       # Status"
+echo "  cd ${DIR} && docker compose logs -f   # Logs"
+echo "  cd ${DIR} && docker compose down      # Stop"
+echo ""
+echo "${YELLOW}First startup may take 1-2 minutes, please be patient.${NC}"

scripts/mcp-image-down.sh

@@ -1,16 +0,0 @@
-#!/usr/bin/env sh
-set -e
-
-IMAGE="memoh-mcp:dev"
-
-if [ "$(uname -s)" = "Darwin" ]; then
-  limactl shell default -- nerdctl rmi -f "$IMAGE"
-  exit $?
-fi
-
-if ! command -v nerdctl >/dev/null 2>&1; then
-  echo "nerdctl not found. Install nerdctl to remove images."
-  exit 1
-fi
-
-nerdctl rmi -f "$IMAGE"

scripts/mcp-image-up.sh

@@ -1,18 +0,0 @@
-#!/usr/bin/env sh
-set -e
-
-IMAGE="memoh-mcp:dev"
-
-if [ "$(uname -s)" = "Darwin" ]; then
-  limactl shell default -- nerdctl build -f docker/Dockerfile.mcp -t "$IMAGE" .
-  # Import into rootful containerd so the Go agent can find the image
-  limactl shell default -- sh -c "nerdctl save $IMAGE | sudo nerdctl load"
-  exit $?
-fi
-
-if ! command -v nerdctl >/dev/null 2>&1; then
-  echo "nerdctl not found. Install nerdctl to build images."
-  exit 1
-fi
-
-nerdctl build -f docker/Dockerfile.mcp -t "$IMAGE" .