From 2b7e3ef3a18073372e9c85e4f7f420953cb683d6 Mon Sep 17 00:00:00 2001 From: Patrick Skowronek <86347677+patrick-skowronek@users.noreply.github.com> Date: Mon, 11 May 2026 11:35:32 +0200 Subject: [PATCH 1/8] fix: replace old dpc link (#384) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0574acc1..03a1b637 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ This repository is the starting point for any information and tools you will nee The data protection officer at your site will probably want to know exactly what our software does with patient data, and you may need to get their approval before you are allowed to install a Bridgehead. To help you with this, we have provided some data protection concepts: -- [Germany](https://www.bbmri.de/biobanking/it/infrastruktur/datenschutzkonzept/) +- [Germany](https://www.netzwerk-universitaetsmedizin.de/plattformen/gbn/biobanking/it/infrastruktur/datenschutzkonzept) ### Hardware From cbf75f632f3f268676d03e12ecbeb1f4cdec9b3e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Radovan=20Tom=C3=A1=C5=A1ik?= Date: Mon, 11 May 2026 12:55:44 +0200 Subject: [PATCH 2/8] Fix image reference for data-quality-agent service (#381) --- bbmri/modules/data-quality-agent-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bbmri/modules/data-quality-agent-compose.yml b/bbmri/modules/data-quality-agent-compose.yml index 443bec8f..272f982b 100644 --- a/bbmri/modules/data-quality-agent-compose.yml +++ b/bbmri/modules/data-quality-agent-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: data-quality-agent: - image: ghcr.io/bbmri-cz/data-quality-server:${DATA_QUALITY_AGENT_TAG} + image: ghcr.io/bbmri-cz/data-quality-agent:${DATA_QUALITY_AGENT_TAG} container_name: bridgehead-bbmri-data-quality-agent environment: APP_SETTING_FHIR_URL: http://bridgehead-bbmri-blaze:8080/fhir From 47b793668ae818243b79c553b3de09ebfbbc638b Mon Sep 17 00:00:00 2001 
From: Martin Jurk <96107909+Martin1088@users.noreply.github.com> Date: Tue, 12 May 2026 13:56:35 +0200 Subject: [PATCH 3/8] Feature/ml itcc (#380) * sites moved to etc itcc.comf * mainzelliste test * volume * fix image * db name chaged * ingest component test * clean up * maizelliste env db * test server ip * beam sockets * teswt socket and task * secure db and ml * refactor and patient endpoints * partner id * new refactor and encription key generation * db deleted * keyset to var/ --- itcc/docker-compose.yml | 8 ++-- itcc/modules/itcc-omics-ingest.sh | 21 ++++++++++ itcc/modules/itcc-omics-ingest.yaml | 65 ++++++++++++++++++++++++++--- itcc/vars | 3 ++ 4 files changed, 88 insertions(+), 9 deletions(-) diff --git a/itcc/docker-compose.yml b/itcc/docker-compose.yml index 49edff0a..ae9e09fb 100644 --- a/itcc/docker-compose.yml +++ b/itcc/docker-compose.yml @@ -2,7 +2,7 @@ version: "3.7" services: blaze: - image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG} + image: docker.verbis.dkfz.de/cache/samply/blaze:latest container_name: bridgehead-itcc-blaze environment: BASE_URL: "http://bridgehead-itcc-blaze:8080" @@ -32,7 +32,7 @@ services: BEAM_PROXY_URL: http://beam-proxy:8081 RETRY_COUNT: ${FOCUS_RETRY_COUNT} EPSILON: 0.28 - QUERIES_TO_CACHE: '/queries_to_cache.conf' + QUERIES_TO_CACHE: "/queries_to_cache.conf" ENDPOINT_TYPE: ${FOCUS_ENDPOINT_TYPE:-blaze} volumes: - /srv/docker/bridgehead/itcc/queries_to_cache.conf:/queries_to_cache.conf:ro @@ -41,12 +41,13 @@ services: - "blaze" beam-proxy: - image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG} + image: docker.verbis.dkfz.de/cache/samply/beam-proxy:develop-sockets container_name: bridgehead-beam-proxy environment: BROKER_URL: ${BROKER_URL} PROXY_ID: ${PROXY_ID} APP_focus_KEY: ${FOCUS_BEAM_SECRET_SHORT} + APP_omics-endpoint_KEY: ${FOCUS_BEAM_SECRET_SHORT} PRIVKEY_FILE: /run/secrets/proxy.pem ALL_PROXY: http://forward_proxy:3128 TLS_CA_CERTIFICATES_DIR: /conf/trusted-ca-certs 
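Review bot: The blaze image in itcc/docker-compose.yml is now hard-coded to `:latest` instead of `${BLAZE_TAG}`, so the per-environment pins in versions/* no longer apply to this service and every pull can bring in a different image. The third hunk of the same file does the same to beam-proxy, replacing `${BEAM_TAG}` with the development tag `develop-sockets`, while itcc/vars sets `PUBLIC_ENVIRONMENT=prod`. If the socket-enabled proxy is needed, I would keep the variables (`image: docker.verbis.dkfz.de/cache/samply/blaze:${BLAZE_TAG}`, `image: docker.verbis.dkfz.de/cache/samply/beam-proxy:${BEAM_TAG}`) and set the tag where versions are managed. Pinning by digest would additionally make the deployed image reproducible and auditable.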
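Review bot: `APP_omics-endpoint_KEY: ${FOCUS_BEAM_SECRET_SHORT}` registers the new omics-endpoint app with the same secret as `APP_focus_KEY`, so presumably either component that holds the value can authenticate to the proxy as the other. The same reuse appears in itcc/modules/itcc-omics-ingest.yaml (`BEAM_SECRET: ${FOCUS_BEAM_SECRET_SHORT}`) and in pscc/modules/lens-compose.yml (`APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT}`). I would give each app its own generated secret, for example `APP_omics-endpoint_KEY: ${OMICS_BEAM_SECRET_SHORT}`. That variable name is only a suggestion; it would have to be defined wherever FOCUS_BEAM_SECRET_SHORT is generated, which this patch does not show.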
@@ -59,7 +60,6 @@ services: - /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro - /srv/docker/bridgehead/itcc/root.crt.pem:/conf/root.crt.pem:ro - volumes: blaze-data: diff --git a/itcc/modules/itcc-omics-ingest.sh b/itcc/modules/itcc-omics-ingest.sh index a078140a..9d0dcb41 100644 --- a/itcc/modules/itcc-omics-ingest.sh +++ b/itcc/modules/itcc-omics-ingest.sh @@ -3,4 +3,25 @@ if [ -n "$ENABLE_OMICS" ];then OVERRIDE+=" -f ./$PROJECT/modules/itcc-omics-ingest.yaml" GENERATE_API_KEY="$(generate_simple_password 'omics')" + PATIENTLIST_POSTGRES_PASSWORD=="$(generate_simple_password 'mainzelliste')" + KEYSET=/var/bridgehead/mainzelliste/keyset_siv.json + if [ ! -f "$KEYSET" ]; then + mkdir -p "$(dirname "$KEYSET")" + KEY_ID=$(($(openssl rand -hex 4 | sed 's/^/0x/') & 0x7FFFFFFF)) + VALUE=$({ printf '\x12\x40'; openssl rand 64; } | base64 | tr -d '\n') + jq -n --argjson id "$KEY_ID" --arg value "$VALUE" '{ + primaryKeyId: $id, + key: [{ + keyData: { + typeUrl: "type.googleapis.com/google.crypto.tink.AesSivKey", + value: $value, + keyMaterialType: "SYMMETRIC" + }, + status: "ENABLED", + keyId: $id, + outputPrefixType: "TINK" + }] + }' > "$KEYSET" + chmod 600 "$KEYSET" + fi fi \ No newline at end of file diff --git a/itcc/modules/itcc-omics-ingest.yaml b/itcc/modules/itcc-omics-ingest.yaml index 81084331..74ae5274 100644 --- a/itcc/modules/itcc-omics-ingest.yaml +++ b/itcc/modules/itcc-omics-ingest.yaml 
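Review bot: `PATIENTLIST_POSTGRES_PASSWORD=="$(generate_simple_password 'mainzelliste')"` in itcc-omics-ingest.sh has a doubled `=`, so the shell assigns a value that starts with a literal `=`; it works only because both containers read the same variable. The keyset is also written with the default umask and restricted by `chmod 600` afterwards, which leaves a short window in which the AES-SIV key material may be readable by other local users. In addition, if `openssl` or `jq` fails, the redirect still creates an empty `keyset_siv.json`, and the `-f` test then skips regeneration on every later run. I would fix the assignment, tighten the umask before the file is created, and write to a temporary file that is renamed only on success.

```shell
  PATIENTLIST_POSTGRES_PASSWORD="$(generate_simple_password 'mainzelliste')"
  KEYSET=/var/bridgehead/mainzelliste/keyset_siv.json
  # -s also regenerates when an earlier failed run left an empty file behind
  if [ ! -s "$KEYSET" ]; then
    OLD_UMASK="$(umask)"
    umask 077   # directory and file are private from the moment they exist
    mkdir -p "$(dirname "$KEYSET")"
    # … unchanged: KEY_ID and VALUE generation, jq -n program body …
    }' > "$KEYSET.tmp" && mv "$KEYSET.tmp" "$KEYSET"
    umask "$OLD_UMASK"
  fi
```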
@@ -1,14 +1,69 @@ services: omics-endpoint: - image: ghcr.io/samply/itcc-omics-ingest:main + image: samply/itcc-omics-ingest:main environment: - - API_KEY=${GENERATE_API_KEY} - volumes: - - /var/cache/bridgehead/omics/data:/data/uploads + API_KEY: ${GENERATE_API_KEY} + BEAM_APP_ID_LONG: omics-endpoint.${PROXY_ID} + BEAM_SECRET: ${FOCUS_BEAM_SECRET_SHORT} + DWH_SOCKET_ID: ${DWH_SOCKET_ID} + DWH_TASK_ID: ${DWH_TASK_ID} + PARTNER_ID: ${SITE_ID} + ML_API_KEY: ${GENERATE_API_KEY} labels: - - "traefik.http.routers.omics.rule=Host(`${HOST}`) && PathPrefix(`/api/omics`)" + - "traefik.http.routers.omics.rule=Host(`${HOST}`) && + PathPrefix(`/api/upload`)" - "traefik.enable=true" - "traefik.http.services.omics.loadbalancer.server.port=6080" - "traefik.http.routers.omics.tls=true" - "traefik.http.middlewares.omics-stripprefix.stripprefix.prefixes=/api" - "traefik.http.routers.omics.middlewares=omics-stripprefix" + + patientlist-db: + image: postgres:${POSTGRES_TAG} + container_name: bridgehead-patientlist-db + restart: unless-stopped + environment: + POSTGRES_DB: mainzelliste + POSTGRES_USER: ${ML_DB_USER} + POSTGRES_PASSWORD: ${PATIENTLIST_POSTGRES_PASSWORD} + volumes: + - "patientlist-db-data:/var/lib/postgresql/data" + healthcheck: + test: ["CMD-SHELL", "pg_isready -U ${ML_DB_USER} -d mainzelliste"] + interval: 5s + timeout: 5s + retries: 10 + start_period: 10s + + patientlist: + image: medicalinformatics/mainzelliste:latest + container_name: bridgehead-patientlist + restart: unless-stopped + depends_on: + patientlist-db: + condition: service_healthy + environment: + ML_API_KEY: ${GENERATE_API_KEY} + ML_DB_HOST: patientlist-db + ML_DB_PORT: "5432" + ML_DB_NAME: mainzelliste + ML_DB_USER: ${ML_DB_USER} + ML_DB_PASS: ${PATIENTLIST_POSTGRES_PASSWORD} + ML_DB_DRIVER: org.postgresql.Driver + ML_DB_TYPE: postgresql + ML_LOG_LEVEL: INFO + ML_ALLOWEDREMOTEADDRESSES: "127.0.0.1,::1,172.16.0.0/12" + + secrets: + - mainzelliste.docker.conf + - source: symmetric_key + target: 
/etc/resources/keys/symmetric_key.json + +volumes: + patientlist-db-data: +secrets: + mainzelliste.docker.conf: + file: /etc/bridgehead/mainzelliste/mainzelliste.docker.conf + + symmetric_key: + file: /var/bridgehead/mainzelliste/keyset_siv.json diff --git a/itcc/vars b/itcc/vars index 3eee6525..26fbc254 100644 --- a/itcc/vars +++ b/itcc/vars @@ -7,6 +7,9 @@ SUPPORT_EMAIL=arturo.macias@dkfz-heidelberg.de PRIVATEKEYFILENAME=/etc/bridgehead/pki/${SITE_ID}.priv.pem BROKER_URL_FOR_PREREQ=$BROKER_URL PUBLIC_ENVIRONMENT=prod +DWH_SOCKET_ID=socket.itcc-datalake.${BROKER_ID} +DWH_TASK_ID=task.itcc-datalake.${BROKER_ID} +ML_DB_USER=mainzelliste for module in $PROJECT/modules/*.sh do From 112be2a2d663d52d0d1e9638ca5700c01239e23a Mon Sep 17 00:00:00 2001 From: Pierre Delpy <75260699+PierreDelpy@users.noreply.github.com> Date: Fri, 22 May 2026 12:58:17 +0200 Subject: [PATCH 4/8] Fix/pscc lens local (#385) * fix: deployment of local pscc lens instance --- pscc/modules/lens-compose.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/pscc/modules/lens-compose.yml b/pscc/modules/lens-compose.yml index 4571c7b2..f5ef163e 100644 --- a/pscc/modules/lens-compose.yml +++ b/pscc/modules/lens-compose.yml @@ -2,7 +2,9 @@ version: "3.7" services: lens: container_name: lens-federated-search - image: docker.verbis.dkfz.de/ccp/lens:${SITE_ID} + image: docker.verbis.dkfz.de/ccp/lens:pscc + environment: + PUBLIC_SPOT_URL: https://${HOST}/prod labels: - "traefik.http.services.lens.loadbalancer.server.port=3000" - "traefik.enable=true" @@ -11,7 +13,6 @@ services: spot: image: samply/rustyspot:latest - platform: linux/amd64 environment: HTTP_PROXY: ${HTTP_PROXY_URL} HTTPS_PROXY: ${HTTPS_PROXY_URL} 
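Review bot: In itcc-omics-ingest.yaml the same `${GENERATE_API_KEY}` is used as `API_KEY` of the Traefik-routed omics-endpoint and as `ML_API_KEY` for the Mainzelliste patient list, so whoever holds the upload key also holds the credential for the service that stores identifying patient data. I would generate a second value in itcc-omics-ingest.sh and pass it as `ML_API_KEY: ${MAINZELLISTE_API_KEY}` to both `omics-endpoint` and `patientlist`; the variable name is a suggestion. `ML_ALLOWEDREMOTEADDRESSES: "127.0.0.1,::1,172.16.0.0/12"` admits the whole private range Docker commonly allocates from, which would include unrelated containers on the host; a dedicated network for omics-endpoint, patientlist and patientlist-db would narrow that. `image: medicalinformatics/mainzelliste:latest` is unpinned, unlike `postgres:${POSTGRES_TAG}` in the same file, and would be better driven by a tag variable or a digest.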
@@ -37,4 +38,8 @@ services: - "traefik.http.routers.spot.rule=Host(`${HOST}`) && PathPrefix(`/prod`)" - "traefik.http.middlewares.stripprefix_spot.stripprefix.prefixes=/prod" - "traefik.http.routers.spot.tls=true" - - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth" \ No newline at end of file + - "traefik.http.routers.spot.middlewares=corsheaders2,stripprefix_spot,auth" + + beam-proxy: + environment: + APP_spot_KEY: ${FOCUS_BEAM_SECRET_SHORT} \ No newline at end of file From 4211528f563ced414f7a764e5b30df5652b5cfe4 Mon Sep 17 00:00:00 2001 From: afigueroaDkfz <146178090+afigueroaDkfz@users.noreply.github.com> Date: Tue, 26 May 2026 16:16:06 +0200 Subject: [PATCH 5/8] fix: make url dynamic based on host configuration (#386) --- itcc/modules/lens-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/itcc/modules/lens-compose.yml b/itcc/modules/lens-compose.yml index 5a5b78cc..a548cde9 100644 --- a/itcc/modules/lens-compose.yml +++ b/itcc/modules/lens-compose.yml @@ -7,6 +7,7 @@ services: HOST: "0.0.0.0" BIND_ADDR: "0.0.0.0:3000" PUBLIC_ENVIRONMENT: ${PUBLIC_ENVIRONMENT} + PUBLIC_SPOT_URL: https://${HOST}/prod labels: - "traefik.enable=true" - "traefik.http.routers.itcc.rule=Host(`${HOST}`) && PathPrefix(`/`)" From e3a8cf790c11f5525b98e6e05d0d28ca95d2a130 Mon Sep 17 00:00:00 2001 From: Enola Knezevic <115070135+enola-dkfz@users.noreply.github.com> Date: Fri, 29 May 2026 15:28:04 +0200 Subject: [PATCH 6/8] use latest blaze in test (#387) --- versions/test | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions/test b/versions/test index 10fb37e1..648e371e 100644 --- a/versions/test +++ b/versions/test @@ -1,6 +1,6 @@ FOCUS_TAG=develop BEAM_TAG=develop -BLAZE_TAG=0.32 +BLAZE_TAG=latest POSTGRES_TAG=15.13-alpine TEILER_DASHBOARD_TAG=develop MTBA_TAG=develop From 54291c06f789223bced47c1956f7aea2563abcf0 Mon Sep 17 00:00:00 2001 
From: Tobias Kussel Date: Tue, 2 Jun 2026 15:03:35 +0200 Subject: [PATCH 7/8] =?UTF-8?q?Fix=20spelling=20of=20'Charite'=20to=20'Cha?= =?UTF-8?q?rit=C3=A9'=20in=20DNPM=20targets=20(#389)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- minimal/modules/dnpm-central-targets.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/minimal/modules/dnpm-central-targets.json b/minimal/modules/dnpm-central-targets.json index 5469da03..9b28c373 100644 --- a/minimal/modules/dnpm-central-targets.json +++ b/minimal/modules/dnpm-central-targets.json @@ -49,7 +49,7 @@ "beamconnect": "dnpm-connect.dnpm-bridge.broker.ccp-it.dktk.dkfz.de" }, { - "id": "Charite", + "id": "Charité", "name": "Berlin", "virtualhost": "charite.dnpm.de", "beamconnect": "dnpm-connect.berlin-test.broker.ccp-it.dktk.dkfz.de" From b7a8646e917708de240da6f591f9e99acc6198e7 Mon Sep 17 00:00:00 2001 From: Enola Knezevic <115070135+enola-dkfz@users.noreply.github.com> Date: Wed, 17 Jun 2026 13:24:32 +0200 Subject: [PATCH 8/8] latest blaze in acceptance and 1.8 in production (#388) --- versions/acceptance | 2 +- versions/prod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/versions/acceptance b/versions/acceptance index 10fb37e1..648e371e 100644 --- a/versions/acceptance +++ b/versions/acceptance @@ -1,6 +1,6 @@ FOCUS_TAG=develop BEAM_TAG=develop -BLAZE_TAG=0.32 +BLAZE_TAG=latest POSTGRES_TAG=15.13-alpine TEILER_DASHBOARD_TAG=develop MTBA_TAG=develop diff --git a/versions/prod b/versions/prod index 29e7c5bc..a336e123 100644 --- a/versions/prod +++ b/versions/prod @@ -1,6 +1,6 @@ FOCUS_TAG=main BEAM_TAG=main -BLAZE_TAG=0.32 +BLAZE_TAG=1.8 POSTGRES_TAG=15.13-alpine TEILER_DASHBOARD_TAG=main MTBA_TAG=main