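# ── Build Stage ──────────────────────────────────────────────────────────────
# Tags are mutable; append @sha256:<digest> to both FROM lines when builds must
# be reproducible and the base image verifiable.
FROM golang:1.23-alpine AS builder

# Install build dependencies (git is needed for `git describe` below)
RUN apk add --no-cache \
    ca-certificates \
    git \
    tzdata

WORKDIR /build

# Copy go.mod and go.sum first so the module download layer stays cached
# until the dependency set changes
COPY gateway/go.mod gateway/go.sum ./
RUN go mod download

# Copy source code
COPY gateway/ .

# Build a static, stripped binary and stamp the version into main.version.
# NOTE(review): only gateway/ is copied into the build, so unless that directory
# carries its own .git metadata `git describe` has nothing to read and the
# version falls back to "dev" — confirm this is intended.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -ldflags="-w -s -X main.version=$(git describe --tags --always 2>/dev/null || echo dev)" \
    -o gateway ./cmd/gateway/

# ── Runtime Stage ─────────────────────────────────────────────────────────────
FROM alpine:3.20

# Install runtime dependencies. `--no-cache` already leaves nothing behind in
# /var/cache/apk, so no separate cleanup step is needed.
RUN apk add --no-cache \
    bash \
    ca-certificates \
    curl \
    # For shell_exec tool
    jq \
    tzdata \
    wget

WORKDIR /app

# Copy binary from builder
COPY --from=builder /build/gateway /usr/local/bin/gateway

# Copy timezone data
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo

# Ensure binary is executable
RUN chmod +x /usr/local/bin/gateway

# Run as root so we can access /var/run/docker.sock (mounted from host).
# SECURITY: access to the Docker socket is not read-only. Any process that can
# reach it can ask the daemon for anything the API offers, including starting
# containers with host paths mounted, which is equivalent to root on the host.
# The gateway issuing only read calls does not limit what the socket permits,
# and this image also ships a shell plus curl for the shell_exec tool, all
# running as root next to that socket.
# Hardening to evaluate before deployment:
#   - put a filtering Docker API proxy in front of the socket that allows only
#     the read endpoints the gateway needs, and mount that instead;
#   - run as a dedicated non-root user whose group matches the socket's GID
#     (this narrows in-container privilege, not what the daemon will do);
#   - start the container with a read-only root filesystem and dropped
#     capabilities.
USER root

# Expose port (documentation only; publishing happens at run time)
EXPOSE 18789

# Health check
HEALTHCHECK --interval=15s --timeout=5s --start-period=10s --retries=3 \
    CMD wget -qO- http://localhost:18789/health || exit 1

ENTRYPOINT ["/usr/local/bin/gateway"]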