# Multi-stage build: compile in a Rust builder, run on a slim runtime.

# Builder stage: carries the Rust toolchain and the build inputs. The only
# thing the runtime stage takes from it is the release binary.
# NOTE(review): the base image is pinned by tag only, and a tag can be
# re-pointed upstream. Appending @sha256:<digest-of-the-reviewed-image>
# would make the toolchain reproducible and auditable.
FROM docker.io/rust:1.88-bookworm AS builder
WORKDIR /build
# NOTE(review): no Cargo.lock is copied, so cargo resolves dependency
# versions at image-build time. If the repository tracks a Cargo.lock,
# copy it here and build with --locked so the shipped binary uses the
# reviewed dependency set.
COPY Cargo.toml ./
COPY src ./src
COPY tests ./tests
COPY migrations ./migrations
# Release build for the server binary only; the library doesn't need to
# ship as a separate artifact.
RUN cargo build --release --bin chukwa-serve

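# Runtime stage: slim Debian base plus the release binary, a copy of the
# source tree, and a prebuilt zip of that tree.
# NOTE(review): the base image is pinned by tag only; consider appending
# @sha256:<digest-of-the-reviewed-image>.
FROM docker.io/debian:bookworm-slim AS runtime
# ca-certificates: needed for outbound TLS (none today, but cheap).
# tini: clean signal handling so Ctrl-C / k8s termination work.
# zip: used by the build-time archive step below; it stays installed in the
#   final image.
# git: NOTE(review): presumably used by the codebase navigator against
#   /app/repo/.git -- confirm, and drop it if nothing shells out to git.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates git tini zip \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=builder /build/target/release/chukwa-serve /usr/local/bin/chukwa-serve
# Ship the source tree so the in-process codebase navigator (browse_codebase,
# list_code_files, search_code, read_code) can read the exact code this
# binary was built from. Kept under /app/repo.
COPY Cargo.toml /app/repo/Cargo.toml
COPY src /app/repo/src
COPY tests /app/repo/tests
COPY migrations /app/repo/migrations
COPY docs /app/repo/docs
COPY Containerfile /app/repo/Containerfile
COPY k8s /app/repo/k8s
# NOTE(review): this puts the full commit history and the build host's
# .git/config into an image that listens on the network. Anything ever
# committed (including since-removed secrets) and any credentials embedded
# in remote URLs become readable by whoever can pull the image or reach the
# code-reading tools. Confirm the history is clean, or ship a shallow /
# sanitized clone instead.
COPY .git /app/repo/.git
# Build-time snapshot of the working tree only (no .git), served by the
# get_repo_zip MCP tool as a prebuilt blob. Creating this at build time
# avoids any on-demand archive work in the request path.
# Runs in /app because of the WORKDIR above, so no `cd` is needed.
RUN zip -r -q chukwa-repo.zip repo -x 'repo/.git/*' 'repo/.git'
# Create the unprivileged service account and its run directory.
# NOTE(review): the chown below also hands /app to chukwa, so the service
# can modify the source tree, .git (config and hooks included) and
# chukwa-repo.zip that it serves; the tree is NOT read-only to the process.
# If read-only is the intent, limit the chown to /var/lib/chukwa and leave
# /app root-owned. git commands run as chukwa would then likely need
# /app/repo listed under safe.directory -- verify before changing.
RUN useradd --system --uid 1000 --home /app chukwa \
    && mkdir -p /var/lib/chukwa \
    && chown -R chukwa:chukwa /var/lib/chukwa /app
USER chukwa
# CHUKWA_BIND listens on all interfaces; who can reach port 8080 is decided
# by the orchestrator / network policy, not by this image.
ENV CHUKWA_RUN_DIR=/var/lib/chukwa \
    CHUKWA_REPO_DIR=/app/repo \
    CHUKWA_REPO_ZIP=/app/chukwa-repo.zip \
    CHUKWA_BIND=0.0.0.0:8080 \
    RUST_LOG=info,tower_http=info
EXPOSE 8080
# tini runs as PID 1 and execs the server given by CMD.
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["/usr/local/bin/chukwa-serve"]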
