# H33 Digital SCIF Backend - Production Dockerfile
# Xeon-Optimized FHE API with PQC, ZKP, and Embedded Node.js Service
#
# Multi-stage build for multi-runtime container (Rust + Node.js)

# =============================================================================
# Stage 1: Rust Build
# =============================================================================
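# Toolchain stage: compiles the h33-xeon-api release binary. Only the artifact
# copied out by a later stage leaves this stage.
# NOTE(review): the tag is mutable; pin by digest for reproducible builds, e.g.
# rust:1.85-bookworm@sha256:<digest-placeholder>.
FROM rust:1.85-bookworm AS rust-builder

WORKDIR /app

# Native build prerequisites, installed and cleaned up in the same layer.
RUN apt-get update && apt-get install -y \
    clang \
    cmake \
    libssl-dev \
    pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Copy manifests first so the dependency layer is reused until they change.
COPY Cargo.toml Cargo.lock ./

# Placeholder crate sources so the dependency graph can compile without the
# real code.
RUN mkdir -p src && \
    echo "fn main() {}" > src/main.rs && \
    echo "pub fn dummy() {}" > src/lib.rs

# Build dependencies only (cached layer).
# --locked makes the build fail when Cargo.lock is out of sync with Cargo.toml,
# instead of silently re-resolving to dependency versions nobody reviewed.
RUN cargo build --release --locked && \
    rm -rf src target/release/deps/h33*

# Copy the actual source code.
COPY src ./src
COPY benches ./benches

# Build the application against the same locked dependency set.
RUN cargo build --release --locked --bin h33-xeon-api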

# =============================================================================
# Stage 2: Node.js Build
# =============================================================================
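# Dependency stage for the embedded Node.js service. The runtime stage copies
# /app/h33-node out of here.
# NOTE(review): this stage is Alpine (musl) while the runtime stage is Debian
# (glibc). If any dependency ships platform-specific prebuilt binaries, the
# variant chosen here may not load at runtime. Confirm against package-lock.json.
FROM node:20-alpine AS node-builder

WORKDIR /app/h33-node

# Copy package files first so the install layer is reused until they change.
COPY h33-node/package*.json ./

# Install production dependencies only, exactly as recorded in the lockfile.
# --omit=dev replaces the deprecated --only=production.
# --ignore-scripts stops dependency install hooks from running during the build.
RUN npm ci --omit=dev --ignore-scripts

# Copy Node.js source code.
# NOTE(review): this copies the whole h33-node directory from the build context.
# Without a .dockerignore entry, a host-side node_modules would be merged over the
# tree installed above, and any .env file would be stored in this layer and in the
# build cache. Exclude node_modules and .env* in .dockerignore; do not rely only
# on the cleanup below.
COPY h33-node ./

# Remove dev files and other items the runtime does not need.
RUN rm -rf tests scripts .env* *.md node_modules/.cache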

# =============================================================================
# Stage 3: Runtime
# =============================================================================
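# Final image: the Rust API binary plus the Node.js service it launches.
# NOTE(review): the tag is mutable; pin by digest for reproducible builds, e.g.
# debian:bookworm-slim@sha256:<digest-placeholder>.
FROM debian:bookworm-slim AS runtime

WORKDIR /app

# Runtime libraries. curl stays in the image because the HEALTHCHECK uses it.
# --no-install-recommends keeps optional packages out of the production image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Install the Node.js runtime from NodeSource.
# The setup script is downloaded to a file and then run, not piped into bash.
# With a pipe under /bin/sh, a failed download still exits 0 and the following
# apt-get would install whatever nodejs the distribution provides.
# NOTE(review): the script is fetched over HTTPS and run as root without an
# integrity check. For a stronger supply-chain guarantee, verify it against a
# reviewed checksum, or copy the node binary from a digest-pinned official image.
RUN curl -fsSL https://deb.nodesource.com/setup_20.x -o /tmp/nodesource_setup.sh && \
    bash /tmp/nodesource_setup.sh && \
    apt-get install -y --no-install-recommends nodejs && \
    rm -rf /tmp/nodesource_setup.sh /var/lib/apt/lists/*

# Dedicated unprivileged system account with a fixed UID.
RUN useradd --system --uid 1000 --gid nogroup h33

# Copy the Rust binary from the builder. Ownership is set at copy time so no
# later recursive chown has to duplicate these files in another layer.
COPY --chown=h33:nogroup --from=rust-builder /app/target/release/h33-xeon-api /app/h33-xeon-api

# Copy the Node.js application from the builder.
COPY --chown=h33:nogroup --from=node-builder /app/h33-node /app/h33-node

# WORKDIR created /app as root. Hand the directory itself to the service account.
# NOTE(review): if the service never writes under /app, leaving the binary and JS
# sources root-owned and read-only would stop a compromised process from
# modifying its own code. Confirm before tightening.
RUN chown h33:nogroup /app

# Drop privileges for everything that runs from here on.
USER h33

# Expose ports (Rust API + Node.js API).
EXPOSE 8080 9000

# Health check (checks the Rust service, which monitors Node.js).
HEALTHCHECK --interval=30s --timeout=10s --start-period=15s --retries=3 \
    CMD curl -f http://localhost:8080/health || exit 1

# Runtime configuration defaults.
ENV RUST_LOG=info \
    RUST_BACKTRACE=1 \
    H33_ENV=production \
    H33_PORT=8080 \
    H33_NODE_ENABLED=true \
    H33_NODE_PORT=9000 \
    H33_NODE_ENTRY=h33-node/src/server.js

# Run the Rust binary (which spawns Node.js internally).
# NOTE(review): as PID 1 the binary is responsible for forwarding signals to the
# Node.js child and reaping it. Confirm it does, or run the container under an init.
ENTRYPOINT ["/app/h33-xeon-api"]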
