# H33 scif-backend — polygon-anchor production image.
#
# Adapted from deploy/mode2-bundle/Dockerfile.v13 with two deltas:
#   1. crates/h33-replay-verify-core/ lines removed — that dep migrated to a
#      git source in Cargo.toml; no local crate dir exists. v13's local
#      references were stale.
#   2. ARG CI_COMMIT_SHA + ENV CI_COMMIT_SHA propagation added so build.rs
#      bakes the commit SHA into the binary as H33_GIT_SHA — /health returns
#      it for post-deploy verification.
#
# Build:
#   cd ~/scif-backend
#   docker buildx build --platform linux/arm64 \
#     --build-arg CI_COMMIT_SHA=$(git rev-parse HEAD) \
#     -t h33-rust:polygon-<sha7> \
#     -f deploy/polygon-anchor/Dockerfile .

# Builder stage: compiles the h33-xeon-api release binary. Only that binary is
# copied into the runtime stage, so the toolchain, sources and build-time
# environment set here do not ship in the final image.
# NOTE(review): the base is referenced by tag only, and tags are mutable. For
# a reproducible production build consider pinning it by digest
# (rust:1.88-bookworm@sha256:<digest>).
FROM rust:1.88-bookworm AS builder

WORKDIR /app

# Native build dependencies. The apt lists are removed in the same layer.
# NOTE(review): --no-install-recommends is not passed and package versions are
# not pinned. This stage is discarded, so that costs build time and cache size
# rather than runtime attack surface.
RUN apt-get update && apt-get install -y \
    pkg-config \
    libssl-dev \
    cmake \
    clang \
    && rm -rf /var/lib/apt/lists/*

# Copy root manifests first for dependency caching.
COPY Cargo.toml Cargo.lock ./

# Copy every workspace member's manifest. If you add a new member to
# Cargo.toml [workspace].members, you MUST add it here too.
COPY h33-node-bindings/Cargo.toml h33-node-bindings/Cargo.toml
COPY h33-fhe-client/Cargo.toml h33-fhe-client/Cargo.toml
COPY h33-client/Cargo.toml h33-client/Cargo.toml
COPY h33-key-convert/Cargo.toml h33-key-convert/Cargo.toml
COPY v100-turn/Cargo.toml v100-turn/Cargo.toml

# Copy h33-substrate (sibling path dep at ../h33-substrate in dev; provided
# inside the build context via git submodule at scif-backend/h33-substrate).
COPY h33-substrate/Cargo.toml h33-substrate/Cargo.toml
COPY h33-substrate/src h33-substrate/src

# Dummy-build to cache dependencies, then strip the dummy artifacts.
# This step writes stub sources for the root crate and the workspace members,
# then rewrites the manifests in place: [[bench]] sections are deleted, the
# h33-substrate path is repointed into the build context, and h33-substrate's
# own [workspace] line is removed.
# Note that h33-key-convert only gets an empty src/ directory here (no stub
# file). The stubs for h33-node-bindings, h33-fhe-client and v100-turn are
# never replaced with real sources later in this stage.
RUN mkdir -p src && \
    echo "fn main() {}" > src/main.rs && \
    echo "pub fn dummy() {}" > src/lib.rs && \
    mkdir -p h33-node-bindings/src && echo "pub fn dummy() {}" > h33-node-bindings/src/lib.rs && \
    mkdir -p h33-fhe-client/src && echo "pub fn dummy() {}" > h33-fhe-client/src/lib.rs && \
    mkdir -p h33-client/src && echo "pub fn dummy() {}" > h33-client/src/lib.rs && \
    mkdir -p h33-key-convert/src && \
    mkdir -p v100-turn/src/bin && \
        echo "pub fn dummy() {}" > v100-turn/src/lib.rs && \
        echo "fn main() {}" > v100-turn/src/main.rs && \
        echo "fn main() {}" > v100-turn/src/bin/loadtest.rs && \
    sed -i '/^\[\[bench\]\]/,/^$/d' Cargo.toml && \
    sed -i '/^\[\[bench\]\]/,/^$/d' v100-turn/Cargo.toml && \
    sed -i 's|path = "../h33-substrate"|path = "h33-substrate"|' Cargo.toml && \
    # h33-substrate ships a `[workspace]` declaration in its Cargo.toml (so
    # it can be developed standalone). Inside this docker context it's a
    # plain path dep of /app's workspace, so its own [workspace] declaration
    # would create two competing workspace roots ("multiple workspace roots
    # found in the same workspace"). Strip the [workspace] line.
    sed -i '/^\[workspace\]$/d' h33-substrate/Cargo.toml

# Best-effort warm-up build against the stub sources. `|| true` swallows any
# failure, so a broken warm-up only loses the dependency cache and does not
# fail the image build. The real build at the end of this stage has no such
# guard.
# NOTE(review): neither cargo invocation passes --locked, so cargo is free to
# rewrite Cargo.lock if it disagrees with the (sed-edited) manifests. The
# lockfile is what fixes dependency versions, presumably including the
# git-sourced dependency mentioned in the header. Consider --locked once the
# lockfile is confirmed to resolve unchanged in this context.
RUN cargo build --release --bin h33-xeon-api 2>&1 || true
# Remove the root stub sources plus the h33*-named artifacts and fingerprints
# from the warm-up, presumably so the real build recompiles first-party code
# and reuses only the third-party dependency cache.
RUN rm -rf src target/release/deps/h33* target/release/deps/libh33* \
    target/release/.fingerprint/h33* target/release/libh33* target/release/h33*

# Copy actual source code. NOT benches/ — it's in .dockerignore, and the
# sed step above stripped [[bench]] sections from Cargo.toml so cargo
# won't look for them.
COPY src ./src
COPY h33-key-convert/src ./h33-key-convert/src
COPY h33-client/src ./h33-client/src
COPY build.rs ./build.rs
COPY proto ./proto

# Build the real release. CI_COMMIT_SHA flows into H33_GIT_SHA via build.rs,
# which prints `cargo:rustc-env=H33_GIT_SHA=...` so the binary's /health
# endpoint reports the commit it was built from. The deploy pipeline asserts
# this matches the expected SHA after the container swap.
# The ARG is declared this late so a new SHA invalidates only the layers from
# here on. Build args are recorded in image history, which is acceptable for a
# commit SHA but means this mechanism must not be reused for secrets. The ENV
# lives in the builder stage only.
# The `test -n` guard fails the build when the build-arg is missing or empty.
# It does not validate that the value looks like a commit SHA.
ARG CI_COMMIT_SHA
ENV CI_COMMIT_SHA=${CI_COMMIT_SHA}
RUN test -n "$CI_COMMIT_SHA" || { echo "FAIL: --build-arg CI_COMMIT_SHA=<sha> is required"; exit 1; }

# Override Cargo.toml [profile.release] for the deploy build to fit the
# buildkit container's memory ceiling. The repo default `lto = "fat"` +
# `codegen-units = 1` blows past 7.6 GiB on the linker stage (rustc gets
# SIGKILL'd by the OOM killer). The Polygon-anchor handler is I/O-bound on
# on-chain writes, so the FHE-hot-path inlining we lose is negligible for
# this deploy. Production benchmark builds (cargo build --release without
# these env vars) still get fat LTO + 1 codegen unit unchanged.
ENV CARGO_PROFILE_RELEASE_LTO=false
ENV CARGO_PROFILE_RELEASE_CODEGEN_UNITS=16
# Surface real errors instead of `tail -20`-truncating a 3300s build run.
RUN cargo build --release --bin h33-xeon-api

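# Runtime stage — minimal: a fresh Debian base holding only the release binary
# copied from the builder, the shared libraries it needs, and curl for the
# health probe. None of the builder's toolchain or sources reach this image.
# The base is referenced by a mutable tag; for reproducible deploys consider
# pinning it by digest (debian:bookworm-slim@sha256:<digest>).
FROM debian:bookworm-slim

# --no-install-recommends keeps optional packages out of the production image.
# curl is installed only for the HEALTHCHECK below.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    libssl3 \
    && rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged account so the service does not run as root. The
# numeric UID/GID are fixed so orchestrators that enforce a non-root policy can
# verify them. /app is created owned by that account in case the service
# writes to its working directory.
RUN groupadd --system --gid 10001 h33 \
    && useradd --system --uid 10001 --gid h33 \
        --home-dir /app --no-create-home --shell /usr/sbin/nologin h33 \
    && install -d -o h33 -g h33 /app

WORKDIR /app
COPY --from=builder /app/target/release/h33-xeon-api /usr/local/bin/h33-xeon-api

# Drop privileges for the entrypoint and the health probe. Port 8080 is
# unprivileged, so no extra capability is needed to bind it.
# NOTE(review): any files mounted at deploy time (keys, config) must be
# readable by UID 10001 — confirm against the deployment manifests.
USER 10001:10001

# EXPOSE is documentation only; publishing the port is the deployer's job.
EXPOSE 8080

# Probes the same /health endpoint that reports the baked-in commit SHA.
# -f turns an HTTP error status into a non-zero exit, marking the container
# unhealthy.
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
    CMD curl -fsS http://localhost:8080/health || exit 1

# Exec form: the binary runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["/usr/local/bin/h33-xeon-api"]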
