# H33 Governance Verifier — Multi-stage Docker Build
#
# Runtime: zero network, zero ports, zero runtime dependencies.
# Pure offline governance bundle verification.

# ── Builder ──
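# Builder stage: compiles the h33-verifier release binary. Only that binary is
# copied out of this stage; the toolchain and sources stay behind.
# The tag below is mutable. For a reproducible build, pin it by digest:
#   rust:1.78-bookworm@sha256:<digest-placeholder>
FROM rust:1.78-bookworm AS builder

WORKDIR /build

# Workspace manifests, including the lockfile that fixes every dependency version
COPY Cargo.toml Cargo.lock ./
COPY h33-key-convert/ h33-key-convert/

# h33-substrate crate (workspace dependency)
# NOTE(review): COPY sources are resolved inside the build context, so the
# leading "../" cannot reach a sibling of the context directory. The classic
# builder rejects such a path, and BuildKit is understood to clamp it to the
# context root. Confirm that the build runs with a context containing
# h33-substrate/ (for example the parent directory), or supply the crate as an
# additional named build context.
COPY ../h33-substrate/ /h33-substrate/

# Verifier sources
COPY src/ src/

# Build only the verifier binary in release mode.
# --locked makes cargo fail if Cargo.lock is missing or stale instead of
# silently re-resolving dependency versions, so the image is built from exactly
# the dependency set that was reviewed and committed.
RUN cargo build --release --locked --bin h33-verifier \
    && strip target/release/h33-verifier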

# ── Runtime ──
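# Runtime stage: minimal Debian image carrying only the verifier binary.
# The tag below is mutable. For a reproducible image, pin it by digest:
#   debian:bookworm-slim@sha256:<digest-placeholder>
FROM debian:bookworm-slim

# NOTE(review): ca-certificates only provides the system TLS trust store. The
# header of this file describes the runtime as offline with zero runtime
# dependencies. Confirm whether the verifier reads the system trust store, and
# drop this layer if it does not.
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

COPY --from=builder /build/target/release/h33-verifier /usr/local/bin/h33-verifier

# Run unprivileged: the verifier only needs to read the bundle it is given.
# A numeric UID/GID needs no passwd entry and lets orchestrators check that the
# container is non-root. Bundle files mounted into the container must be
# readable by this UID.
USER 10001:10001

# No EXPOSE: nothing listens. This file cannot enforce network isolation on its
# own, so run the container with networking disabled (e.g.
# `docker run --network none`) to get the "no network" property.
# The absolute path avoids resolving the binary through PATH.
ENTRYPOINT ["/usr/local/bin/h33-verifier"]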
