# syntax=docker/dockerfile:1.6
#
# visionA-backend / remote-proxy — multi-stage Docker image
#
# 設計原則同 Dockerfile.api-server（見該檔 header）。
# 唯一差別：
#   - build 的是 ./cmd/remote-proxy
#   - 對外 expose 3800（tunnel WS，local agent 用）+ 3801（internal HTTP，api-server 用）
#   - HEALTHCHECK 打 tunnel port 的 /healthz

# ---- Stage 1: builder ----------------------------------------------------
FROM golang:1.26-alpine AS builder

RUN apk add --no-cache git ca-certificates

WORKDIR /src

COPY go.mod go.sum ./
RUN go mod download

COPY . .

ENV CGO_ENABLED=0 GOOS=linux
RUN go build -trimpath -ldflags="-s -w" -o /out/remote-proxy ./cmd/remote-proxy

# ---- Stage 2: runtime ----------------------------------------------------
FROM alpine:3.19

RUN apk add --no-cache ca-certificates curl tzdata && \
    addgroup -S -g 1001 visiona && \
    adduser -S -u 1001 -G visiona visiona

WORKDIR /app

COPY --from=builder --chown=visiona:visiona /out/remote-proxy /app/remote-proxy

USER visiona:visiona

# 3800：tunnel server（面向 local agent，WebSocket upgrade）
# 3801：internal HTTP（面向 api-server，同 compose network 內互通）
EXPOSE 3800 3801

ENV VISIONA_HOST=0.0.0.0 \
    VISIONA_TUNNEL_PORT=3800 \
    VISIONA_PROXY_INTERNAL_PORT=3801 \
    VISIONA_LOG_LEVEL=info

# Healthcheck 打 tunnel listener 的 /healthz（internal port 雖然也有但不對外）
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:3800/healthz || exit 1

ENTRYPOINT ["/app/remote-proxy"]