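# Build stage: compiles the dyolo-kya-gateway release binary. Nothing from
# this stage reaches the runtime image except the binary copied out of
# /build/target/release.
# NOTE(review): the base image is pinned by tag only. Adding the image digest
# to this FROM line would fix the exact toolchain used for release builds.
FROM rust:1.85-slim AS builder
WORKDIR /build

# Copy every Cargo manifest first so the dependency graph can be resolved
# before any real source is copied. This keeps the dependency layer cached
# across source-only changes.
#
# Cargo.lock is optional (present in CI, may be absent in fresh checkouts).
# The [k] glob lets the COPY succeed when the file is missing; it is listed
# next to Cargo.toml so the instruction always has one source that matches.
# NOTE(review): without a lockfile Cargo resolves dependency versions at build
# time, so two builds of the same commit can pull different crate releases.
# Release images should be built with Cargo.lock in the build context.
COPY Cargo.toml Cargo.loc[k] ./
COPY dyolo-kya-redis/Cargo.toml dyolo-kya-redis/Cargo.toml
COPY dyolo-kya-gateway/Cargo.toml dyolo-kya-gateway/Cargo.toml
COPY dyolo-kya-cli/Cargo.toml dyolo-kya-cli/Cargo.toml
COPY dyolo-kya-pg/Cargo.toml dyolo-kya-pg/Cargo.toml
COPY dyolo-kya-identity/Cargo.toml dyolo-kya-identity/Cargo.toml

# Stub every workspace member so Cargo can fetch and compile all dependencies
# without the real source. The bench file declared in Cargo.toml is stubbed
# too. `|| exit 1` stops the loop on the first failure; otherwise only the
# last iteration's status would decide the result of the loop.
RUN mkdir -p benches && touch benches/chain_bench.rs && \
    for d in . dyolo-kya-redis dyolo-kya-pg dyolo-kya-identity; do \
        mkdir -p "$d/src" && echo "pub fn _stub(){}" > "$d/src/lib.rs" || exit 1; \
    done && \
    mkdir -p dyolo-kya-gateway/src && echo "fn main(){}" > dyolo-kya-gateway/src/main.rs && \
    mkdir -p dyolo-kya-cli/src && echo "fn main(){}" > dyolo-kya-cli/src/main.rs

# Dependency-only build: this layer is reused until a manifest or the
# lockfile changes.
RUN cargo build --release -p dyolo-kya-gateway

# Copy the real source and rebuild only what changed.
# dyolo-kya-cli is not copied: its stub from the layer above stays in place,
# which is enough here because only the gateway package is built.
COPY src/ src/
COPY build.rs build.rs
COPY cbindgen.toml cbindgen.toml
COPY benches/ benches/
COPY dyolo-kya-redis/ dyolo-kya-redis/
COPY dyolo-kya-pg/ dyolo-kya-pg/
COPY dyolo-kya-identity/ dyolo-kya-identity/
COPY dyolo-kya-gateway/ dyolo-kya-gateway/

# Bump the mtime of every crate root that was stubbed and has now been
# replaced. COPY can keep the source files' original timestamps, which may be
# older than the stub build artifacts; Cargo would then treat the stub build
# as fresh and skip recompiling that crate.
RUN touch src/lib.rs \
        dyolo-kya-redis/src/lib.rs \
        dyolo-kya-pg/src/lib.rs \
        dyolo-kya-identity/src/lib.rs \
        dyolo-kya-gateway/src/main.rs && \
    cargo build --release -p dyolo-kya-gateway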
# ── Runtime ───────────────────────────────────────────────────────────────────
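# Runtime image: only the release binary plus the packages installed below.
# NOTE(review): pinned by tag only; adding the image digest would fix the
# exact base used for each release.
FROM debian:bookworm-slim

# curl is installed only for the HEALTHCHECK below. ca-certificates and
# libssl3 are presumably required by the gateway binary for TLS; confirm
# against its linked libraries before removing either.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        libssl3 && \
    rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged account with a fixed numeric UID/GID, so that
# orchestrators can verify the container does not run as root.
RUN groupadd --system --gid 10001 gateway && \
    useradd --system --uid 10001 --gid gateway --no-create-home \
        --shell /usr/sbin/nologin gateway

COPY --from=builder /build/target/release/dyolo-kya-gateway /usr/local/bin/dyolo-kya-gateway

# Drop root before the service starts. Port 8080 is unprivileged, so the bind
# needs no extra capabilities.
# NOTE(review): assumes the gateway writes nothing to root-owned paths at
# runtime; verify before release.
USER 10001:10001

# Listen on all interfaces inside the container; which interfaces are reachable
# from outside is decided by how the port is published.
ENV GATEWAY_ADDR=0.0.0.0:8080
EXPOSE 8080

# curl -f fails on HTTP error statuses; `|| exit 1` maps every curl failure
# code to the single "unhealthy" status Docker expects.
HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1

# Set DYOLO_SIGNING_KEY_HEX and DYOLO_MAC_KEY_HEX at runtime via environment
# or a secrets manager. Do not set them with ENV or ARG in this file: values
# given there are stored in the image metadata and history and are readable
# by anyone who can pull the image.
# Omitting them generates ephemeral keys, which is acceptable for development,
# but certs will be unverifiable after a container restart.
ENTRYPOINT ["/usr/local/bin/dyolo-kya-gateway"]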