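# syntax=docker/dockerfile:1
# ─────────────────────────────────────────────
# Stage 1: Build
# ─────────────────────────────────────────────
# SHA256 pinned for reproducible builds (E10-05).
# The digest below was taken for linux/amd64, which is also the target
# hard-coded in the go build step further down; keep the two in sync.
# To refresh: docker pull --platform linux/amd64 golang:1.24-alpine && docker inspect ... | jq -r '.[0].RepoDigests[0]'
FROM golang:1.24-alpine@sha256:8bee1901f1e530bfb4a7850aa7a479d17ae3a18beb6e09064ed54cfd245b7191 AS builder

# git is needed for module fetches over VCS; ca-certificates so the module
# proxy / sumdb can be reached over TLS. Neither reaches the runtime image.
RUN apk add --no-cache git ca-certificates

WORKDIR /app

# Download dependencies first (cache layer): this layer is reused until
# go.mod or go.sum changes. Downloads are checked against go.sum, so a
# tampered module fails here rather than at build time.
COPY go.mod go.sum ./
RUN go mod download

# Copy source and build.
# NOTE(review): `COPY . .` ships the whole build context into the builder
# stage; rely on .dockerignore to keep .git, local env files and any
# credentials out of it — confirm one exists alongside this Dockerfile.
COPY . .
# -trimpath strips build-host paths from the binary so two builds of the
# same commit produce the same bytes (supports the E10-05 reproducibility
# goal); -s -w drop symbol and DWARF tables. CGO_ENABLED=0 yields a fully
# static binary, which is what lets the runtime stage be distroless/static.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
    go build -trimpath -ldflags="-s -w -extldflags '-static'" \
    -o /app/bin/proxy ./cmd/proxy/

# ─────────────────────────────────────────────
# Stage 2: Runtime (distroless — no shell, minimal attack surface)
# ─────────────────────────────────────────────
# SHA256 pinned for reproducible builds (E10-05).
FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838

WORKDIR /app

# Copy binary and default config.
# No --chown on purpose: both files stay root-owned, so the non-root
# runtime user below can read but not modify its own binary or config.
# NOTE(review): config.yaml is baked into the image — confirm it holds no
# secrets; those belong in a mounted file or secret store, not a layer.
COPY --from=builder /app/bin/proxy .
COPY --from=builder /app/config.yaml .

# Non-root user (distroless default uid 65532). Set after all COPY steps
# so nothing below runs with root privileges.
USER 65532:65532

# Documentation only; >1024 so it is bindable by the unprivileged user.
EXPOSE 8090

# No HEALTHCHECK: this base has no shell or curl to run a probe with.
# If the proxy gains a self-check subcommand, wire it here — TODO confirm.
# Exec form so the proxy is PID 1 and receives SIGTERM from `docker stop`.
ENTRYPOINT ["/app/proxy"]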