# SaaS bridge-peer container. Multi-stage; final image ~50 MB
# (Python + fastapi + the twin binary).
#
# Per-SaaS Dockerfiles inherit this base and set ARQERA_SAAS_NAME +
# any SaaS-specific args.

# Global build args. An ARG declared before the first FROM is only visible to
# FROM lines; each stage below that needs one of these redeclares it by name.
#
# Release tag of the twin binary; interpolated into the download URL in the
# `fetcher` stage.
ARG TWIN_VERSION=v0.3.0
# SaaS identifier; exported as ARQERA_SAAS_NAME in the `runtime` stage.
ARG SAAS_NAME=template

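# Stage 1 (fetcher): download the prebuilt `twin` release archive for the
# target architecture and unpack it to /usr/local/bin/twin. Only that one file
# is copied out of this stage.
FROM alpine:3.20 AS fetcher
ARG TWIN_VERSION
# Set automatically by BuildKit; may be empty under other builders, which the
# case statement below now rejects instead of requesting "twin-.tar.xz".
ARG TARGETARCH
# Optional: expected SHA-256 (hex) of the release archive for the architecture
# being built. The archive is fetched over HTTPS, but that alone does not
# detect a replaced release asset, so supply this for production builds. The
# digest differs per architecture; a multi-platform build needs one value per
# platform.
# NOTE(review): verification is skipped (with a warning) when the arg is empty
# so existing builds keep working — consider making it mandatory.
ARG TWIN_SHA256=""
RUN apk add --no-cache curl ca-certificates
# Download to a file rather than piping curl into tar: without pipefail a
# failed download in a pipeline is masked by tar's exit status.
# NOTE(review): `tar -O` writes every extracted member to stdout, so the binary
# is only intact if the archive holds exactly one file below its top-level
# directory — confirm against the release layout.
RUN set -eu; \
    case "${TARGETARCH:-}" in \
        amd64) ARCH="x86_64-unknown-linux-musl" ;; \
        arm64) ARCH="aarch64-unknown-linux-musl" ;; \
        *) echo "unsupported or unset TARGETARCH: '${TARGETARCH:-}'" >&2; exit 1 ;; \
    esac; \
    curl -fsSL -o /tmp/twin.tar.xz \
        "https://github.com/Arqera-IO/ara-protocol/releases/download/${TWIN_VERSION}/twin-${ARCH}.tar.xz"; \
    if [ -n "${TWIN_SHA256}" ]; then \
        echo "${TWIN_SHA256}  /tmp/twin.tar.xz" | sha256sum -c -; \
    else \
        echo "WARNING: TWIN_SHA256 not set; twin archive integrity was not verified" >&2; \
    fi; \
    tar -xJ -f /tmp/twin.tar.xz -C /tmp --strip-components=1 -O > /usr/local/bin/twin; \
    test -s /usr/local/bin/twin; \
    rm -f /tmp/twin.tar.xz; \
    chmod +x /usr/local/bin/twin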

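# Stage 2 (runtime): Python image carrying the twin binary and the FastAPI
# bridge app (main.py), served by uvicorn on port 8000.
# NOTE(review): the base tag is not pinned by digest, so rebuilds can pick up a
# different image; pin `python:3.12-slim@sha256:<digest>` for reproducible builds.
FROM python:3.12-slim AS runtime
ARG SAAS_NAME
ENV ARQERA_SAAS_NAME=${SAAS_NAME}

COPY --from=fetcher /usr/local/bin/twin /usr/local/bin/twin
# NOTE(review): fastapi and uvicorn are installed unpinned, so each rebuild
# resolves whatever versions are current. Pin exact versions (ideally through a
# hash-checked requirements file) once the supported versions are known.
RUN pip install --no-cache-dir fastapi uvicorn

WORKDIR /app
COPY main.py /app/main.py

# Required env at runtime (the CMD below refuses to start without them):
#   PEER_SEED                    — Ed25519 seed (per-bridge identity)
#   ARQERA_SAAS_SIGNING_SECRET   — SaaS-supplied webhook signing secret
#
# Optional:
#   ARQERA_SAAS_SIG_HEADER       — defaults to X-Hub-Signature-256
#   ARQERA_USE_KEYCHAIN          — Mac-only; ignored elsewhere
#
# The two secrets are declared empty on purpose: real values must be injected
# when the container starts, never via ENV/ARG at build time, where they would
# persist in the image config and history. Values passed as environment
# variables are still readable through container inspection and by every
# process in the container; a mounted secret file is the stronger option if the
# app can be taught to read one.
ENV PEER_SEED=""
ENV ARQERA_SAAS_SIGNING_SECRET=""
ENV ARQERA_SAAS_SIG_HEADER="X-Hub-Signature-256"

# Directory that receives peer.key at start-up; keep it owner-only.
RUN mkdir -p /root/.arqera && chmod 700 /root/.arqera

EXPOSE 8000

# NOTE(review): no USER is set, so uvicorn runs as root. Moving to a dedicated
# non-root user also means relocating /root/.arqera, and how main.py / twin
# locate peer.key is not visible here — confirm before changing.
#
# Exec form, so `exec uvicorn` replaces the single shell and uvicorn receives
# SIGTERM directly. Before starting, the command:
#   - aborts when either required secret is unset or empty (previously an empty
#     peer.key was written silently; how main.py treats an empty signing secret
#     is not visible here),
#   - sets umask 077 so peer.key is never created with wider permissions,
#   - writes the seed with printf, which emits it byte-for-byte (dash's echo
#     interprets backslash escapes).
CMD ["sh", "-c", ": \"${PEER_SEED:?PEER_SEED must be set}\" \"${ARQERA_SAAS_SIGNING_SECRET:?ARQERA_SAAS_SIGNING_SECRET must be set}\" && umask 077 && printf '%s' \"${PEER_SEED}\" > /root/.arqera/peer.key && chmod 600 /root/.arqera/peer.key && exec uvicorn main:app --host 0.0.0.0 --port 8000"]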
