zclaw_openfang/Dockerfile

# ============================================================
# ZCLAW SaaS Backend - Multi-stage Docker Build
# ============================================================

# ---- Stage 1: Builder ----
FROM rust:1.75-bookworm AS builder

# Install build dependencies for sqlx (postgres) and libsqlite3-sys (bundled)
RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config \
    libssl-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy workspace manifests first to leverage Docker layer caching
COPY Cargo.toml Cargo.lock ./

# Create stub source files so cargo can resolve and cache dependencies
# This avoids rebuilding dependencies when only application code changes
RUN mkdir -p crates/zclaw-saas/src \
    && echo 'fn main() {}' > crates/zclaw-saas/src/main.rs \
    && for crate in zclaw-types zclaw-memory zclaw-runtime zclaw-kernel \
                  zclaw-skills zclaw-hands zclaw-channels zclaw-protocols \
                  zclaw-pipeline zclaw-growth; do \
        mkdir -p crates/$crate/src && echo '' > crates/$crate/src/lib.rs; \
    done \
    && mkdir -p desktop/src-tauri/src && echo 'fn main() {}' > desktop/src-tauri/src/main.rs

# Pre-build dependencies (release profile with caching)
RUN cargo build --release --package zclaw-saas 2>/dev/null || true

# Copy actual source code (invalidates stubs, triggers recompile of app code only)
COPY crates/ crates/
COPY desktop/ desktop/

# Touch source files to invalidate the stub timestamps
RUN touch crates/zclaw-saas/src/main.rs \
    && for crate in zclaw-types zclaw-memory zclaw-runtime zclaw-kernel \
                  zclaw-skills zclaw-hands zclaw-channels zclaw-protocols \
                  zclaw-pipeline zclaw-growth; do \
        touch crates/$crate/src/lib.rs 2>/dev/null || true; \
    done \
    && touch desktop/src-tauri/src/main.rs 2>/dev/null || true

# Build the actual binary
RUN cargo build --release --package zclaw-saas

# ---- Stage 2: Runtime ----
FROM debian:bookworm-slim AS runtime

# Install runtime dependencies (ca-certificates for HTTPS, libgcc for Rust runtime)
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    libgcc-s \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

# Create non-root user for security
RUN groupadd --gid 1000 zclaw \
    && useradd --uid 1000 --gid zclaw --shell /bin/false zclaw

WORKDIR /app

# Copy binary from builder
COPY --from=builder /app/target/release/zclaw-saas /app/zclaw-saas

# Copy configuration file
COPY saas-config.toml /app/saas-config.toml

# Ensure the non-root user owns the application files
RUN chown -R zclaw:zclaw /app

USER zclaw

# Expose the SaaS API port
EXPOSE 8080

# Health check endpoint (matches the saas-config.toml port)
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD ["/app/zclaw-saas", "--healthcheck"] || exit 1

ENTRYPOINT ["/app/zclaw-saas"]