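# Multi-stage: static CGO-free build (pure-Go SQLite) → distroless runtime.
#
# NOTE(review): this file had been collapsed onto a single line that starts
# with '#', which the Dockerfile parser reads as one long comment with no
# instructions. It is restored here to one instruction per line.
#
# Supply-chain note: both base images below are referenced by mutable tag
# only. For reproducible, tamper-evident builds, pin each FROM by digest
# (image:tag@sha256:<digest>) and bump the digest deliberately.

# ---- build stage: toolchain and sources, discarded after the build ----
FROM golang:1.25 AS build
WORKDIR /src

# Cache module downloads: only go.mod/go.sum are copied first, so this layer
# is reused until the dependency set changes. go.sum must stay committed so
# downloaded modules are checked against the recorded hashes.
COPY go.mod go.sum ./
RUN go mod download

# Copies the whole build context into the build stage. Keep a .dockerignore
# that excludes .git, .env files and any local state directory so credentials
# and ledger data never land in build layers or a shared build cache.
COPY . .

# CGO disabled so the binary is fully static for a distroless/scratch base.
# -trimpath removes local filesystem paths from the binary; -s -w drop the
# symbol table and DWARF debug info.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/ai-bot .

# ---- runtime stage: no shell, no package manager, non-root by default ----
FROM gcr.io/distroless/static-debian12:nonroot
WORKDIR /app
COPY --from=build /out/ai-bot /app/ai-bot

# System prompt(s) ship with the image; override via SYSTEM_PROMPT_PATH + a mount.
# Everything under prompts/ is readable by anyone who can pull the image, so
# prompt files must not contain credentials or other secrets.
COPY --from=build /src/prompts /app/prompts

# STATE_DIR (SQLite: spend ledger + txn dedup) is a mounted volume in compose.
# The process runs as the unprivileged nonroot user, so the mounted volume has
# to be writable by that user. Fix the volume's ownership rather than running
# the container as root.
ENV STATE_DIR=/state

# Appservice transaction-push port (Synapse → bot). Match AS_ADDR / the
# registration `url`.
# ":8009" listens on every interface inside the container. Only the homeserver
# needs to reach it, so keep the port on the internal compose network instead
# of publishing it on the host.
ENV AS_ADDR=:8009
EXPOSE 8009

# Explicit even though the :nonroot base tag already defaults to this user, so
# a later base-image change cannot silently revert the container to root.
USER nonroot:nonroot
ENTRYPOINT ["/app/ai-bot"]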