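# GoReleaser Dockerfile
# Used by GoReleaser to package pre-built binaries into Docker images.
# For standalone builds, use the main Dockerfile instead.
#
# Supply-chain note: the base images below are referenced by tag only, and
# tags are mutable. For reproducible release images, pin each FROM by digest,
# e.g. busybox:1.36-uclibc@sha256:<digest-placeholder>.

# Helper stage: creates /data with ownership for the non-root user (UID 65532)
# and is the single source of the busybox wget binary copied below.
FROM busybox:1.36-uclibc AS perms
RUN mkdir -p /data && chown 65532:65532 /data

# Runtime stage. Tagged explicitly instead of relying on the implicit :latest;
# the :nonroot variant defaults to the same unprivileged user set by USER below.
FROM gcr.io/distroless/static-debian12:nonroot

# Copy wget from busybox for healthcheck (distroless has no shell tools).
# Taken from the perms stage so only one busybox reference has to be pinned.
# NOTE(review): busybox applets are links to one multi-call binary, so this
# likely ships the whole busybox executable under the name wget. Confirm that
# is acceptable for the image's attack-surface goals.
COPY --from=perms /bin/wget /usr/bin/wget

# OCI labels are set via GoReleaser build_flag_templates

# Copy pre-built binary from GoReleaser
COPY sentinel-gate /sentinel-gate

# State persistence volume with correct ownership for non-root user.
# --chown is REQUIRED: COPY --from=<stage> does not preserve ownership by default
# (copies as 0:0), which would strip the chown done in the perms stage and leave
# /data owned by root, breaking write access for the nonroot user (UID 65532).
COPY --chown=65532:65532 --from=perms /data /data
VOLUME ["/data"]

ENV SENTINEL_GATE_STATE_PATH=/data/state.json
ENV PORT=8080
# NOTE(review): presumably this relaxes access control on the admin interface;
# confirm against the application docs. If so, every container started from
# this image exposes the admin API (including /admin/api/v1/system/resume)
# in that mode unless the operator overrides the variable. Consider leaving
# it unset here and making it an explicit opt-in at deploy time.
ENV SENTINEL_GATE_ADMIN_OPEN=true

# Working directory under the writable volume. REQUIRED: the binary creates
# evidence-key.pem using a relative path; without WORKDIR /data it would try
# to write to / (root filesystem, read-only for the nonroot user) and crash
# at startup. The main Dockerfile already sets this; they must stay aligned.
# Consequence: evidence-key.pem lives in the /data volume next to state.json,
# so anything that can read the volume can read the key.
WORKDIR /data

# Run as non-root user. Numeric UID:GID (the distroless "nonroot" account) so
# runtimes that enforce runAsNonRoot can verify it without reading /etc/passwd.
USER 65532:65532

# Expose HTTP port
EXPOSE 8080

# Liveness check: verifies the process is alive and responding.
# Uses /health (not /readyz) so a persistent kill switch does not trigger a restart loop.
# The kill switch is a deliberate security state, not a failure — the admin can resume
# via the dashboard or POST /admin/api/v1/system/resume.
# The port is hard-coded: exec form performs no variable expansion, so if PORT
# is overridden at runtime the healthcheck must be overridden to match.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD ["/usr/bin/wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/health"]

ENTRYPOINT ["/sentinel-gate"]
CMD ["start"]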