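# syntax=docker/dockerfile:1

# Stage 1: Rebuild gosu with patched Go compiler
# gosu 1.19 (bundled in postgres base image) was built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# Rebuilding from source with Go 1.26 (Alpine 3.22) eliminates all Go stdlib CVEs.
FROM golang:1.26-alpine3.22 AS gosu-builder
ARG GOSU_VERSION=1.19
# CGO_ENABLED=0 produces a static binary with no dependency on the builder's libc;
# '-s -w' strips symbol/DWARF tables and -trimpath removes build-host paths.
# `go install <module>@<version>` verifies the download against go.sum / the
# Go checksum database by default, so the source is integrity-checked.
RUN CGO_ENABLED=0 go install -ldflags '-s -w' -trimpath github.com/tianon/gosu@v${GOSU_VERSION}

# Stage 2: PostgreSQL with pgvector and patched gosu
FROM postgres:17.7-alpine3.22
LABEL maintainer="Mosaic Stack " \
      description="PostgreSQL 17 with pgvector extension and patched gosu"

# Replace vulnerable gosu binary with version rebuilt using Go 1.26.
# gosu only needs the execute bit: its job is to step DOWN from root to a
# less-privileged user, and it is invoked while the caller is already root.
# The previous `chmod +sx` also set the setuid/setgid bits, which would let any
# unprivileged process inside the container use gosu to run commands as root —
# the opposite of what it is for. `gosu nobody true` is a smoke test that the
# rebuilt binary runs on this base image.
COPY --from=gosu-builder /go/bin/gosu /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu && gosu nobody true

# Apply any remaining OS-level patches. `--no-cache` fetches a fresh package
# index for this command only, instead of a separate `apk update` that leaves
# the index in /var/cache/apk/ inside the layer.
RUN apk upgrade --no-cache

# Build pgvector v0.7.4 (without LLVM bitcode compilation).
# Toolchain install, build and `apk del .build-deps` are deliberately in ONE
# layer: removing the build packages in a later RUN would not shrink the image,
# because they would already be baked into the earlier layer.
# `--depth 1` avoids fetching the full history for a single tag.
# NOTE(review): a git tag is mutable; if reproducible builds matter, pin the
# commit the tag resolves to (and verify it) — TODO confirm expected commit.
RUN apk add --no-cache --virtual .build-deps \
        build-base \
        git \
    && git clone --depth 1 --branch v0.7.4 https://github.com/pgvector/pgvector.git /tmp/pgvector \
    && cd /tmp/pgvector \
    && make OPTFLAGS="" with_llvm=no \
    && make install with_llvm=no \
    && cd / \
    && rm -rf /tmp/pgvector \
    && apk del .build-deps

# Copy initialization scripts (the base image's entrypoint runs the contents of
# this directory when the data directory is first initialized)
COPY init-scripts/ /docker-entrypoint-initdb.d/

# Expose PostgreSQL port (documentation only; publish it with -p at run time)
EXPOSE 5432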