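# syntax=docker/dockerfile:1
# PostgreSQL with pgvector and up-to-date gosu
#
# Override the base image's gosu binary with the latest from tianon/gosu.
# The postgres base image bundles gosu built with Go 1.24.6, which contains:
# - CVE-2025-68121 (CRITICAL): crypto/tls vulnerability
# - CVE-2025-58183 (HIGH): archive/tar unbounded allocation
# - CVE-2025-61726 (HIGH): net/url memory exhaustion
# - CVE-2025-61728 (HIGH): archive/zip CPU exhaustion
# - CVE-2025-61729 (HIGH): crypto/x509 DoS
# - CVE-2025-61730 (HIGH): TLS 1.3 handshake vulnerability
# The tianon/gosu image is rebuilt with recent Go toolchains, eliminating these CVEs.
# Using COPY --from avoids `go install` failures (gosu lacks semver Go module tags).

FROM postgres:17.7-alpine3.22

LABEL maintainer="Mosaic Stack "
LABEL description="PostgreSQL 17 with pgvector extension and patched gosu"

# Image that supplies the replacement gosu binary. The default floats on the
# image's latest tag, which is what keeps the binary current; for a reproducible,
# auditable build override it with a digest-pinned reference, e.g.
#   docker build --build-arg GOSU_IMAGE=tianon/gosu@sha256:<digest> .   (placeholder)
# Expansion of an ARG inside COPY --from relies on the BuildKit frontend
# selected by the syntax directive above.
ARG GOSU_IMAGE=tianon/gosu
# pgvector release to build. A git tag can be re-pointed upstream, so a commit
# hash may be substituted here when stricter pinning is required.
ARG PGVECTOR_VERSION=v0.7.4

# Replace the vulnerable gosu binary with the pre-built one from tianon/gosu,
# then prove the new binary actually executes here at build time. A broken or
# wrong-architecture gosu would otherwise only surface when docker-entrypoint.sh
# tries to drop privileges at container start.
COPY --from=${GOSU_IMAGE} /gosu /usr/local/bin/gosu
RUN chmod +x /usr/local/bin/gosu \
    && gosu --version \
    && gosu nobody true

# Pull in any remaining OS-level patches. --no-cache fetches a fresh package
# index for this command only and leaves nothing in /var/cache/apk, so no
# separate `apk update` and no cleanup step are needed.
RUN apk upgrade --no-cache

# Build pgvector in ONE layer. Installing the toolchain, building, and
# `apk del` must share a layer: a deletion in a later RUN does not remove the
# files from the earlier layer, so the image keeps the full build toolchain.
# OPTFLAGS="" overrides pgvector's default CPU-specific optimisation flags so
# the extension runs on any host CPU; with_llvm=no skips LLVM bitcode
# compilation, as in the original build.
RUN apk add --no-cache --virtual .build-deps \
        build-base \
        git \
    && git clone --depth 1 --branch "${PGVECTOR_VERSION}" \
        https://github.com/pgvector/pgvector.git /tmp/pgvector \
    && make -C /tmp/pgvector OPTFLAGS="" with_llvm=no \
    && make -C /tmp/pgvector install with_llvm=no \
    && rm -rf /tmp/pgvector \
    && apk del .build-deps

# Copy initialization scripts; the base image's entrypoint runs them on first
# database initialisation.
COPY init-scripts/ /docker-entrypoint-initdb.d/

# Expose PostgreSQL port (documentation only; publish with -p at run time)
EXPOSE 5432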