veza/veza-stream-server/Dockerfile

# Build stage - context: repo root (for veza-common path dep)
FROM rust:alpine AS builder

WORKDIR /build

# Copy veza-common (path dependency) and stream-server
COPY veza-common ./veza-common
COPY veza-stream-server/Cargo.toml veza-stream-server/Cargo.lock ./veza-stream-server/
COPY veza-stream-server/benches ./veza-stream-server/benches

# Install build dependencies
RUN apk add --no-cache musl-dev ca-certificates perl make pkgconfig openssl-dev protobuf-dev openssl-libs-static

WORKDIR /build/veza-stream-server

# Fetch dependencies (this layer will be cached if Cargo.toml/Cargo.lock don't change)
RUN cargo fetch --locked

# Copy source code
COPY veza-stream-server/src ./src
COPY veza-stream-server/migrations ./migrations
COPY veza-stream-server/proto ./proto
COPY veza-stream-server/build.rs ./

# Build the application (runtime queries only, no SQLX_OFFLINE needed)
RUN cargo build --release --locked --target x86_64-unknown-linux-musl

# Runtime stage
FROM alpine:3.21

# Install runtime dependencies
RUN apk --no-cache add ca-certificates tzdata && \
    # Add wget for health checks
    apk --no-cache add wget && \
    # Clean up apk cache
    rm -rf /var/cache/apk/*

# Create non-root user for security
RUN addgroup -g 1001 -S app && \
    adduser -S app -u 1001 -G app -h /app -s /bin/sh && \
    mkdir -p /var/log/veza && chown app:app /var/log/veza

# Set working directory
WORKDIR /app

# Copy binary from builder
COPY --from=builder --chown=app:app /build/veza-stream-server/target/x86_64-unknown-linux-musl/release/stream_server /app/stream_server

# Copy migrations if they exist (Removed as directory does not exist)
# COPY --from=builder --chown=app:app /app/migrations ./migrations

# Switch to app user
USER app

# Expose port (matches VITE_STREAM_PORT and docker-compose mapping)
EXPOSE 18082

# Health check
HEALTHCHECK --interval=30s --timeout=15s --start-period=60s --retries=5 \
    CMD wget --no-verbose --tries=1 --spider http://localhost:${PORT:-18082}/health || exit 1

# Run the application
CMD ["./stream_server"]
fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`# Build stage - context: repo root (for veza-common path dep)`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00			`FROM rust:alpine AS builder`

fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`WORKDIR /build`

			`# Copy veza-common (path dependency) and stream-server`
			`COPY veza-common ./veza-common`
			`COPY veza-stream-server/Cargo.toml veza-stream-server/Cargo.lock ./veza-stream-server/`
			`COPY veza-stream-server/benches ./veza-stream-server/benches`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Install build dependencies`
			`RUN apk add --no-cache musl-dev ca-certificates perl make pkgconfig openssl-dev protobuf-dev openssl-libs-static`

fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`WORKDIR /build/veza-stream-server`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Fetch dependencies (this layer will be cached if Cargo.toml/Cargo.lock don't change)`
			`RUN cargo fetch --locked`

			`# Copy source code`
fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`COPY veza-stream-server/src ./src`
			`COPY veza-stream-server/migrations ./migrations`
			`COPY veza-stream-server/proto ./proto`
			`COPY veza-stream-server/build.rs ./`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`# Build the application (runtime queries only, no SQLX_OFFLINE needed)`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00			`RUN cargo build --release --locked --target x86_64-unknown-linux-musl`

			`# Runtime stage`
fix(v0.12.6): apply all pentest remediations — 36 findings across 36 files CRITICAL fixes: - Race condition (TOCTOU) in payout/refund with SELECT FOR UPDATE (CRITICAL-001/002) - IDOR on analytics endpoint — ownership check enforced (CRITICAL-003) - CSWSH on all WebSocket endpoints — origin whitelist (CRITICAL-004) - Mass assignment on user self-update — strip privileged fields (CRITICAL-005) HIGH fixes: - Path traversal in marketplace upload — UUID filenames (HIGH-001) - IP spoofing — use Gin trusted proxy c.ClientIP() (HIGH-002) - Popularity metrics (followers, likes) set to json:"-" (HIGH-003) - bcrypt cost hardened to 12 everywhere (HIGH-004) - Refresh token lock made mandatory (HIGH-005) - Stream token replay prevention with access_count (HIGH-006) - Subscription trial race condition fixed (HIGH-007) - License download expiration check (HIGH-008) - Webhook amount validation (HIGH-009) - pprof endpoint removed from production (HIGH-010) MEDIUM fixes: - WebSocket message size limit 64KB (MEDIUM-010) - HSTS header in nginx production (MEDIUM-001) - CORS origin restricted in nginx-rtmp (MEDIUM-002) - Docker alpine pinned to 3.21 (MEDIUM-003/004) - Redis authentication enforced (MEDIUM-005) - GDPR account deletion expanded (MEDIUM-006) - .gitignore hardened (MEDIUM-007) LOW/INFO fixes: - GitHub Actions SHA pinning on all workflows (LOW-001) - .env.example security documentation (INFO-001) - Production CORS set to HTTPS (LOW-002) All tests pass. Go and Rust compile clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 23:44:46 +00:00			`FROM alpine:3.21`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Install runtime dependencies`
			`RUN apk --no-cache add ca-certificates tzdata && \`
			`# Add wget for health checks`
			`apk --no-cache add wget && \`
			`# Clean up apk cache`
			`rm -rf /var/cache/apk/*`

			`# Create non-root user for security`
			`RUN addgroup -g 1001 -S app && \`
feat: backend, stream server & infra improvements Backend (Go): - Config: CORS, RabbitMQ, rate limit, main config updates - Routes: core, distribution, tracks routing changes - Middleware: rate limiter, endpoint limiter, response cache hardening - Handlers: distribution, search handler fixes - Workers: job worker improvements - Upload validator and logging config additions - New migrations: products, orders, performance indexes - Seed tooling and data Stream Server (Rust): - Audio processing, config, routes, simple stream server updates - Dockerfile improvements Infrastructure: - docker-compose.yml updates - nginx-rtmp config changes - Makefile improvements (config, dev, high, infra) - Root package.json and lock file updates - .env.example updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:36:06 +00:00			`adduser -S app -u 1001 -G app -h /app -s /bin/sh && \`
			`mkdir -p /var/log/veza && chown app:app /var/log/veza`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Set working directory`
			`WORKDIR /app`

			`# Copy binary from builder`
fix(chat-server): ensure sqlx-data.json available for Docker build - Remove sqlx-data.json from .dockerignore to allow SQLX_OFFLINE build - Use repo root as build context for veza-common path dependency - Add SQLX_OFFLINE=true and COPY sqlx-data.json in Dockerfile 2026-02-18 11:38:16 +00:00			`COPY --from=builder --chown=app:app /build/veza-stream-server/target/x86_64-unknown-linux-musl/release/stream_server /app/stream_server`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Copy migrations if they exist (Removed as directory does not exist)`
			`# COPY --from=builder --chown=app:app /app/migrations ./migrations`

			`# Switch to app user`
			`USER app`

feat: backend, stream server & infra improvements Backend (Go): - Config: CORS, RabbitMQ, rate limit, main config updates - Routes: core, distribution, tracks routing changes - Middleware: rate limiter, endpoint limiter, response cache hardening - Handlers: distribution, search handler fixes - Workers: job worker improvements - Upload validator and logging config additions - New migrations: products, orders, performance indexes - Seed tooling and data Stream Server (Rust): - Audio processing, config, routes, simple stream server updates - Dockerfile improvements Infrastructure: - docker-compose.yml updates - nginx-rtmp config changes - Makefile improvements (config, dev, high, infra) - Root package.json and lock file updates - .env.example updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:36:06 +00:00			`# Expose port (matches VITE_STREAM_PORT and docker-compose mapping)`
			`EXPOSE 18082`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Health check`
			`HEALTHCHECK --interval=30s --timeout=15s --start-period=60s --retries=5 \`
feat: backend, stream server & infra improvements Backend (Go): - Config: CORS, RabbitMQ, rate limit, main config updates - Routes: core, distribution, tracks routing changes - Middleware: rate limiter, endpoint limiter, response cache hardening - Handlers: distribution, search handler fixes - Workers: job worker improvements - Upload validator and logging config additions - New migrations: products, orders, performance indexes - Seed tooling and data Stream Server (Rust): - Audio processing, config, routes, simple stream server updates - Dockerfile improvements Infrastructure: - docker-compose.yml updates - nginx-rtmp config changes - Makefile improvements (config, dev, high, infra) - Root package.json and lock file updates - .env.example updates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 10:36:06 +00:00			`CMD wget --no-verbose --tries=1 --spider http://localhost:${PORT:-18082}/health \|\| exit 1`
adding initial stream server (Rust) 2025-12-03 19:36:56 +00:00
			`# Run the application`
			`CMD ["./stream_server"]`