From e17b74041509baf22ac9687f11ffdf8c3a8b8d20 Mon Sep 17 00:00:00 2001
From: Draco-Lunaris-Echo
Date: Sun, 7 Jun 2026 22:59:32 -0500
Subject: [PATCH] fix(docker): complete Dockerfile audit - migrations, deps, openssl (#49)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Three issues fixed in the multi-stage Docker build:
1. CRITICAL: Add COPY migrations/ to rust-builder stage
 - sqlx::migrate!(../../migrations) is a compile-time proc macro
 - Without migrations/ present, cargo build fails with 'no such file or directory'
 - Previously migrations/ was only copied in runtime stage (too late)
2. Copy individual crate Cargo.toml files for dependency caching
 - The dummy-build caching step only copied workspace Cargo.toml/Cargo.lock
 - Without crate-level manifests, cargo couldn't resolve the workspace
 - This meant the cache layer was ineffective (rebuilt everything on code changes)
3. Add openssl package to runtime stage
 - entrypoint.sh uses openssl rand, openssl genpkey, openssl pkey
 - Only libssl3t64 (shared library) was installed, not the CLI tool
 - Runtime would fail on first-run key generation
All stages verified: Ubuntu 24.04 ✅ Rust via rustup (1.85+) ✅
---
 Dockerfile | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 1dcd01a..ac6e58a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,14 @@ WORKDIR /usr/src/app
 # Cache dependencies by building a dummy project first
 COPY Cargo.toml Cargo.lock ./
+COPY crates/pm-web/Cargo.toml crates/pm-web/Cargo.toml
+COPY crates/pm-worker/Cargo.toml crates/pm-worker/Cargo.toml
+COPY crates/pm-core/Cargo.toml crates/pm-core/Cargo.toml
+COPY crates/pm-agent-client/Cargo.toml crates/pm-agent-client/Cargo.toml
+COPY crates/pm-auth/Cargo.toml crates/pm-auth/Cargo.toml
+COPY crates/pm-ca/Cargo.toml crates/pm-ca/Cargo.toml
+COPY crates/pm-reports/Cargo.toml crates/pm-reports/Cargo.toml
+COPY crates/migrate-secrets/Cargo.toml crates/migrate-secrets/Cargo.toml
 RUN mkdir -p crates/pm-web/src crates/pm-worker/src crates/pm-core/src \
 crates/pm-agent-client/src crates/pm-auth/src crates/pm-ca/src \
 crates/pm-reports/src crates/migrate-secrets/src
@@ -43,6 +51,7 @@ RUN cargo build --release 2>/dev/null || true
 # Now build the real project
 COPY crates/ crates/
+COPY migrations/ migrations/
 RUN cargo build --release
 # Verify binaries exist
@@ -84,6 +93,7 @@ RUN apt-get update && apt-get install -y \
 ca-certificates \
 libssl3t64 \
 libfontconfig1 \
+ openssl \
 postgresql-client-16 \
 argon2 \
 curl \
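Review bot: The eight added `COPY crates/<name>/Cargo.toml` lines repeat the crate list that the `RUN mkdir -p` directly below them already spells out, and nothing ties either list to the workspace members. The dummy build shown in the next hunk header, `RUN cargo build --release 2>/dev/null || true`, discards its own errors, so a crate added to the workspace later but missed here would make the cache layer fail silently again, which is the failure the description says this change fixes. I would add a comment above the block, `# Keep in sync with the workspace members in Cargo.toml and with the mkdir list below; the dummy build ignores failures`. Dropping `2>/dev/null` from the dummy build (keeping `|| true`) would also leave a trace in the build log when the lists drift; that line sits outside this hunk.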
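Review bot: The added `COPY migrations/ migrations/` has no comment saying why a build stage needs the SQL migrations. The description says the directory is also copied in the runtime stage, so this line reads like a duplicate that a later cleanup could remove. I would put `# sqlx::migrate! reads migrations/ at compile time, so it must exist before cargo build` above it. Since the macro resolves the files during the build, it is worth checking whether the runtime-stage copy is still used by anything; that stage is outside this hunk.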
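Review bot: The install command visible in this hunk's header is `apt-get install -y` without `--no-install-recommends`, so the added `openssl`, like every other package in the list, can pull recommended packages into the runtime image; `RUN apt-get update && apt-get install -y --no-install-recommends \` keeps the image to what is listed. The new package also deserves a comment above the RUN such as `# openssl CLI is required by entrypoint.sh for first-run key generation`, because a command-line tool in a runtime image is otherwise an obvious candidate for removal in a hardening pass. The RUN instruction starts and ends outside the hunk, so whether the apt lists are removed in the same layer cannot be seen here.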