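# syntax=docker/dockerfile:1.7
# Partner-agnostic xray-core client image. config.json is bind-mounted.
#
# xray-core pin: teddysun/xray image tags map 1:1 to XTLS/Xray-core releases.
# Current pin: 26.5.9 (2026-05-21). Verified working with fingerprint:randomized
# Reality config (the utls/CurvePreferences crash in 26.5.0-26.5.3 was fixed by
# upstream 26.5.4+; 26.5.9 = current latest at pin time).
# Always pin to a specific tag, never :latest -- :latest defeats per-bundle
# reproducibility and re-opens the crash class if upstream regresses.
# 2026-05-20 fleet outage RCA: 26.4+ added a default-deny private-IP matcher in
# the freedom outbound that broke xray-reality -> 127.0.0.1:8907 forwarding.
# Server-side fix lives in oxpulse-chat xray_config.rs (ipsBlocked:[]).
# To bump: verify the new tag against a partner-edge xray-client.json using
# fingerprint:randomized, edit the FROM tag below AND open a bundle release
# (bump VERSION in release-please or tag manually) so partner-edge-xray image
# rebuilds.
#
# NOTE(review): a registry tag is mutable -- the publisher can re-push 26.5.9
# with different content. Appending the digest recorded when the tag was
# verified (teddysun/xray:26.5.9@sha256:DIGEST_PLACEHOLDER) would make the pin
# immutable and keep the reproducibility guarantee described above.
FROM teddysun/xray:26.5.9

# Build-time version stamp; only feeds the labels below.
ARG VERSION=dev

LABEL org.opencontainers.image.source="https://github.com/anatolykoptev/oxpulse-partner-edge"
LABEL org.opencontainers.image.description="OxPulse partner-edge xray-client — VLESS+Reality+XHTTP tunnel"
LABEL org.opencontainers.image.licenses="MIT"
LABEL org.opencontainers.image.version="${VERSION}"
LABEL oxpulse.component="partner-edge-xray"
LABEL oxpulse.version="${VERSION}"

# Upstream image lacks `ss`; add iproute2-style check tool for healthcheck.
# NOTE(review): no USER instruction follows this one, so root stays the image's
# default user at runtime. If the upstream image normally runs xray as a
# non-root user, restore that user after the RUN below -- confirm against the
# upstream image before changing.
USER root

# Best-effort install: try apk first, then apt-get when it exists. A failure
# does not break the build (HEALTHCHECK falls back to netstat), but it is now
# reported in the build log instead of being swallowed by `|| true`.
# --no-install-recommends keeps the apt path to iproute2 itself.
RUN apk add --no-cache iproute2 2>/dev/null \
    || (command -v apt-get >/dev/null \
        && apt-get update -q \
        && apt-get install -y -q --no-install-recommends iproute2 \
        && rm -rf /var/lib/apt/lists/*) \
    || echo "WARN: iproute2 not installed; HEALTHCHECK relies on the netstat fallback" >&2

# Documentation only: EXPOSE does not publish the port.
EXPOSE 3080

# Healthy when a TCP listener on :3080 is visible via ss, or via netstat when
# ss is unavailable. This only shows that the port is bound; it does not show
# that the tunnel is carrying traffic.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD sh -c "ss -ltn 2>/dev/null | grep -q ':3080 ' || netstat -ltn 2>/dev/null | grep -q ':3080 ' || exit 1"

# Upstream ENTRYPOINT launches xray with /etc/xray/config.json.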