# Containerization Runbook

## Image Build

If the repo consumes internal packages from Gitea, pass feed credentials as build args.

```bash
docker build --build-arg NUGET_FEED_USERNAME= --build-arg NUGET_FEED_TOKEN= -t agilewebs/thalos-bff:dev .
```

## Local Run

```bash
docker run --rm -p 8080:8080 \
  -e ThalosService__GrpcAddress=http://thalos-service:8081 \
  -e ThalosBff__Oidc__Google__ClientId= \
  -e ThalosBff__Oidc__Google__ClientSecret= \
  -e ThalosBff__Oidc__Google__RedirectUri=https://auth.dream-views.com/api/identity/oidc/google/callback \
  -e ThalosBff__Oidc__StateSigningSecret= \
  -e ThalosBff__SessionCookieSecure=true \
  -e ThalosBff__SessionCookieDomain=.dream-views.com \
  --name thalos-bff agilewebs/thalos-bff:dev
```

## Health Probe

- Path: `/health`
- Fallback path: `/healthz`
- Port: `8080`

## Runtime Notes

- Requires `ThalosService__GrpcAddress` to target thalos-service in distributed runs.
- The gRPC client contract protobuf is vendored at `src/Thalos.Bff.Rest/Protos/identity_runtime.proto` to keep image builds repo-local.
- The OIDC callback requires `ThalosBff__Oidc__Google__ClientId`, `ClientSecret`, `RedirectUri`, and `StateSigningSecret`.
- For cross-subdomain SPA auth, set `ThalosBff__SessionCookieDomain=.dream-views.com` and use secure cookies in non-local environments.
- Callback failures should land back on the central auth host (or another allowlisted return host) with `authError` and `correlationId` query values for UX recovery and support diagnostics.
- The OIDC state cookie is transient and should be cleared after any callback attempt, successful or failed.
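As an added preflight check (not part of the project's runbook or code): a POSIX shell function that validates the environment listed above before `docker run`, so a missing OIDC setting or an insecure cross-subdomain cookie is caught locally rather than at first login. Variable names are the ones from this runbook; the https-only RedirectUri rule and the "domain cookie implies Secure" rule are assumptions drawn from the runtime notes.

```shell
#!/usr/bin/env sh
# Preflight check for the thalos-bff container environment (added example,
# not part of the project). Call check_bff_env before `docker run`.

# Variables the runbook lists as required for the OIDC callback and for
# distributed runs.
REQUIRED_VARS="ThalosService__GrpcAddress \
ThalosBff__Oidc__Google__ClientId \
ThalosBff__Oidc__Google__ClientSecret \
ThalosBff__Oidc__Google__RedirectUri \
ThalosBff__Oidc__StateSigningSecret"

# check_bff_env prints one problem per line and returns 1 if any was found,
# 0 when the environment is complete and consistent.
check_bff_env() {
  rc=0
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing: $v"
      rc=1
    fi
  done
  # Assumption: the callback URI must be absolute https, since the IdP
  # redirects browsers (carrying the authorization code) to it.
  case "${ThalosBff__Oidc__Google__RedirectUri:-}" in
    https://*) ;;
    "") ;;  # already reported as missing above
    *) echo "insecure: ThalosBff__Oidc__Google__RedirectUri must use https"; rc=1 ;;
  esac
  # A cookie scoped to the parent domain is sent to every subdomain, so
  # outside local runs it must also be marked Secure (runbook note).
  if [ -n "${ThalosBff__SessionCookieDomain:-}" ] && \
     [ "${ThalosBff__SessionCookieSecure:-}" != "true" ]; then
    echo "insecure: SessionCookieDomain is set but SessionCookieSecure is not true"
    rc=1
  fi
  return $rc
}
```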