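# Two-stage image for a Flask/gunicorn service.
#   builder : installs Python dependencies (needs a compiler toolchain)
#   runtime : slim image with the installed deps, the app code and a non-root user

# ---- Build stage ------------------------------------------------------------
# NOTE(review): the tag is mutable. For reproducible builds pin by digest,
# e.g. python:3.11-slim@sha256:<digest-of-the-image-you-verified>.
FROM python:3.11-slim AS builder

WORKDIR /app

# Install build deps. The toolchain stays in this stage only and never
# reaches the runtime image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
    && rm -rf /var/lib/apt/lists/*

# Copy only the manifest first so the dependency layer is rebuilt only when
# requirements.txt changes, not on every source edit.
COPY requirements.txt /app/requirements.txt

# Install into a prefix so console_scripts (gunicorn) are placed into /app/_deps/bin.
# NOTE(review): assumes requirements.txt pins exact versions (TODO confirm);
# pip's --require-hashes would additionally verify each downloaded artifact.
RUN python -m pip install --no-cache-dir --upgrade pip \
    && python -m pip install --no-cache-dir --upgrade --prefix /app/_deps -r /app/requirements.txt

# The whole build context is copied here and later shipped in the runtime
# image. Keep a .dockerignore that excludes .git, .env files, keys and local
# data so nothing sensitive ends up in an image layer.
COPY . /app/src

# ---- Runtime stage ----------------------------------------------------------
FROM python:3.11-slim

WORKDIR /app

# Create non-root user.
# NOTE(review): the UID/GID are whatever adduser assigns; an orchestrator that
# verifies a numeric non-root user needs a fixed UID here and in USER below.
RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser

# Minimal runtime packages (curl is used by the healthcheck and some runtime
# scripts). Installed before the application code is copied so that a source
# change does not invalidate this layer.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
    && rm -rf /var/lib/apt/lists/*

# Copy installed deps from builder. The python3.11 path segment must match the
# Python version of the base image above.
COPY --from=builder /app/_deps /app/_deps
ENV PYTHONPATH=/app/_deps/lib/python3.11/site-packages:/app \
    PATH=/app/_deps/bin:$PATH

# Copy application code. No --chown is given, so code and dependencies stay
# root-owned and the unprivileged runtime user cannot modify them.
COPY --from=builder /app/src /app

# Copy entrypoint and make executable
COPY entrypoint.sh /app/entrypoint.sh
RUN chmod +x /app/entrypoint.sh

# /app/data is the only path handed over to the runtime user.
RUN mkdir -p /app/data \
    && chown -R appuser:appgroup /app/data

# Drop privileges for everything that runs in the container.
USER appuser

# FLASK_RUN_HOST=0.0.0.0 listens on all container interfaces; exposure outside
# the container is decided by how the port is published at run time.
ENV FLASK_APP=app.py \
    FLASK_RUN_HOST=0.0.0.0 \
    PYTHONUNBUFFERED=1 \
    GUNICORN_WORKERS=2 \
    GUNICORN_TIMEOUT=30

# Documentation only; does not publish the port.
EXPOSE 5002

# Docker HEALTHCHECK: check the /health endpoint
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD curl -f http://localhost:5002/health || exit 1

# Default to the entrypoint script which computes worker count if not provided
ENTRYPOINT ["/app/entrypoint.sh"]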