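# syntax=docker/dockerfile:1

# ---------------------------------------------------------------------------
# Build stage: installs the Python dependencies with a compiler available.
# Nothing from this stage reaches the final image except /root/.local.
# ---------------------------------------------------------------------------
# NOTE(review): the base image is referenced by a floating tag; pinning it by
# digest (python:3.12-slim@sha256:<digest>) would make rebuilds reproducible
# and make base-image changes an explicit, reviewable update.
FROM python:3.12-slim AS builder

# Skip .pyc files and keep stdout/stderr unbuffered.
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

WORKDIR /app

# gcc is presumably needed by requirements that build native extensions.
# The apt lists are removed in the same layer so they do not persist.
RUN apt-get update \
    && apt-get install -y --no-install-recommends gcc \
    && rm -rf /var/lib/apt/lists/*

# Only the manifest is copied before installing, so this layer stays cached
# until requirements.txt changes.
COPY requirements.txt ./

# --user installs into /root/.local, which the runtime stage copies as a unit.
# NOTE(review): whether requirements.txt pins versions and hashes is not
# visible here; if it does, pip's --require-hashes would enforce them.
RUN pip install --no-cache-dir --user -r requirements.txt

# ---------------------------------------------------------------------------
# Runtime stage: no compiler, non-root user, application code only.
# ---------------------------------------------------------------------------
FROM python:3.12-slim

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
# Console scripts installed with --user live under the runtime user's home.
ENV PATH=/home/aegis/.local/bin:$PATH
# NOTE(review): PYTHONPATH is not set earlier in this file, so $PYTHONPATH
# likely expands to nothing and leaves a trailing ':' (an empty path entry,
# which Python may resolve to the working directory). Confirm nothing relies
# on that before reducing this to /app/src.
ENV PYTHONPATH=/app/src:$PYTHONPATH

WORKDIR /app

# Non-root runtime user with a fixed UID and no login shell.
RUN useradd -m -u 1000 -s /usr/sbin/nologin aegis

# NOTE(review): --chown makes the installed packages and the application code
# writable by the runtime user. If nothing writes there at runtime, leaving
# them root-owned would limit what a compromised process can modify.
COPY --from=builder --chown=aegis:aegis /root/.local /home/aegis/.local
COPY --chown=aegis:aegis src/ ./src/
COPY --chown=aegis:aegis scripts/ ./scripts/

# Writable locations for the service, created as root and handed to aegis.
RUN mkdir -p /var/log/aegis-mcp /tmp/aegis-mcp \
    && chown -R aegis:aegis /var/log/aegis-mcp /tmp/aegis-mcp

# Everything from here on, including the healthcheck and the server, runs
# unprivileged.
USER aegis

# Documentation only; the port still has to be published at run time.
EXPOSE 8080

# httpx.get() returns normally on an HTTP error response, so without
# raise_for_status() a /health endpoint answering with an error status would
# still be reported as healthy. With it, any failure exits non-zero.
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD python -c "import httpx; httpx.get('http://127.0.0.1:8080/health', timeout=5).raise_for_status()" || exit 1

# Exec form: the server runs as PID 1 and receives stop signals directly.
CMD ["python", "-m", "aegis_gitea_mcp.server"]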