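# ── Build stage ────────────────────────────────────────────────────────────────
# Installs the Python dependencies under /install so the runtime stage can copy
# just the installed packages.
# NOTE(review): the base image is referenced by tag only; pinning it to a digest
# would make rebuilds reproducible.
FROM python:3.10-slim AS builder

WORKDIR /app

COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# ── Runtime stage ──────────────────────────────────────────────────────────────
FROM python:3.10-slim

# Non-root user for security
RUN addgroup --system appgroup \
    && adduser --system --ingroup appgroup appuser

WORKDIR /app

# Copy installed packages from builder
COPY --from=builder /install /usr/local

# Copy application code
# NOTE(review): this copies the whole build context; confirm that a
# .dockerignore keeps .env files, local databases and uploaded documents out of
# the image.
COPY --chown=appuser:appgroup . .

# Directories that will be mounted as volumes (data = SQLite default location)
RUN mkdir -p uploads vectordb data \
    && chown -R appuser:appgroup uploads vectordb data

USER appuser

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Application configuration is supplied when the container starts
# (`docker run -e NAME=value`, `--env-file`, or the compose `environment:` key),
# never at build time. The variables the deployment is expected to provide:
#
#   FLASK_ENV  SECRET_KEY  AI_PROVIDER
#   LM_STUDIO_URL  LM_STUDIO_MODEL  LM_STUDIO_EMBEDDING_MODEL
#   OPENAI_API_KEY  OPENAI_MODEL
#   DATABASE_URI
#   RAG_TOP_K  RAG_CHUNK_SIZE  RAG_CHUNK_OVERLAP
#
# Do not declare them here as `ENV NAME=$NAME`. With no matching ARG, Docker
# expands `$NAME` to an empty string during the build, so the image would ship
# every one of them set to "" (an empty SECRET_KEY included) and would hide
# whatever defaults the application has for unset variables. Adding ARGs to
# carry real values would store SECRET_KEY and OPENAI_API_KEY in the image
# configuration and build history, where anyone who can pull the image can
# read them.

EXPOSE 5000

# urlopen raises on a refused connection or an HTTP error status, so a failing
# login page makes python exit non-zero and the check report unhealthy.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/auth/login')" || exit 1

CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--timeout", "120", "app:create_app()"]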