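# Multi-stage build for production.
#
# Stage 1 ("builder") installs the Python dependencies into a virtualenv using
# a full compiler toolchain. Stage 2 starts from a clean base image and copies
# in only that virtualenv plus the application code, so compilers, pip caches
# and build artefacts never reach the runtime image.

# ---------------------------------------------------------------------------
# Build stage
# ---------------------------------------------------------------------------
# NOTE(review): "python:3.9-slim" is a moving tag; pin it to a digest
# (python:3.9-slim@sha256:<DIGEST>) for reproducible, auditable builds, and
# confirm that the 3.9 line still receives security updates before relying
# on it.
FROM python:3.9-slim AS builder

# Build-only toolchain for packages that compile C extensions. It is discarded
# with this stage; --no-install-recommends keeps the layer minimal.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        gcc \
        g++ \
    && rm -rf /var/lib/apt/lists/*

# A self-contained virtualenv so the runtime stage can copy a single directory.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Install requirements before the source tree is copied so this (slow) layer is
# cached until requirements.txt itself changes. A dedicated WORKDIR keeps the
# copied file out of the image root.
WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir --upgrade pip \
    && pip install --no-cache-dir -r requirements.txt

# ---------------------------------------------------------------------------
# Runtime stage
# ---------------------------------------------------------------------------
FROM python:3.9-slim

# Python/pip hygiene: no .pyc files written into the image, unbuffered
# stdout/stderr so logs reach the container runtime promptly, and no pip cache
# or version-check noise if pip is ever invoked here.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# Runtime packages only: apply pending base-image security updates and install
# curl, which the HEALTHCHECK below needs. No compilers in this stage.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
        curl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged runtime user with a fixed UID/GID so host-side volume ownership
# and orchestrator runAsUser/runAsGroup settings are predictable.
RUN groupadd -g 1001 deploy \
    && useradd -u 1001 -g deploy deploy

# Pull in only the installed dependencies from the builder. The tree stays
# root-owned (the COPY default) and world-readable/executable: the runtime
# user can import and run it but cannot alter its own dependencies. This also
# drops the separate `chown -R` step, which would have re-written every file
# into a second layer and roughly doubled the space the venv takes in the
# image.
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Application code, root-owned and therefore read-only for the runtime user.
WORKDIR /app
COPY . .

# Only the directories the service writes to are owned by the runtime user.
# They are created after COPY so a local database/ or logs/ directory in the
# build context cannot end up root-owned. If the service writes anywhere else
# under /app, add that path here rather than chowning the whole tree.
RUN mkdir -p /app/database /app/logs \
    && chown -R deploy:deploy /app/database /app/logs

# Everything from here on — including the HEALTHCHECK and CMD — runs
# unprivileged.
USER deploy

# Liveness probe against the app's own /health endpoint. --max-time keeps curl
# itself inside the 10s HEALTHCHECK timeout; -f turns HTTP >= 400 into a
# non-zero exit; the trailing `|| exit 1` normalises curl's own exit codes to
# the single "unhealthy" status (1) that Docker defines.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -fsS --max-time 8 http://localhost:8000/health || exit 1

# Port the application listens on (the HEALTHCHECK above probes it).
EXPOSE 8000

# Ask the runtime to stop the process with SIGTERM so the app can shut down
# gracefully before the kill timeout.
STOPSIGNAL SIGTERM

# Exec form: python is PID 1 and receives signals directly (no wrapping shell).
CMD ["python", "run_helper.py"]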