# syntax=docker/dockerfile:1

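# Stage 1: Builder
# Resolves and installs the locked dependency set into an isolated prefix
# (/install) that the runtime stage copies verbatim. Nothing from this stage
# except /install reaches the final image.
FROM python:3.14-slim@sha256:bc389f7dfcb21413e72a28f491985326994795e34d2b86c8ae2f417b4e7818aa AS builder

# Install uv from the official image, pinned by digest so the installer itself
# is part of the reproducible build (no `curl | sh`, no floating tag).
COPY --from=ghcr.io/astral-sh/uv@sha256:b1e699368d24c57cda93c338a57a8c5a119009ba809305cc8e86986d4a006754 /uv /usr/local/bin/uv

# Use the image's interpreter rather than creating a venv; the --prefix
# installs below are what keep build artefacts separate from the base image.
ENV UV_SYSTEM_PYTHON=1

WORKDIR /app

# Dependency manifests only: this layer and the install below stay cached
# until pyproject.toml / uv.lock change, independent of edits under src/.
# README.md and LICENSE are presumably referenced by pyproject.toml's
# readme/license metadata (the project build later fails without them if so).
COPY pyproject.toml uv.lock README.md LICENSE ./

# Third-party dependencies first, from the lockfile only:
#   --frozen          : never re-resolve; uv.lock is the single source of truth
#   --no-dev          : leave the dev dependency group out of the runtime image
#   --no-emit-project : export the dependency set only, so the project itself
#                       is never installed from requirements.txt (an editable
#                       `-e .` entry would point at /app/src, which does not
#                       exist in the runtime stage)
#   --require-hashes  : refuse any requirement that lacks a hash, so every
#                       downloaded artefact is verified against uv.lock rather
#                       than only those that happen to carry one. If uv.lock
#                       ever gains git/direct-URL sources (which cannot be
#                       hashed), this flag will reject them — decide then, do
#                       not silently drop it.
# The uv cache lives in a build-host mount and is never written into a layer.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv export --frozen --no-dev --no-emit-project -o requirements.txt && \
    uv pip install --require-hashes --prefix=/install -r requirements.txt

# Application source last, so a code change only rebuilds from here down.
COPY src/ src/

# Install the project itself without touching the verified dependency set above.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --prefix=/install --no-deps .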

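# Stage 2: Runtime
# Same digest-pinned base as the builder: the console-script shebangs written
# by the builder point at this image's interpreter path, so the two stages
# must not drift apart.
FROM python:3.14-slim@sha256:bc389f7dfcb21413e72a28f491985326994795e34d2b86c8ae2f417b4e7818aa

# Apply security updates to base image packages.
# NOTE(review): this trades away bit-for-bit reproducibility of the pinned
# digest — the result depends on the Debian mirror state at build time, and
# it only helps if the image is actually rebuilt. Keep bumping the base
# digest as the primary patch mechanism; treat this step as a stopgap.
RUN apt-get update && \
    apt-get upgrade -y --no-install-recommends && \
    rm -rf /var/lib/apt/lists/*

# Dedicated service account with a fixed numeric UID/GID so orchestrators that
# enforce runAsNonRoot can verify it; no login shell and no home directory.
RUN groupadd --gid 10001 wickformatter && \
    useradd --uid 10001 --gid wickformatter --shell /bin/false --no-create-home wickformatter

# The builder's prefix becomes /usr/local here. Files stay root-owned and are
# read-only to the service account — deliberately, so the running process
# cannot modify its own code or dependencies.
COPY --from=builder /install /usr/local

# PYTHONDONTWRITEBYTECODE: site-packages is not writable by the service
# account anyway, so skip the attempt. PYTHONUNBUFFERED: MCP servers commonly
# speak over stdio, where a block-buffered stdout stalls the protocol when
# piped; harmless if this server uses another transport — confirm against the
# entrypoint.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Drop privileges before the entrypoint; nothing below needs root.
USER wickformatter

# MCP server entrypoint (console script installed into /usr/local/bin by the
# builder stage). Exec form: the server is PID 1 and receives SIGTERM directly.
ENTRYPOINT ["wick-formatter-mcp"]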
