# Multi-stage Dockerfile for peon-mcp
# Produces two target images: peon-ui (~200MB) and peon-loop (~800MB)

# ============================================================================
# Stage 1: node-builder - Build React frontend
# ============================================================================
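# Build stage for the React frontend. Nothing from this stage reaches the
# target images except the files a later stage copies out of
# /build/peon_mcp/static.
# NOTE(review): node:22-slim is a moving tag; pin it by digest
# (node:22-slim@sha256:<digest>) if builds must be reproducible.
FROM node:22-slim AS node-builder

# Work inside the UI package so npm runs there directly instead of through
# `cd ui && ...` in every RUN (hadolint DL3003).
WORKDIR /build/ui

# Copy only the manifests first: the dependency layer stays cached until
# package.json or package-lock.json changes.
COPY ui/package.json ui/package-lock.json ./

# npm ci installs exactly what the lockfile records and fails when the
# lockfile and package.json disagree, so no dependency drifts silently.
RUN npm ci

# UI source, plus the peon_mcp directory (needed for the Vite build path).
# Absolute destination keeps the layout at /build/ui and /build/peon_mcp.
COPY ui/ ./
COPY peon_mcp/ /build/peon_mcp/

# Build the React SPA (outputs to ../peon_mcp/static, i.e. /build/peon_mcp/static).
RUN npm run build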

# ============================================================================
# Stage 2: python-builder - Build Python wheel
# ============================================================================
# Build stage that packages peon_mcp, including the compiled frontend, as a wheel.
FROM python:3.12-slim AS python-builder

WORKDIR /build

# uv binary taken from the upstream image.
# NOTE(review): `:latest` means the build tool can change between two builds of
# the same commit. Pin a release tag and digest
# (ghcr.io/astral-sh/uv:<version>@sha256:<digest>) so the tool that produces
# the wheel is the one that was reviewed.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

# Project metadata, lockfile and package sources.
COPY pyproject.toml uv.lock README.md /build/
COPY peon_mcp/ /build/peon_mcp/

# Replace whatever static assets came from the build context with the ones
# produced by the node-builder stage, so the wheel ships the freshly built UI.
COPY --from=node-builder /build/peon_mcp/static /build/peon_mcp/static

# Produce the wheel under /build/dist.
RUN uv build --wheel

# ============================================================================
# Stage 3: peon-ui - Web dashboard (target image)
# ============================================================================
# Target image: the web dashboard, run as an unprivileged user.
FROM python:3.12-slim AS peon-ui

# uv is used below to install the wheel.
# NOTE(review): `:latest` is unpinned; prefer
# ghcr.io/astral-sh/uv:<version>@sha256:<digest>.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

# Install the wheel built by python-builder into the system interpreter.
# The `rm` keeps /tmp clean in the final filesystem; the wheel file still
# exists in the preceding COPY layer.
COPY --from=python-builder /build/dist/*.whl /tmp/
RUN uv pip install --system /tmp/*.whl \
    && rm /tmp/*.whl

# Health probe script (stdlib-only Python, so no curl/wget is needed in the image).
COPY docker/healthcheck.py /usr/local/bin/healthcheck.py
RUN chmod +x /usr/local/bin/healthcheck.py

# Runtime defaults.
# NOTE(review): presumably PEON_UI_HOST is the bind address; 0.0.0.0 would
# expose the dashboard on every container interface. Whether peon-ui
# authenticates requests is not visible here, so confirm that before
# publishing port 8420 beyond a trusted network.
ENV PEON_UI_HOST=0.0.0.0 \
    PEON_UI_PORT=8420 \
    PEON_DB_PATH=/data/peon_tasks.db

# Data directory owned by a dedicated non-root account with a fixed UID/GID
# of 1000, so ownership on a mounted /data volume is predictable.
RUN mkdir -p /data \
    && groupadd --gid 1000 peon \
    && useradd --uid 1000 --gid 1000 --shell /bin/bash --create-home peon \
    && chown -R peon:peon /data

# Everything from here on, including the running service, is unprivileged.
USER peon
WORKDIR /home/peon

# Documents the dashboard port; it matches PEON_UI_PORT above.
EXPOSE 8420

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD python /usr/local/bin/healthcheck.py

# Exec form: peon-ui is started directly rather than through /bin/sh -c.
ENTRYPOINT ["peon-ui"]

# ============================================================================
# Stage 4: peon-loop - Agent loop with full toolchain (target image)
# ============================================================================
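# Target image: the agent loop with git, GitHub CLI, Node.js and the Claude CLI.
FROM python:3.12-slim AS peon-loop

# Fail a RUN when any command in a pipeline fails, not only the last one.
# Without this, a failed curl in the `curl | gpg` and `curl | bash` steps
# below is masked by the exit status of the right-hand command (hadolint DL4006).
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# System packages: git, plus curl, ca-certificates and gnupg for fetching
# and de-armoring the repository key used below.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    git \
    gnupg \
    && rm -rf /var/lib/apt/lists/*

# GitHub CLI from its own apt repository. `signed-by` limits the downloaded
# keyring to this one source entry instead of trusting it for all of apt.
# NOTE(review): the keyring is accepted as downloaded (TLS is the only check);
# compare its fingerprint with one obtained out of band if the build must be
# auditable.
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg && \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
    | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && \
    apt-get update && apt-get install -y --no-install-recommends gh && \
    rm -rf /var/lib/apt/lists/*

# Node.js 22 (required for Claude CLI).
# NOTE(review): this pipes a remote script into a root shell with no checksum
# or signature check, so the image trusts whatever deb.nodesource.com serves
# at build time. Adding the NodeSource apt source explicitly with a signed-by
# keyring (as done for gh above), or copying Node from a digest-pinned node
# image, would remove the unverified script from the build.
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
    apt-get install -y --no-install-recommends nodejs && \
    rm -rf /var/lib/apt/lists/*

# Claude CLI, installed globally. The default `latest` keeps the previous
# behaviour; pass --build-arg CLAUDE_CODE_VERSION=<version> to pin the release
# that ends up in the image.
ARG CLAUDE_CODE_VERSION=latest
RUN npm install -g "@anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}"

# uv is used below to install the wheel.
# NOTE(review): `:latest` is unpinned; prefer
# ghcr.io/astral-sh/uv:<version>@sha256:<digest>.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

# Install the peon-mcp wheel built by python-builder.
COPY --from=python-builder /build/dist/*.whl /tmp/
RUN uv pip install --system /tmp/*.whl && rm /tmp/*.whl

# Runtime defaults.
ENV PEON_DB_PATH=/data/peon_tasks.db

# Working directories owned by a dedicated non-root account (UID/GID 1000).
RUN mkdir -p /data /repo && \
    groupadd -g 1000 peon && \
    useradd -u 1000 -g 1000 -s /bin/bash -m peon && \
    chown -R peon:peon /data /repo

# Trust all directories (needed for bind-mounted repos, whose owner on the
# host usually differs from the peon user).
# NOTE(review): '*' switches off git's repository-ownership check for every
# path in the container, not only the mounted repo. If the loop only works
# under /repo, list the concrete paths instead once the layout is confirmed.
RUN git config --system --add safe.directory '*'

# Credential helper that answers with the GH_TOKEN environment variable.
# The single quotes keep ${GH_TOKEN} unexpanded at build time, so the token is
# read from the container environment when git runs and is never stored in
# the image. The helper is scoped to https://github.com: an unscoped
# credential.helper would hand the token to any host git is asked to
# authenticate to, including remotes named by repository content.
# Remotes on other hosts no longer receive GH_TOKEN.
RUN git config --system credential.https://github.com.helper \
    '!f() { echo "password=${GH_TOKEN}"; }; f'

USER peon
WORKDIR /repo

# Exec form: peon-loop is started directly rather than under /bin/sh -c, so it
# receives the container stop signal itself (original note: SIGTERM → SIGINT,
# presumably handled inside peon-loop; confirm).
ENTRYPOINT ["peon-loop"]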
