# syntax=docker/dockerfile:1
# Production Dockerfile for SEF-Agents MCP Server
# Multi-stage build: build stage (uv + project build) kept separate from the minimal runtime stage

# ── Stage 1: build ────────────────────────────────────────────────────────────
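FROM python:3.13-slim AS builder
# NOTE(review): for a reproducible production build, pin this tag by digest
# (python:3.13-slim@sha256:...) and bump it deliberately — a bare tag moves.

WORKDIR /build

# uv is taken from its published image instead of a curl|sh installer. The tag
# is pinned; a digest pin would additionally guard against a re-tagged image.
COPY --from=ghcr.io/astral-sh/uv:0.5.5 /uv /usr/local/bin/uv

# Dependency manifests first so the dependency layer stays cached until they
# change. uv.lock is required (no glob): a production build must not silently
# fall back to a fresh, unpinned resolution when the lockfile is missing.
COPY pyproject.toml uv.lock README.md ./

# The `uv pip` interface does NOT read uv.lock, so `uv pip install .` on its
# own resolves dependencies anew on every build. Export the locked, hashed
# requirement set and install exactly that into an isolated prefix that the
# runtime stage copies as a unit. --require-hashes rejects any artifact whose
# hash differs from the lockfile.
RUN uv export --frozen --no-dev --no-emit-project -o /tmp/requirements.txt \
    && uv pip install --system --no-cache --prefix /install \
         --require-hashes -r /tmp/requirements.txt

# Application source changes most often, so it is copied last. --no-deps keeps
# this step limited to the project itself; its dependencies came from the lock.
COPY src/ ./src/
RUN uv pip install --system --no-cache --prefix /install --no-deps .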

# ── Stage 2: runtime ──────────────────────────────────────────────────────────
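FROM python:3.13-slim AS runtime
# NOTE(review): pin by digest for production. The builder and runtime Python
# versions must match, otherwise the /install prefix copied below lands in a
# site-packages directory the runtime interpreter never looks at.

# OCI standard labels
LABEL org.opencontainers.image.title="SEF Agents" \
      org.opencontainers.image.description="AI-powered guidance for the Synchronous Engineering Framework — MCP server" \
      org.opencontainers.image.source="https://github.com/Mishtert/sef-agents" \
      org.opencontainers.image.licenses="MIT"

# Runtime interpreter settings: no .pyc writes (site-packages is root-owned and
# the process is not root), and unbuffered stdio so protocol output over the
# MCP stdio transport is not held back in a buffer if the server ever fails to
# flush explicitly.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Non-root user with a fixed numeric UID/GID. `--system` alone picks a dynamic
# UID in the system range, which runAsNonRoot-style admission checks cannot
# verify and which makes bind-mount ownership unpredictable across rebuilds.
RUN addgroup --system --gid 10001 appgroup \
    && adduser --system --uid 10001 --ingroup appgroup appuser

WORKDIR /app

# Locked dependencies plus the project, installed under /install by the
# builder, merged into the runtime interpreter's /usr/local. Root-owned, so
# appuser can import but not modify them.
COPY --from=builder /install /usr/local

# Source tree kept alongside the installed package. Nothing here adds /app/src
# to sys.path, so `sef_agents` itself is imported from site-packages.
# NOTE(review): the original justified this copy with rules/config files under
# src/ that are read at runtime — confirm the server really reads them from
# /app/src; if not, this duplicates the package and can be dropped.
COPY --from=builder /build/src ./src

USER appuser

# MCP stdio transport — port unused but documents intent for future http mode.
# Above 1024, so binding will not need extra capabilities when http mode lands.
EXPOSE 8080

# The probe only proves the package imports: stdio transport exposes no
# endpoint to query, so a hung server still reports healthy — treat this as a
# packaging check, not liveness. Exec form avoids an extra shell; an
# ImportError already exits non-zero, which Docker records as unhealthy.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD ["python", "-c", "import sef_agents; print('ok')"]

ENTRYPOINT ["python", "-m", "sef_agents.server"]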
