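# syntax=docker/dockerfile:1

# Builder and runtime must be built from the same interpreter version: the
# .venv copied between stages references that stage's python and would break
# if the two tags drifted apart.
ARG PYTHON_VERSION=3.14
# Pin the uv release rather than :latest so the resolver used to materialise
# uv.lock is reproducible and auditable. For a fully reproducible build, pin
# the digest as well: ghcr.io/astral-sh/uv:<tag>@sha256:<digest-placeholder>
ARG UV_VERSION=0.8

# Named stage for the uv binaries so the version is controlled by UV_VERSION.
FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv

# 1. Builder Stage
FROM python:${PYTHON_VERSION}-slim AS builder
COPY --from=uv /uv /uvx /bin/
WORKDIR /app

# The uv cache lives on a build-host cache mount (a different filesystem from
# the venv), so copy rather than hard-link; compile bytecode once at build time
# instead of on first start in the read-mostly runtime image.
ENV UV_LINK_MODE=copy \
    UV_COMPILE_BYTECODE=1

# Install dependencies into a local .venv
# Lockfile-only layer: cached until pyproject.toml or uv.lock change.
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev

# Copy source and install the project
COPY src ./src
COPY README.md ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev

# 2. Execution Stage
FROM python:${PYTHON_VERSION}-slim

# Defense-in-Depth: Create an unprivileged user to trap WASM escapes
# The GID is created explicitly so both UID and GID are the stable value
# 10000, which lets runtimes that enforce runAsNonRoot verify the identity.
# NOTE(review): /app (code and venv included) is left writable by the service
# account, as in the original; if the service only writes under /app/data,
# restricting the chown to /app/data would stop a compromised process from
# modifying its own code.
RUN groupadd -g 10000 coreason && \
    useradd -u 10000 -g 10000 -m -s /bin/bash coreason && \
    mkdir -p /app/data/lancedb /app/data/plugins /app/data/bronze /app/data/silver /app/data/gold && \
    chown -R coreason:coreason /app

WORKDIR /app

# Copy the pre-built environment from the builder
COPY --from=builder --chown=coreason:coreason /app/.venv /app/.venv
COPY --from=builder --chown=coreason:coreason /app/src /app/src

# Ensure the virtualenv is on the PATH.
# PYTHONPATH is not set by the base image, so appending "$PYTHONPATH" would
# only leave a trailing ":" (an empty entry, which Python may resolve to the
# current directory); set the single entry instead.
# PYTHONUNBUFFERED keeps log lines flowing to the container runtime promptly;
# PYTHONDONTWRITEBYTECODE avoids runtime .pyc writes (bytecode was compiled
# in the builder stage).
ENV PATH="/app/.venv/bin:$PATH" \
    PYTHONPATH="/app/src" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Drop root privileges
USER coreason

# Documents the port the default CMD listens on (EXPOSE does not publish it).
EXPOSE 8000

# NOTE(review): no HEALTHCHECK is defined; add one against the service's
# health endpoint once that endpoint is known.

# Boot the API Edge by default
ENTRYPOINT ["coreason"]
CMD ["serve", "--port", "8000"]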
