# Multi-stage Dockerfile - Unified FastAPI + Next.js Frontend
# Stage 1: Build Next.js frontend (produces .next/standalone/)
# The base image is pinned by digest so the build does not change when the tag is moved.
# Nothing from this stage reaches the final image except what Stage 3 copies out of it
# (the node binary, .next/standalone, .next/static, public).
FROM node:24-trixie-slim@sha256:9707cd4542f400df5078df04f9652a272429112f15202d22b5b8bdd148df494f AS frontend-builder

WORKDIR /frontend

# Pin the npm release used for install/build instead of relying on whatever the base ships.
RUN npm install -g npm@11.12.1

# Copy frontend package files
# Manifests are copied before the source tree so the dependency layer stays cached until
# they change. The trailing '*' presumably keeps the COPY from failing when no lock file
# is present — confirm the lock file is committed, otherwise the install is not reproducible.
COPY frontend/package.json frontend/package-lock.json* ./

# Install frontend dependencies
# Use npm install (not npm ci) to allow regeneration of lock file with all dependencies
# This ensures platform-specific optionalDependencies like @img/sharp-* are included
# NOTE(review): npm install may resolve versions that differ from the lock file; npm ci is
# the reproducible choice if the lock file is kept complete for this platform.
RUN npm install

# Copy frontend source
# (a .dockerignore for frontend/node_modules, .next and .env* files is assumed; verify.)
COPY frontend/ .

# Build frontend (Next.js standalone output)
RUN npm run build

# Stage 2: Build Python dependencies (requires gcc for compiled extensions)
# Uses the same python:3.12-slim-trixie digest as the runtime stage, so the venv built here
# is copied onto an identical interpreter and libc.
FROM python:3.12-slim-trixie@sha256:fa48eefe2146644c2308b909d6bb7651a768178f84fc9550dcd495e4d6d84d01 AS python-builder

WORKDIR /app

# Install build-only tools (not copied to final image)
# apt-get upgrade applies fixes published after the pinned digest was built (hadolint DL3005
# flags it; the trade-off here is patch level over strict reproducibility). update/install/clean
# run in one layer so no stale package lists are left in the image.
# NOTE(review): gcc is installed without recommends, so libc headers (libc6-dev) are not pulled
# in — confirm every dependency ships a wheel, or that compiling C extensions still works here.
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends gcc && \
    apt-get clean && rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*

# Create a virtual environment to hold all Python packages
# Putting the venv first on PATH makes the following python/pip invocations resolve to it,
# and the whole tree can then be copied to the runtime stage as a single directory.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Pin pip inside the venv (same version the runtime stage pins for the system interpreter).
RUN python -m pip install --no-cache-dir "pip==26.0.1"

# Copy Python project files and install dependencies
# pyproject.toml and README.md are copied first so the install layer only rebuilds when
# the project metadata or the backend package itself changes.
COPY pyproject.toml README.md ./
COPY backend/ backend/
# Install as a regular (non-editable) package so all code is embedded in the venv
# and does not depend on source files being present in the final image
RUN python -m pip install --no-cache-dir .

# Stage 3: Final runtime image - no build tools, no supervisor
# Same digest as python-builder: the copied venv relies on an identical interpreter and libc.
FROM python:3.12-slim-trixie@sha256:fa48eefe2146644c2308b909d6bb7651a768178f84fc9550dcd495e4d6d84d01

WORKDIR /app

# Install runtime dependencies via apt: nginx (reverse proxy in front of both apps) and
# curl (used by the HEALTHCHECK below). Node.js is NOT installed from apt — its binary is
# copied from the frontend-builder stage further down.
# apt-get upgrade applies fixes published after the pinned digest (hadolint DL3005; deliberate,
# see the pip CVE remediation below).
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    nginx \
    curl \
    && apt-get clean && rm -rf /var/cache/apt/archives/* /var/lib/apt/lists/*

# Copy virtual environment with all Python packages from builder stage
COPY --from=python-builder /opt/venv /opt/venv

# Set PATH to use the virtual environment
# (the entrypoint's gunicorn/python therefore come from /opt/venv, not /usr/local/bin)
ENV PATH="/opt/venv/bin:$PATH"

# Upgrade system pip to remediate CVE-2025-8869 and CVE-2026-1703
# Targets the base interpreter explicitly because PATH now points at the venv pip, which
# python-builder already pinned to the same version.
RUN /usr/local/bin/python -m pip install --no-cache-dir "pip==26.0.1"

# Copy application code
# (backend package is installed via pyproject.toml; no separate copy needed)

# Copy Node.js binary from the frontend builder (needed to run Next.js standalone server)
# Only the binary is copied, not an npm/node install; it is dynamically linked, so this
# assumes the shared libraries it needs are present in the python base — holds while both
# images track the same Debian release (trixie); re-check if either base image changes.
COPY --from=frontend-builder /usr/local/bin/node /usr/local/bin/node

# Copy Next.js standalone application
# standalone/ contains server.js plus a pruned node_modules; static assets and public/ are
# not part of the standalone output and must be placed alongside it.
COPY --from=frontend-builder /frontend/.next/standalone /app/frontend
COPY --from=frontend-builder /frontend/.next/static /app/frontend/.next/static
COPY --from=frontend-builder /frontend/public /app/frontend/public

# Copy nginx configuration
# Replaces the Debian default site; the package's sites-enabled/default symlink is assumed
# to still point here — confirm if the nginx packaging changes.
COPY infra/config/nginx.conf /etc/nginx/sites-available/default

# Copy and enable the entrypoint script
# (COPY --chmod=755 would do this in one layer under BuildKit; kept as two steps here.)
COPY infra/config/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

# Create log directories for nginx
# (the nginx package presumably creates this already; -p makes the step a harmless no-op then)
RUN mkdir -p /var/log/nginx

# Set production environment variables
# Note: Override APP_SECRET_KEY in production with a secure value
# NOTE(review): CORS_ORIGINS=* allows any origin by default in the production image; override
# with the real frontend origin(s) via -e CORS_ORIGINS=... at deploy time.
# Rate-limit, cache and timeout values are defaults only; their units are defined by the
# backend, not here.
ENV APP_ENV=production \
    APP_DEBUG=0 \
    CORS_ORIGINS=* \
    RATE_LIMIT_PER_IP=30 \
    RATE_LIMIT_GLOBAL=200 \
    CACHE_DURATION=300 \
    REQUEST_TIMEOUT=15 \
    NEXTJS_PORT=3000 \
    NEXTJS_HOSTNAME=127.0.0.1

# Generate a secret key at build time (should be overridden in production)
# Use docker run -e APP_SECRET_KEY=your-key to override
# NOTE(review): this key is written into an image layer, so it is identical for every
# container started from this image and readable by anyone who can pull or run it. Treat it
# as a placeholder only; a runtime-supplied APP_SECRET_KEY must win over this file, and
# generating the fallback in the entrypoint when the variable is unset would avoid baking
# it in at all. Whether the entrypoint/app reads /app/.env.production is not visible here.
RUN python -c "import secrets; print(f'APP_SECRET_KEY={secrets.token_hex(32)}')" >> /app/.env.production

# Expose port 80 (nginx will handle both frontend and API proxying)
# No USER is set, so the container starts as root; binding :80 needs root or
# CAP_NET_BIND_SERVICE. Whether the entrypoint drops privileges for gunicorn and the Next.js
# server is not visible from this file — confirm there.
EXPOSE 80

# Health check
# Probes through nginx so it covers the proxy and the API readiness endpoint together;
# start-period allows both backend processes to come up before failures count.
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -f http://localhost:80/api/v1/health/ready || exit 1

# Use the entrypoint script to start nginx + gunicorn (replaces supervisor)
# Exec form: the script is PID 1 and receives SIGTERM from docker stop; it must forward
# signals to (or exec) the processes it starts.
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
