# syntax=docker/dockerfile:1.6
# Build stage: produces the project wheel in /dist; nothing else from this
# stage is meant to reach the runtime image.
# NOTE(review): `3.12-slim` is a floating tag, so the base can change between
# builds — pin by digest where builds must be reproducible.
FROM python:3.12-slim AS builder

WORKDIR /app

# Install only what's needed to build the wheel.
# NOTE(review): `build` is installed unpinned, so the newest release on the
# configured index is used on every uncached build — consider pinning it.
RUN pip install --no-cache-dir build

# Copy only the packaging metadata and the source tree, not the whole build
# context, so unrelated files (local configs, VCS data) never enter this stage.
COPY pyproject.toml README.md ./
COPY src/ src/
# Build the wheel into /dist. By default `python -m build` uses an isolated
# environment and installs the build backend declared in pyproject.toml, so
# this step presumably needs access to the package index — confirm if builds
# must work offline.
RUN python -m build --wheel --outdir /dist

# ─── runtime stage ──────────────────────────────────────────────────
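# Runtime stage: the proxy installed from the wheel built in the `builder`
# stage, running as an unprivileged user.
# NOTE(review): `3.12-slim` is a floating tag — pin by digest where the
# deployed image must be reproducible.
FROM python:3.12-slim

# Non-root user — proxy never needs root. The account has no login shell and a
# fixed UID (1000), which keeps ownership of mounted volumes predictable; the
# state and log directories are created here and handed to that account.
RUN useradd -r -u 1000 -s /sbin/nologin llmleash \
    && mkdir -p /var/lib/llmleash /var/log/llmleash \
    && chown -R llmleash:llmleash /var/lib/llmleash /var/log/llmleash

WORKDIR /app

# Install the wheel straight from the builder stage through a read-only bind
# mount, so the file is never stored in a runtime layer (an `rm` in a later
# step would not shrink the image). The loop expands the glob first and quotes
# the extras suffix: written as `/tmp/*.whl[proxy]`, the shell treats `[proxy]`
# as part of the glob pattern, nothing matches, and pip receives the literal
# string instead of a wheel path.
RUN --mount=type=bind,from=builder,source=/dist,target=/dist \
    set -eu; \
    for whl in /dist/*.whl; do \
        pip install --no-cache-dir "${whl}[proxy]"; \
    done

# Drop privileges only after the root-only steps (user creation, pip install).
USER llmleash

# Defaults — override via env or CLI flags.
# 0.0.0.0 binds every interface inside the container; what is reachable from
# outside is decided by how the port is published. The audit log is written
# under /var/log/llmleash — mount a volume there if the records must outlive
# the container.
ENV LLM_LEASH_PROXY_LISTEN=0.0.0.0:8000 \
    LLM_LEASH_PROXY_AUDIT_LOG=/var/log/llmleash/audit.jsonl

# Documentation only; the port still has to be published at run time.
EXPOSE 8000

# Healthcheck pings /healthz using the interpreter already in the image (no
# curl/wget needed). The URL is fixed to 127.0.0.1:8000, so the probe must be
# overridden as well when LLM_LEASH_PROXY_LISTEN is changed to another port.
HEALTHCHECK --interval=15s --timeout=5s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request,sys; \
                   sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8000/healthz',timeout=3).status==200 else 1)"

# Exec form: the proxy runs as PID 1 and receives stop signals directly.
ENTRYPOINT ["llm-leash-proxy"]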
