# syntax=docker/dockerfile:1
#
# Production container for browser-recon-server.
#
# Build:   docker build -t browser-recon .
# Run:     docker run -p 8080:8080 --env-file .env browser-recon
#
# Render auto-builds this on every push to the linked branch.
# It expects PORT in env (Render injects it). DATABASE_URL is also injected
# when a Postgres database is linked via render.yaml.

FROM python:3.11-slim

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

WORKDIR /app

# Install dependencies first (layer cache). Rye produces requirements.lock
# in pip-compatible format.
COPY requirements.lock pyproject.toml README.md ./
RUN pip install --no-deps -r requirements.lock

# Copy application source.
COPY browser_recon/ ./browser_recon/
COPY browser_recon_server/ ./browser_recon_server/
COPY alembic/ ./alembic/
COPY alembic.ini ./
COPY scripts/ ./scripts/

# Render injects PORT; default for local docker run.
ENV PORT=8080
EXPOSE 8080

# alembic upgrade head migrates on every start (idempotent).
# uvicorn --proxy-headers honours X-Forwarded-For from Render's load balancer.
CMD ["sh", "-c", "alembic upgrade head && exec uvicorn browser_recon_server.app:app --host 0.0.0.0 --port ${PORT} --proxy-headers --forwarded-allow-ips='*'"]
