# SPDX-License-Identifier: Apache-2.0
# chktm container image
#
# Build:  podman build -t quay.io/<namespace>/chktm:latest .
# Run:    podman run -v chktm-data:/data -p 8000:8000 quay.io/<namespace>/chktm:latest
#
# The SQLite database is expected on a persistent volume mounted at /data.
# Run `chktm init` first (via a Job or manually) to populate the database.
#
# OpenShift SCC compatibility:
#   - Runs as non-root with arbitrary UID (GID 0 / root group)
#   - No privilege escalation, no added capabilities
#   - Read-only root filesystem (writable: /data, /tmp)

# --- Stage 1: Build ---
# Installs the project into an isolated prefix (/install) so the runtime stage
# can copy just the installed tree and never sees the build context.
FROM python:3.12-slim AS builder

WORKDIR /build

# Project metadata first, then the package sources pip will build from.
COPY pyproject.toml README.md ./
COPY src/ ./src/

# --prefix keeps the interpreter's own site-packages untouched; --no-cache-dir
# avoids leaving a pip download cache in this (discarded) stage.
RUN pip install --no-cache-dir --prefix=/install .

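# --- Stage 2: Runtime ---
# Same tagged base as the builder so the copied site-packages match the
# interpreter; pin by digest (@sha256:<digest>) when reproducible builds matter.
FROM python:3.12-slim

LABEL org.opencontainers.image.title="chktm" \
      org.opencontainers.image.description="Screen proposed marks against the US trademark corpus" \
      org.opencontainers.image.source="https://github.com/nickschuetz/chktm" \
      org.opencontainers.image.licenses="Apache-2.0"

# Copy the installed tree from the builder; /install/bin lands in /usr/local/bin,
# which is how the `chktm` ENTRYPOINT below resolves.
COPY --from=builder /install /usr/local

# OpenShift runs containers with an arbitrary UID in the root group (GID 0), so
# /data is owned by the default UID:0 and group perms mirror owner perms (g=u).
# We do NOT hardcode a UID — `USER` sets a default, OpenShift overrides it.
# /tmp is already mode 1777 and needs no ownership or mode change.
# /usr/local/lib/python3.12 is deliberately left read-only: making
# site-packages group-writable would let the application process (any UID in
# GID 0) rewrite its own installed code, and the deployment runs with a
# read-only root filesystem anyway. PYTHONDONTWRITEBYTECODE (set below) stops
# Python from trying to write __pycache__ there.
RUN mkdir -p /data && \
    chown -R 1001:0 /data && \
    chmod -R g=u /data

# Default to non-root. OpenShift will override with its assigned UID.
USER 1001

# HOME=/tmp gives arbitrary UIDs a writable home for tools that need one.
ENV CHKTM_DATA_DIR=/data \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    HOME=/tmp

# Documentation only; 8000 is unprivileged, so it binds as non-root without
# extra capabilities.
EXPOSE 8000

# Declared after /data is prepared so the ownership/mode set above persists.
VOLUME ["/data"]

# NOTE(review): no HEALTHCHECK yet — add one once `serve` exposes a cheap
# health URL (the slim base has python but no curl/wget).

# Default: start the web UI + MCP server.
# Override with `chktm init` or `chktm update` for data management.
ENTRYPOINT ["chktm"]
CMD ["serve", "--host", "0.0.0.0", "--port", "8000"]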
