# Base image: slim Python 3.11.
# NOTE(review): the tag is mutable, so a rebuild can silently pick up a
# different image. Pin by digest (python:3.11-slim@sha256:<digest-placeholder>)
# for reproducible, auditable builds.
FROM python:3.11-slim

# Relative paths below (COPY destinations, `pip install .`, the uvicorn
# import path src.server:app) are resolved from /app.
WORKDIR /app

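# Install system dependencies.
# --no-install-recommends keeps optional packages out of the image, which
# reduces its size and the number of packages that have to be patched.
# curl is required at runtime because HEALTHCHECK calls it.
# NOTE(review): the compiler toolchain from build-essential stays in the
# runtime image; if it is only needed while pip builds the package, a
# multi-stage build would keep it out of the final image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    curl \
    libpq-dev \
    && rm -rf /var/cache/apt/archives/* \
    && rm -rf /var/lib/apt/lists/*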

# Bring in the project metadata and sources, then install the package.
# Only the paths listed here are copied, so nothing else from the build
# context ends up in the image.
COPY pyproject.toml README.md ./
COPY mirror_mcp/ ./mirror_mcp/
COPY src/ ./src/
COPY static/ ./static/
COPY config/ ./config/
COPY scripts/ ./scripts/

# Runs as root (USER is switched later); --no-cache-dir keeps pip's download
# cache out of the layer.
RUN pip install --no-cache-dir .

# Dedicated unprivileged account (fixed UID 1000) for the server process.
# NOTE(review): the recursive chown makes everything under /app writable by
# the runtime user, including src/, config/ and scripts/. If the server never
# writes there, leaving the tree root-owned would stop a compromised process
# from altering its own code. Confirm before tightening.
RUN useradd --create-home --uid 1000 mcpserver \
    && chown --recursive mcpserver:mcpserver /app

# The container's processes run as mcpserver from here on.
USER mcpserver

# Liveness probe: GET /tools on the port from MCP_SERVER_PORT (default 8500).
# curl -f turns an HTTP error status into a non-zero exit, which is then
# normalised to 1 (unhealthy). The variable is expanded by sh at run time.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD ["sh", "-c", "curl -f http://localhost:${MCP_SERVER_PORT:-8500}/tools || exit 1"]

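# Run the server on the port from MCP_SERVER_PORT (default 8500).
# --proxy-headers: trust X-Forwarded-Proto/Host from Caddy so redirect Location uses https://
# --forwarded-allow-ips: uvicorn binds 0.0.0.0 here, not localhost, so the
#   default "*" means forwarded headers are trusted from every client that can
#   reach this port. That is only safe while the port is reachable exclusively
#   through Caddy (not published on the host or exposed on a shared network).
#   Set FORWARDED_ALLOW_IPS to the proxy's address to restrict the trust; when
#   it is unset the previous behaviour ("*") is kept.
# Exec form avoids the extra /bin/sh wrapper that shell-form CMD adds, so the
# inner `exec` makes uvicorn PID 1 and it receives the container stop signal.
CMD ["sh", "-c", "exec uvicorn src.server:app --host 0.0.0.0 --port ${MCP_SERVER_PORT:-8500} --proxy-headers --forwarded-allow-ips=\"${FORWARDED_ALLOW_IPS:-*}\""]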
