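# syntax=docker/dockerfile:1
FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim
# NOTE(review): the tag is explicit but not digest-pinned. For a fully
# reproducible build append ``@sha256:<digest-of-this-tag>`` (placeholder —
# look up the digest of the tag actually deployed).

WORKDIR /app

# #803 SECURITY/MED: create a non-root user (uid 1000) and switch to it
# before CMD. The uv base image defaults to uid 0 (root), so without
# this every parbaked container ran with elevated privileges — defence
# in depth against a runtime RCE (a container break-out would land as
# root). ``useradd -u 1000`` pins the uid so the fly volume mounted at
# ``/data`` (see fly.toml ``[[mounts]]``) is writable by the runtime
# user once parbaked chowns it at startup.
#
# The user is created BEFORE the dependency install so that ``uv sync``
# below runs as that user and ``.venv`` is owned by it from the start.
# /app is still empty here (WORKDIR just created it), so a plain
# non-recursive chown is enough — a ``chown -R /app`` after the venv
# exists would copy every venv file into a second layer and roughly
# double the image size without changing the final ownership.
RUN useradd -u 1000 -ms /bin/bash parbaked \
    && mkdir -p /data \
    && chown parbaked:parbaked /app /data

USER parbaked

# The uv base image bundles uv, so no `pip install uv` needed. Copy the
# manifest + lockfile first as their own layer so editing source files
# doesn't bust the dep cache. ``uv sync --frozen`` refuses to mutate
# uv.lock at build time — if pyproject.toml drifts from uv.lock, the
# build fails loudly instead of silently floating versions, which is
# the whole #158 fix. ``uv.lock*`` keeps the COPY glob permissive so
# the build error fires from `uv sync` (clearer message) rather than
# from COPY. ``--chown`` is required because the copy happens as root
# inside the builder while the sync runs as ``parbaked``.
#
# NOTE(review): ``uv sync`` installs the default dependency groups,
# which includes ``dev`` if pyproject.toml declares one; ``--no-dev``
# would keep test/lint tooling out of the runtime image — confirm
# nothing at runtime relies on that group before adding the flag.
COPY --chown=parbaked:parbaked pyproject.toml uv.lock* ./
RUN uv sync --frozen --no-cache

# Application source goes in last (most frequently changing layer).
# NOTE(review): this relies on .dockerignore excluding ``.git``,
# ``.venv``, ``.env`` and similar — a local ``.venv`` in the build
# context would overwrite the one just created above.
COPY --chown=parbaked:parbaked . .

# PORT is the single knob for the listen port; the default keeps the
# historical 8000 so existing fly.toml ``internal_port`` settings keep
# working. EXPOSE is documentation only and does not publish the port.
ENV PORT=8000
EXPOSE 8000

# Kernel runtime — parbaked finds your routes/ files and wires the
# auth/admin/health routers itself. No main.py needed. ``uv sync``
# installs into ``.venv`` (no --system flag exists on sync), so invoke
# uvicorn from that venv rather than expecting a system install.
#
# ``--no-proxy-headers`` (#722): parbaked owns the X-Forwarded-For
# trust decision via ``ParbakedConfig.trust_proxy_headers`` — letting
# uvicorn pre-mutate ``request.client.host`` opens a rate-limit-bucket
# bypass on any deploy whose immediate peer is loopback (``nginx →
# 127.0.0.1:8000``).
#
# WARNING (#794): ``trust_proxy_headers=True`` is only safe when the
# upstream proxy OVERWRITES inbound XFF. Fly's edge APPENDS rather
# than overwriting (see #726), so the generated fly.toml leaves
# PARBAKED_TRUST_PROXY_HEADERS unset and the safe-default
# ``trust_proxy_headers=False`` applies. The runtime emits a stderr
# WARN at boot whenever the knob is on.
#
# The exec (JSON) form does no variable expansion, so a bare
# ``"--port", "8000"`` would silently ignore ``ENV PORT`` — the
# container would keep listening on 8000 no matter what an operator
# set. Going through ``sh -c`` with ``exec`` honours ``$PORT`` while
# still making uvicorn PID 1 so it receives SIGTERM from ``docker
# stop`` directly. ``${PORT:-8000}`` guards against an empty override.
#
# NOTE(review): no HEALTHCHECK is declared. The health router parbaked
# wires is the natural probe target once its path is confirmed; the
# slim base has python available for a side-effect-free probe.
CMD ["/bin/sh", "-c", "exec .venv/bin/uvicorn parbaked.runtime:create_app --factory --no-proxy-headers --host 0.0.0.0 --port \"${PORT:-8000}\""]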
