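# syntax=docker/dockerfile:1
# Multi-stage Dockerfile - Unified FastAPI + React Frontend
# Stage 1: Build React frontend
# The base is pinned by digest so the toolchain is reproducible; bump the digest
# deliberately rather than tracking the moving lts tag.
FROM node:lts-trixie-slim@sha256:9ad7e7db423b2ca7ddcc01568da872701ef6171505bd823978736247885c7eb4 AS frontend-builder

WORKDIR /frontend

# Copy the manifest AND the lockfile (when one is committed) before the rest of
# the source so this layer stays cached until dependencies actually change.
# Copying only package.json ignored any package-lock.json, so npm re-resolved
# versions on every build.
COPY frontend/package*.json ./

# Install frontend dependencies (devDependencies included: the build tooling
# normally lives there). Switch to `npm ci` once a lockfile is committed so the
# build fails on manifest/lockfile drift instead of silently resolving anew.
RUN npm install

# Copy frontend source
COPY frontend/ .

# Build frontend (the runtime stage copies the result from /frontend/dist)
RUN npm run build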

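# Stage 2: Build Python dependencies (requires gcc for compiled extensions)
FROM python:3.12-slim-trixie AS python-builder

WORKDIR /app

# Install build-only tools (not copied to final image).
# On Debian, libc6-dev is only a Recommends of gcc, so with
# --no-install-recommends gcc alone has no C standard headers and any
# from-source build of a C extension fails on the first #include; install it
# explicitly so the stage can do what the comment above promises.
RUN apt-get update && apt-get install -y --no-install-recommends \
        gcc \
        libc6-dev \
    && rm -rf /var/lib/apt/lists/*

# Create a virtual environment to hold all Python packages. The whole tree is
# copied verbatim into the runtime stage, which sets the same PATH.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Copy Python project files and install dependencies
COPY pyproject.toml README.md ./
COPY src/ src/
# Install as a regular (non-editable) package so all code is embedded in the venv
# and does not depend on source files being present in the final image.
# --no-cache-dir keeps pip's download cache out of the layer.
RUN pip install --no-cache-dir .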

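# Stage 3: Final runtime image - no build tools, no supervisor
# Same base as the builder so the venv's interpreter path and ABI match.
# Unlike stage 1 this tag is not pinned by digest; pin it as
# python:3.12-slim-trixie@sha256:<digest> once a known-good digest is chosen.
FROM python:3.12-slim-trixie

WORKDIR /app

# Install only runtime dependencies (nginx for serving, curl for health check)
# No gcc, no supervisor (and their transitive vulnerability-carrying deps)
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl \
        nginx \
    && rm -rf /var/lib/apt/lists/*

# Copy virtual environment with all Python packages from builder stage
COPY --from=python-builder /opt/venv /opt/venv

# Set PATH to use the virtual environment
ENV PATH="/opt/venv/bin:$PATH"

# Copy application code
COPY api.py .

# Copy built frontend from builder stage
COPY --from=frontend-builder /frontend/dist /usr/share/nginx/html

# Copy nginx configuration (Debian's nginx package ships sites-enabled/default
# as a link to this path, so no extra enable step is needed)
COPY infra/config/nginx.conf /etc/nginx/sites-available/default

# Copy the entrypoint script with its mode set in the same layer; a follow-up
# `RUN chmod +x` would write a second copy of the file into another layer.
COPY --chmod=0755 infra/config/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# Create log directories for nginx
RUN mkdir -p /var/log/nginx

# Set production environment variables
# NOTE(review): FLASK_* names are kept because api.py presumably reads them — confirm.
# CORS_ORIGINS=* accepts any origin by default; override it with the real
# frontend origin(s) wherever the API is reachable cross-origin.
# Override FLASK_SECRET_KEY in production with a secure value.
ENV FLASK_ENV=production \
    FLASK_DEBUG=0 \
    CORS_ORIGINS=* \
    RATE_LIMIT_PER_IP=30 \
    RATE_LIMIT_GLOBAL=200 \
    CACHE_DURATION=300 \
    REQUEST_TIMEOUT=15

# Generate a fallback secret key at build time. This value lives in an image
# layer: it is identical for every container started from this image and is
# readable by anyone who can pull the image, so it must be overridden at run
# time (docker run -e FLASK_SECRET_KEY=your-key) or injected by the orchestrator.
RUN python -c "import secrets; print(f'FLASK_SECRET_KEY={secrets.token_hex(32)}')" >> /app/.env.production

# Expose port 80 (nginx will handle both frontend and API proxying)
# No USER is set: the entrypoint starts nginx, which binds port 80 and therefore
# runs its master as root here; which user gunicorn runs as is decided inside the
# entrypoint script, which is not visible in this file.
EXPOSE 80

# Health check: -f fails on HTTP errors, -sS keeps output quiet except for errors
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -fsS http://localhost:80/api/v1/health/ready || exit 1

# Use the entrypoint script to start nginx + gunicorn (replaces supervisor)
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]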
