# syntax=docker/dockerfile:1.7
# Base image shared by both stages, pinned by tag *and* digest so a re-pushed
# tag cannot silently change what gets built; bump it via --build-arg.
ARG PYTHON_BASE_IMAGE=python:3.11.15-slim-trixie@sha256:9358444059ed78e2975ada2c189f1c1a3144a5dab6f35bff8c981afb38946634

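FROM ${PYTHON_BASE_IMAGE} AS builder

# Build-time environment. POLICYNIM_LANCEDB_URI must match the runtime stage so
# the index baked here is found at the same path after COPY --from=builder.
# UV_LINK_MODE=copy avoids hardlink failures when the uv cache mount below lives
# on a different filesystem than /app.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked \
    UV_LINK_MODE=copy

WORKDIR /app

# uv is pinned so dependency resolution is reproducible across builds.
RUN pip install --no-cache-dir uv==0.7.12

# README.md and LICENSE are copied alongside the manifests; presumably
# pyproject.toml references them as project metadata — confirm before dropping.
COPY pyproject.toml uv.lock README.md LICENSE ./
COPY src ./src
COPY policies ./policies
COPY evals ./evals

# --frozen: install exactly what uv.lock says, never re-resolve. The cache
# mount keeps uv's download cache on the build host, so rebuilds are fast
# without the cache ending up in an image layer.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen

# Bake the vector index into the image. The API key is read from a BuildKit
# secret mount inside the command, so it never lands in a layer, ENV or
# `docker history`. --frozen keeps `uv run` from touching the lockfile or
# re-resolving against the network; it uses the venv synced above.
RUN --mount=type=secret,id=nvidia_api_key,required=true \
    --mount=type=cache,target=/root/.cache/uv \
    sh -c 'NVIDIA_API_KEY="$(cat /run/secrets/nvidia_api_key)" uv run --frozen policynim ingest'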


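FROM ${PYTHON_BASE_IMAGE} AS runtime

# Runtime environment. POLICYNIM_LANCEDB_URI points at the index baked in the
# builder stage. POLICYNIM_MCP_HOST=0.0.0.0 is deliberate: the server must bind
# all interfaces to be reachable from outside the container's network namespace.
# PATH puts the copied venv first so `policynim` resolves without `uv run`.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    POLICYNIM_LANCEDB_URI=/app/data/lancedb-baked \
    POLICYNIM_MCP_HOST=0.0.0.0 \
    PATH=/app/.venv/bin:$PATH

WORKDIR /app

# Dedicated unprivileged account with a fixed UID/GID so the server does not run
# as root and runtimes enforcing runAsNonRoot can verify the identity.
RUN groupadd --system --gid 10001 policynim \
    && useradd --system --uid 10001 --gid policynim \
       --home-dir /app --no-create-home --shell /usr/sbin/nologin policynim

# Only the artifacts the server needs come over; pip/uv stay in the builder.
# Code and venv remain root-owned (read-only for the service account; bytecode
# writes are already disabled via PYTHONDONTWRITEBYTECODE).
COPY --from=builder /app/.venv /app/.venv
COPY --from=builder /app/src /app/src
COPY --from=builder /app/policies /app/policies
COPY --from=builder /app/evals /app/evals
COPY --from=builder /app/pyproject.toml /app/pyproject.toml
COPY --from=builder /app/README.md /app/README.md
COPY --from=builder /app/LICENSE /app/LICENSE
# The index directory is owned by the service account in case LanceDB needs to
# write lock/metadata files at open time — TODO confirm; if it is strictly
# read-only, drop --chown here too.
COPY --from=builder --chown=policynim:policynim /app/data/lancedb-baked /app/data/lancedb-baked

# NOTE(review): no EXPOSE or HEALTHCHECK because the MCP listen port is not
# visible in this file; add both once the port is known (it must be >=1024 for
# the non-root user to bind it on runtimes that enforce privileged ports).
USER policynim

CMD ["policynim", "mcp", "--transport", "streamable-http"]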
