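# syntax=docker/dockerfile:1
# ── Stage 1: build wheel ──────────────────────────────────────────────────────
FROM python:3.11-slim AS builder
WORKDIR /build

# Install build tools
# NOTE(review): pip wheel uses build isolation by default, so the backend is
# resolved from pyproject.toml itself; this pre-install may be redundant — confirm.
RUN pip install --no-cache-dir hatchling

COPY pyproject.toml .
COPY src/ src/
# Builds the project wheel plus wheels for its dependencies into /wheels so the
# runtime stage can install without network access (--no-index below).
RUN pip wheel --no-cache-dir --wheel-dir /wheels .

# ── Stage 2: runtime image ────────────────────────────────────────────────────
FROM python:3.11-slim

# System packages needed at runtime:
#   unixodbc        — pyodbc SQL Server support (runtime library only; the
#                     -dev headers are not needed because the wheel is prebuilt)
#   ca-certificates — TLS verification against internal CAs
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      unixodbc \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Install from the builder's wheel directory through a bind mount instead of a
# COPY: a COPY layer keeps /wheels in the image even after a later `rm -rf`,
# whereas a mount never becomes part of any layer.
RUN --mount=type=bind,from=builder,source=/wheels,target=/wheels \
    pip install --no-cache-dir --no-index --find-links /wheels mcp-privileged

# Non-root service user. The UID is allocated by useradd; if the runtime must
# verify runAsNonRoot or volumes are shared with other images, consider passing
# a fixed `--uid` (note this changes ownership expectations of existing volumes).
RUN useradd --system --no-create-home --shell /usr/sbin/nologin mcpuser

# Mount-points for runtime secrets (provided by docker secret / volume), owned
# by the service user so it can read what is mounted there.
RUN install -d -o mcpuser -g mcpuser /run/secrets /app/certs

USER mcpuser
EXPOSE 8443

# Health check — lightweight GET /health (no auth required).
# The explicit urlopen timeout keeps the probe from hanging until the
# HEALTHCHECK --timeout kills it; urlopen raises on non-2xx, which is the
# failing exit status the check relies on.
# NOTE(review): the probe speaks plain http on 8443 while /app/certs suggests
# the service may terminate TLS — confirm the scheme, otherwise the container
# will never report healthy.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8443/health', timeout=4)"

ENTRYPOINT ["mcp-privileged"]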