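# syntax=docker/dockerfile:1
# Multi-stage: builder installs deps; runtime copies only site-packages and app code.
# Single image for both dev and prod; Compose files differentiate behavior.

# --- Stage 1: builder (dependencies only) ---
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# --- Stage 2: runtime (minimal final image) ---
FROM python:3.12-slim
WORKDIR /app

# Install gosu (used by the entrypoint to drop privileges). The apt lists are
# removed in the same layer so they never persist in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends gosu \
    && rm -rf /var/lib/apt/lists/*

# Create the unprivileged runtime user BEFORE any COPY so that --chown can
# reference it by name. Ownership is then set while each layer is written,
# instead of a trailing `chown -R /app` that re-writes every copied file into
# an extra layer (doubling the app's footprint in the image).
RUN adduser --disabled-password --gecos "" botuser \
    && mkdir -p /app/data \
    && chown botuser:botuser /app /app/data

# Copy installed packages and console scripts from builder (no requirements.txt, no pip layer)
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Application code (duty_teller package + entrypoint, migrations, webapp)
ENV PYTHONPATH=/app
COPY --chown=botuser:botuser main.py alembic.ini entrypoint.sh ./
COPY --chown=botuser:botuser duty_teller/ ./duty_teller/
COPY --chown=botuser:botuser alembic/ ./alembic/
COPY --chown=botuser:botuser webapp/ ./webapp/

# No USER directive on purpose: the entrypoint starts as root so it can fix
# /app/data ownership (a volume mount arrives with host ownership), run
# migrations, and only then hand off to botuser via gosu.
# NOTE(review): entrypoint.sh is not in this file; it is expected to finish
# with `exec gosu botuser "$@"` so the app becomes PID 1 and receives SIGTERM -
# confirm against the script.
ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]
CMD ["python", "main.py"]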