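# ── Stage 1: Build wheel ─────────────────────────────────────
# Build-only stage: the source tree, the `build` frontend and pip's working
# files stay here; only the /install prefix is copied into the runtime image.
# NOTE(review): the base image is referenced by a mutable tag. Pinning it by
# digest (python:3.13-slim@sha256:<digest>) makes rebuilds reproducible and
# turns every base-image change into a reviewable diff.
FROM python:3.13-slim AS builder

WORKDIR /build
COPY pyproject.toml README.md ./
COPY src/ ./src/

# Build the wheel
# NOTE(review): `build` is unpinned, so each uncached build pulls whatever
# release is newest on the index. Pin the version to keep the toolchain fixed.
RUN pip install --no-cache-dir build \
    && python -m build --wheel --outdir /build/dist

# Install runtime + tools deps into a prefix.
# The wheel and the extra packages are resolved in ONE pip invocation. With
# --prefix, pip decides what is "already installed" from the interpreter's own
# site-packages, not from /install, so a second invocation could not see what
# the first one placed there and might write a different version of a shared
# dependency on top of it.
# NOTE(review): for the same reason, anything already present in the builder's
# site-packages (e.g. pulled in by `build`) is treated as satisfied and is not
# written to /install. If the runtime image reports a missing module, add
# --ignore-installed here.
# NOTE(review): the specifiers are lower bounds only, so the image content
# depends on the build date. A constraints/lock file installed with
# --require-hashes would make the dependency set auditable.
RUN pip install --no-cache-dir --prefix=/install \
        /build/dist/*.whl \
        "asyncpg>=0.29" \
        "beautifulsoup4>=4.12" \
        "httpx>=0.27"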

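# ── Stage 2: Runtime (NO source code) ────────────────────────
# Only the builder's /install prefix is copied in; the src/ tree and the
# `build` frontend never reach this image.
# NOTE(review): same mutable tag as the builder stage. Pin both by digest
# (python:3.13-slim@sha256:<digest>) so the two stages cannot drift apart.
FROM python:3.13-slim

# NOTE(review): image.version is hard-coded and can drift from the version in
# pyproject.toml. image.source is meant to identify the source repository;
# confirm the URL below is the intended value.
LABEL org.opencontainers.image.title="qRemoteX" \
      org.opencontainers.image.description="qRaptor Remote Execution Agent — run AI agents on your infrastructure" \
      org.opencontainers.image.vendor="AugmentAppz" \
      org.opencontainers.image.version="2.0.0" \
      org.opencontainers.image.url="https://qraptor.ai" \
      org.opencontainers.image.documentation="https://qraptor.ai/docs/qremotex" \
      org.opencontainers.image.source="https://qraptor.ai" \
      org.opencontainers.image.licenses="Proprietary"

ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

# Security: upgrade base packages to pick up CVE fixes, install tini (init
# process used by ENTRYPOINT) and curl, then clean up the apt lists in the
# same layer.
# NOTE(review): the HEALTHCHECK below runs python, not curl. Unless
# docker-entrypoint.sh (not visible here) needs curl, dropping it removes a
# download tool from the runtime image.
# NOTE(review): `apt-get upgrade` makes the package set depend on the build
# date. Rebuild regularly, and scan the resulting image rather than assuming
# it is current.
RUN apt-get update \
    && apt-get upgrade -y --no-install-recommends \
    && apt-get install -y --no-install-recommends \
        curl \
        tini \
    && rm -rf /var/lib/apt/lists/*

# Security: non-root user
# NOTE(review): -r lets useradd pick the UID/GID. Admission checks such as
# Kubernetes runAsNonRoot need a numeric user, so a fixed UID/GID plus a
# numeric USER would be easier to enforce. Changing the UID affects ownership
# of existing volumes, so coordinate before doing it.
RUN groupadd -r qremotex && useradd -r -g qremotex -d /app -s /sbin/nologin qremotex

WORKDIR /app

# Copy ONLY installed packages (no source code)
# No --chown is given, so the files stay owned by root and the runtime user
# cannot modify the installed code.
COPY --from=builder /install /usr/local

# Entrypoint script for optional user package installation
# NOTE(review): packages installed at container start are not covered by
# image scanning or signing and run with the agent's privileges. The script is
# not visible here; confirm it restricts what can be installed and from where.
COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
RUN chmod +x /usr/local/bin/docker-entrypoint.sh

# Create writable dirs (owned by qremotex)
# These are the only paths created for the runtime user to write to.
RUN mkdir -p /app/downloads /app/user-packages \
    && chown -R qremotex:qremotex /app

# Drop privileges
USER qremotex

# Health-check — verifies the Python package is importable
# NOTE(review): this starts a fresh interpreter each time and only proves the
# package imports. It does not show that the agent process started by CMD is
# alive or responsive, so a hung agent still reports healthy.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD python -c "from qremotex.config import ExecutorConfig; print('ok')"

# tini runs as PID 1, forwards signals and reaps child processes. The
# entrypoint script is named by absolute path so that it does not depend on
# PATH, which can be overridden at `docker run` time.
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
CMD ["python", "-m", "qremotex.main"]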
