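# Multi-stage build: dependencies are compiled in `builder`, and only the
# resulting user site-packages are copied into the slim `production` image.
# NOTE(review): python:3.8 is end-of-life; plan an upgrade and consider
# pinning both base images by digest for reproducible, verifiable builds.

# ---------------------------------------------------------------------------
# Build stage
# ---------------------------------------------------------------------------
FROM python:3.8-slim-bullseye AS builder

# Build-time system dependencies: compiler toolchain and PostgreSQL headers for
# packages that ship C extensions. apt lists are removed in the same layer so
# they do not bloat the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        libpq-dev && \
    rm -rf /var/lib/apt/lists/*

# Create the non-root user. `useradd -r` does not create a home directory, so
# /home/appuser must exist and be writable by appuser before `pip install
# --user` can populate /home/appuser/.local; without this step pip fails with
# "Permission denied" on /home/appuser.
RUN groupadd -r appuser && \
    useradd -r -g appuser appuser && \
    mkdir -p /home/appuser/.local && \
    chown -R appuser:appuser /home/appuser

WORKDIR /app
COPY requirements.txt .

# Install Python dependencies as the non-root user into its user site.
# NOTE(review): consider hash-pinning requirements.txt (`--require-hashes`) so
# the build only accepts the exact artifacts that were reviewed.
USER appuser
RUN pip install --user --no-cache-dir -r requirements.txt

# ---------------------------------------------------------------------------
# Production stage
# ---------------------------------------------------------------------------
FROM python:3.8-slim-bullseye AS production

# Runtime-only dependencies: libpq5 (PostgreSQL client library) and curl for
# the HEALTHCHECK below. No compiler toolchain ships in the final image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libpq5 \
        curl && \
    rm -rf /var/lib/apt/lists/*

# Recreate the non-root user and its home so `--chown=appuser:appuser` below
# can resolve the name in this stage.
RUN groupadd -r appuser && \
    useradd -r -g appuser appuser && \
    mkdir -p /home/appuser/.local && \
    chown -R appuser:appuser /home/appuser

WORKDIR /app

# Copy application code and the prebuilt user site-packages.
# NOTE(review): `COPY . .` copies the whole build context; make sure a
# .dockerignore excludes .git, local env files and other secrets.
COPY --chown=appuser:appuser . .
COPY --from=builder --chown=appuser:appuser /home/appuser/.local /home/appuser/.local

# Writable runtime directories. The application tree is already owned by
# appuser via COPY --chown, so only /app itself and the directories created
# here are chowned; a recursive chown would duplicate every file into a new
# layer without changing the result.
RUN mkdir -p /app/cache /app/data /app/logs && \
    chown appuser:appuser /app /app/cache /app/data /app/logs

USER appuser

# Make the user-site console scripts and the application package importable.
ENV PATH=/home/appuser/.local/bin:$PATH
ENV PYTHONPATH=/app

# Application environment variables
ENV CACHE_DIR=/app/cache \
    VECTOR_STORE_PATH=/app/data \
    LOG_PATH=/app/logs \
    PYTHONUNBUFFERED=1

# Health check. Assumes the service listens on port 8000 — confirm against
# the entrypoint; no EXPOSE is declared here.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8000/health || exit 1

CMD ["python", "-m", "src.orchestration.agent_controller"]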