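# Stage 1: Build wheels
# Builds the project and its dependencies into wheels under
# /opt/app-root/src/wheels. Only that directory is consumed by the runtime
# stage; everything else in this stage is discarded.
#
# NOTE(review): ":latest" is a mutable tag, so the toolchain producing the
# wheels can change between builds with no change to this file. Pin the base
# by tag and digest and use the same reference in the runtime stage, e.g.
#   registry.redhat.io/ubi9/python-311:<TAG>@sha256:<DIGEST>   (placeholders)
FROM registry.redhat.io/ubi9/python-311:latest AS builder

WORKDIR /opt/app-root/src/build

# COPY creates files owned by root unless --chown is given. 1001:0 matches the
# ownership used in the runtime stage. Presumably RUN steps in this base image
# execute as UID 1001 (TODO confirm), in which case a build backend that
# writes into the source tree needs these paths to be writable by that user.
COPY --chown=1001:0 pyproject.toml README.md ./
COPY --chown=1001:0 src/ src/

# Builds a wheel for the project and for each of its dependencies.
# NOTE(review): dependencies are resolved at build time from the configured
# package index. If pyproject.toml does not pin exact versions (not visible
# here), consider a constraints file with hashes (pip's --require-hashes) so a
# changed upstream release cannot enter the image unnoticed.
RUN pip wheel --no-cache-dir --wheel-dir=/opt/app-root/src/wheels .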

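# Stage 2: Runtime
# Installs the prebuilt wheels and ships the data, rules and prompt templates.
#
# NOTE(review): ":latest" is a mutable tag, so the runtime base (and the OS
# packages in it) can change between builds with no change to this file. Pin
# it by tag and digest, using the same reference as the builder stage, e.g.
#   registry.redhat.io/ubi9/python-311:<TAG>@sha256:<DIGEST>   (placeholders)
FROM registry.redhat.io/ubi9/python-311:latest

LABEL io.openshift.expose-services="8080:http" \
      io.k8s.description="Sanicode — AI-assisted code sanitization scanner" \
      io.k8s.display-name="Sanicode" \
      maintainer="Sanicode Contributors"

COPY --from=builder --chown=1001:0 /opt/app-root/src/wheels /opt/app-root/src/wheels

# --no-index with --find-links restricts pip to the wheels copied from the
# builder stage, so nothing is fetched from a package index in this stage.
# NOTE(review): the rm -rf removes the wheels from the final filesystem only;
# the COPY layer above still carries them in the image. A bind mount from the
# builder stage (RUN --mount=type=bind,from=builder,...) would avoid that
# layer, if the build tool in use supports it.
RUN pip install --no-cache-dir --no-index --find-links=/opt/app-root/src/wheels sanicode && \
    rm -rf /opt/app-root/src/wheels

# Copy data directories for compliance DB, rules, and prompt templates.
# chown 1001:0 so OpenShift's random UID (always GID 0) can read;
# chmod g=u so group perms mirror user (dirs 775, files 664).
COPY --chown=1001:0 data/ /opt/app-root/src/data/
COPY --chown=1001:0 rules/ /opt/app-root/src/rules/
COPY --chown=1001:0 prompts/ /opt/app-root/src/prompts/

# NOTE(review): g=u grants the group write access as well as read. If the
# service only reads rules/ and prompts/, that is more than it needs: a process
# running under the arbitrary UID could alter scan rules or prompt templates.
# Consider g=rX for those paths and keep write only where the compliance DB
# requires it. Confirm against runtime behaviour before changing.
RUN chmod -R g=u /opt/app-root/src/data /opt/app-root/src/rules /opt/app-root/src/prompts

# State the unprivileged runtime user explicitly rather than inheriting it
# from the base image. A numeric UID lets Kubernetes runAsNonRoot verify it.
# 1001 is the owner used by the --chown options above.
USER 1001

# Unprivileged port; matches the io.openshift.expose-services label.
EXPOSE 8080

# Exec form: sanicode runs as PID 1 and receives stop signals directly.
# 0.0.0.0 binds every interface inside the container; what is reachable from
# outside is decided by the port publishing / Service / Route configuration.
ENTRYPOINT ["sanicode"]
CMD ["serve", "--host", "0.0.0.0", "--port", "8080"]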
