# Base image for the notebook environment.
# NOTE(review): the tag is mutable and carries no @sha256 digest, so a rebuild
# can silently pick up a different image. Pin by digest if builds must be
# reproducible and auditable.
FROM python:3.13-slim

# Runtime environment baked into the image:
#   PYTHONDONTWRITEBYTECODE    - Python does not write .pyc files
#   PYTHONUNBUFFERED           - stdout/stderr are unbuffered, so logs show up immediately
#   PIP_NO_CACHE_DIR           - pip keeps no download cache in the image layers
#   JUPYTER_PLATFORM_DIRS      - Jupyter resolves its directories via platformdirs
#   PATTER_NOTEBOOKS_IN_DOCKER - project flag; presumably tells the notebooks they
#                                run inside this container (consumer not shown here)
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    JUPYTER_PLATFORM_DIRS=1 \
    PATTER_NOTEBOOKS_IN_DOCKER=1

# OS packages: the CA bundle for TLS verification, plus curl and git.
# update + install share one layer so the package index is never stale, and the
# apt lists are removed in that same layer so they do not end up in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
 && rm -rf /var/lib/apt/lists/*

# Non-root user. UID/GID 1000 is the usual first-user ID on most Linux hosts, so
# the bind-mounted /notebooks tree stays writable without a chown dance.
# Override at build time (--build-arg PUID=... --build-arg PGID=...) when the
# host user differs. macOS accounts normally start at UID 501.
# TODO confirm whether Docker Desktop's file sharing makes that mismatch irrelevant.
# The account is only created here; the switch away from root happens at the
# later USER instruction, after the root-only install steps.
ARG PUID=1000
ARG PGID=1000
RUN groupadd --gid "${PGID}" patter \
 && useradd --uid "${PUID}" --gid "${PGID}" --create-home --shell /bin/bash patter

# Working directory for the notebooks and the Jupyter root_dir used at launch.
# NOTE(review): this runs while the build user is still root, so the directory
# in the image is root-owned. Writes by the patter user rely on /notebooks
# being bind-mounted at runtime. Confirm that no caller starts the image without it.
WORKDIR /notebooks/python

# Top-level dep pins. PATTER_VERSION lets a builder override the SDK version
# without rewriting requirements.txt — e.g. docker build --build-arg PATTER_VERSION=0.5.5
# The second pip call runs after requirements.txt, so the build-arg version wins
# over any getpatter pin that file may carry.
# NOTE(review): neither install uses --require-hashes, so package integrity
# rests on the index and TLS alone. A hashed lock file would close that gap.
ARG PATTER_VERSION=0.5.4
COPY requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir -r /tmp/requirements.txt \
 && pip install --no-cache-dir --upgrade "getpatter==${PATTER_VERSION}"

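# 8888 → JupyterLab. 8765 → EmbeddedServer for T2/T4 live cells.
# EXPOSE only documents the ports. What is actually published, and on which
# host interface, is decided by docker-compose / docker run.
EXPOSE 8888 8765

# Drop root for everything that runs inside the container.
USER patter

# JUPYTER_TOKEN is supplied by docker-compose (generated by _setup.start_docker
# or set explicitly in the user environment).
#
# Fail closed: an empty token combined with the empty password below turns
# Jupyter Server authentication off, and --ip=0.0.0.0 makes the server
# reachable on every published interface. The launch command therefore refuses
# to start unless JUPYTER_TOKEN is non-empty, or unauthenticated Lab has been
# explicitly requested with PATTER_NOTEBOOKS_NO_TOKEN=1. Enforcing this in the
# image keeps the guarantee when the container is started directly, without
# the wrapper that normally performs the check.
# NOTE(review): confirm docker-compose forwards PATTER_NOTEBOOKS_NO_TOKEN into
# the container environment, otherwise the opt-in path cannot reach this check.
CMD ["sh", "-c", "if [ -z \"${JUPYTER_TOKEN:-}\" ] && [ \"${PATTER_NOTEBOOKS_NO_TOKEN:-}\" != 1 ]; then \
    echo 'JUPYTER_TOKEN is empty or unset; refusing to start JupyterLab without authentication. Set PATTER_NOTEBOOKS_NO_TOKEN=1 to opt in.' >&2; \
    exit 1; \
    fi; \
    exec jupyter lab \
    --ip=0.0.0.0 \
    --port=8888 \
    --no-browser \
    --ServerApp.token=\"${JUPYTER_TOKEN:-}\" \
    --ServerApp.password= \
    --ServerApp.root_dir=/notebooks/python"]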
