# ==========================================
# Stage 1: builder (compilers and dependency installation)
# ==========================================
# NOTE(review): the base image is referenced by tag only. Pinning it by digest
# (python:3.12-slim-bookworm@sha256:<DIGEST>) would make rebuilds reproducible
# and protect against a re-pushed tag.
FROM python:3.12-slim-bookworm AS builder

WORKDIR /src

# Skip .pyc generation and keep stdout/stderr unbuffered during the build.
ENV PYTHONDONTWRITEBYTECODE=1 PYTHONUNBUFFERED=1

# 1. Build dependencies: a fixed toolchain plus every package named in
#    packages.txt. The index refresh, both installs and the apt-list cleanup
#    share one layer so no stale package index is cached or shipped.
COPY packages.txt ./
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        git \
        libpq-dev \
    && xargs -a packages.txt apt-get install -y --no-install-recommends \
    && rm -rf /var/lib/apt/lists/*

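# 2. Install uv (release pinned through the installer URL)
#    The installer is written to disk and executed as a separate step instead
#    of being piped into `sh`. With a pipe, the default /bin/sh reports only
#    the exit status of `sh`, so a failed or truncated download could go
#    unnoticed or leave a half-executed script behind.
#    NOTE(review): the script is still trusted on TLS alone. Consider recording
#    its SHA-256 in this repository and checking it before execution, e.g.
#    `echo "<EXPECTED_SHA256>  /tmp/uv-install.sh" | sha256sum -c -`.
RUN curl -LsSf -o /tmp/uv-install.sh https://astral.sh/uv/0.7.12/install.sh && \
    sh /tmp/uv-install.sh && \
    rm -f /tmp/uv-install.sh && \
    cp /root/.local/bin/uv /usr/local/bin/uv && \
    cp /root/.local/bin/uvx /usr/local/bin/uvx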

# 3. Create Virtual Environment
#    /opt/venv is the only directory the runtime stage copies out of this
#    stage, so everything the application needs must end up inside it.
RUN uv venv /opt/venv
# Put the venv's bin directory first on PATH for the rest of this stage.
# NOTE(review): presumably this is what makes the `uv pip` commands below
# target /opt/venv; setting VIRTUAL_ENV=/opt/venv as well would make that
# explicit. TODO confirm.
ENV PATH="/opt/venv/bin:$PATH"

# 4. Install Requirements (Aggressive Cleanup Mode)
#    Only the three requirement files are copied, so this layer is rebuilt only
#    when one of them changes.
COPY requirements-main.txt .
COPY requirements-rag.txt .
COPY requirements-app.txt .

# Resolution uses the default index plus the PyTorch CPU wheel index.
# NOTE(review): `--index-strategy unsafe-best-match` lets uv take the best
# matching version of a package from ANY configured index rather than from the
# first index that carries it. Together with `--extra-index-url`, a package
# name published on either index can win resolution (dependency confusion).
# If the requirement files are fully pinned, adding hashes and
# `--require-hashes` would bound this risk. Confirm before changing, since the
# strategy may be needed for resolution to succeed.
#
# The pipeline in step A runs under the default /bin/sh without pipefail, so
# only the status of `xargs` counts: `grep` finding no nvidia package does not
# fail the build, and `xargs -r` then runs nothing. Enabling pipefail for this
# RUN would change that.
RUN uv pip install --no-cache-dir \
    --index-strategy unsafe-best-match \
    -r requirements-main.txt \
    -r requirements-rag.txt \
    -r requirements-app.txt \
    --extra-index-url https://download.pytorch.org/whl/cpu && \
    # A. Remove torch, torchvision, torchaudio and every installed package whose name contains "nvidia"
    uv pip uninstall torch torchvision torchaudio && \
    uv pip freeze | grep nvidia | cut -d= -f1 | xargs -r uv pip uninstall && \
    # B. Re-install from the PyTorch CPU index only. No version is given here, so the result may differ from what the requirement files resolved to
    uv pip install --no-cache-dir torch torchvision torchaudio --index-url https://download.pytorch.org/whl/cpu

# ==========================================
# Stage 2: runtime (slim image that receives only the built venv)
# ==========================================
# NOTE(review): tag-only reference, same as the builder stage; a digest pin
# (python:3.12-slim-bookworm@sha256:<DIGEST>) would fix the exact base.
FROM python:3.12-slim-bookworm AS runtime

WORKDIR /src

# 1. Runtime OS packages plus pending Debian updates, all in one layer.
#    `apt-get upgrade` makes the image contents depend on the build date.
#    curl and gnupg are used by the next step to fetch and dearmor the
#    Microsoft repository key.
#    NOTE(review): curl, gnupg and the unixodbc-dev development package stay
#    in the final image; confirm each is needed at run time, otherwise purge
#    it after use to shrink the attack surface.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
        antiword \
        curl \
        ffmpeg \
        gnupg \
        libmagic1 \
        libpq5 \
        libxml2 \
        tesseract-ocr \
        tesseract-ocr-eng \
        unixodbc \
        unixodbc-dev \
    && rm -rf /var/lib/apt/lists/*

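# 2. Install Microsoft ODBC Driver 18 for SQL Server (supports both amd64 and arm64)
#    The repository key is downloaded to a file before it is dearmored. Piping
#    curl straight into gpg would hide a failed download behind gpg's exit
#    status, because the default /bin/sh has no pipefail.
#    `signed-by` limits this key to the Microsoft repository only; it is not
#    added to the system-wide trusted keys.
#    NOTE(review): the key is accepted as served over TLS. Comparing its
#    fingerprint with a value recorded in this repository
#    (<EXPECTED_KEY_FINGERPRINT>) would detect a swapped key.
RUN curl -fsSL -o /tmp/microsoft.asc https://packages.microsoft.com/keys/microsoft.asc && \
    gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg /tmp/microsoft.asc && \
    rm -f /tmp/microsoft.asc && \
    echo "deb [arch=amd64,arm64 signed-by=/usr/share/keyrings/microsoft-prod.gpg] https://packages.microsoft.com/debian/12/prod bookworm main" > /etc/apt/sources.list.d/mssql-release.list && \
    apt-get update && \
    ACCEPT_EULA=Y apt-get install -y --no-install-recommends msodbcsql18 && \
    rm -rf /var/lib/apt/lists/*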

# Runtime environment and the unprivileged service account.
# The venv copied from the builder stage comes first on PATH.
ENV PATH="/opt/venv/bin:$PATH"
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
# Cache and browser locations: HF_HOME sits under the genassist home directory,
# Playwright browsers are installed under /opt/playwright.
ENV HF_HOME="/home/genassist/.cache" \
    PLAYWRIGHT_BROWSERS_PATH="/opt/playwright"

# Service account with a fixed UID (1000) and a home directory.
RUN useradd --create-home --uid 1000 genassist

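# 3. Copy LEAN Virtual Environment from Builder
#    Copied without --chown, so the installed packages stay owned by root and
#    the genassist user can run them but not modify them.
COPY --from=builder /opt/venv /opt/venv

# 4. Install Playwright with Chromium
#    `--with-deps` installs Chromium's OS libraries through apt as root; the
#    package lists it leaves behind are removed in the same layer.
#    NOTE(review): the chown makes the browser files writable by the runtime
#    user. Confirm that is required; read-only browsers are the safer default.
RUN playwright install --with-deps chromium && \
    rm -rf /var/lib/apt/lists/* && \
    chown -R genassist:genassist "/opt/playwright"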

# 5. Copy Application Code
#    Entry scripts and the Alembic config go to /src, the app package and the
#    migration directory to their own subdirectories. All of it is owned by
#    the runtime user.
#    NOTE(review): because the runtime user owns these files, a compromised
#    process could rewrite the application code. Root-owned, read-only code is
#    stricter if nothing writes here at run time. TODO confirm.
COPY --chown=genassist:genassist run.py run_celery.py migrations.py alembic.ini /src/
COPY --chown=genassist:genassist app /src/app
COPY --chown=genassist:genassist alembic /src/alembic

# Certs: this COPY fails the build when ./certs is missing from the build
# context, so the directory has to exist even if it is empty of real material.
# NOTE(review): everything under ./certs is stored in an image layer and is
# readable by anyone who can pull the image. Keep private keys out of it and
# mount them at run time instead.
COPY --chown=genassist:genassist certs /src/certs

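# ---------------------------------------------------------------------------
# Create Log & Cache directories and fix permissions
# 1. Create .cache (for legra/graphrag)
# 2. Create datavolume/logs (for access logs)
# 3. Give /src and the new directories to the genassist user
#
# Every COPY into /src above already sets --chown=genassist:genassist, so only
# /src itself (created by WORKDIR) and the directories made here are still
# owned by root. Changing just those avoids a recursive chown, which can
# rewrite every file under /src into this layer a second time.
# A COPY added later without --chown must be chowned explicitly.
# ---------------------------------------------------------------------------
RUN mkdir -p /src/.cache /src/datavolume/logs && \
    chown genassist:genassist /src /src/.cache /src/datavolume /src/datavolume/logs

# 6. Set User and Entrypoint
#    Everything from here on, including the container process, runs as the
#    unprivileged genassist account (UID 1000 from the useradd step).
USER genassist

# EXPOSE documents the port only; it does not publish it.
# NOTE(review): no HEALTHCHECK is defined in this file. Add one if the service
# has a cheap health endpoint.
EXPOSE 8000
# Exec form: python is started directly, without a wrapping shell.
CMD ["python", "/src/run.py"]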