# Multi-stage build for Dexorder user container
FROM continuumio/miniconda3:latest AS builder

WORKDIR /build

# Install build dependencies including protobuf compiler
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    g++ \
    protobuf-compiler \
    && rm -rf /var/lib/apt/lists/*

# Copy dependency specifications
COPY environment.yml .
COPY dexorder/ dexorder/

# Copy protobuf definitions (copied by bin/build from canonical /protobuf/)
COPY protobuf/ protobuf/

# Compile protobufs to Python
RUN mkdir -p dexorder/generated && \
    protoc --python_out=dexorder/generated --proto_path=protobuf protobuf/*.proto && \
    touch dexorder/generated/__init__.py

# Create conda environment and install dependencies
RUN conda env create -f environment.yml -p /build/env && \
    conda clean -afy

# =============================================================================
# Runtime stage
# =============================================================================
FROM continuumio/miniconda3:latest

WORKDIR /app

# Install runtime dependencies only
RUN apt-get update && apt-get install -y --no-install-recommends \
    libzmq5 \
    git \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user
RUN groupadd -r dexorder && useradd -r -g dexorder -u 1000 dexorder

# Copy conda environment from builder
COPY --from=builder /build/env /opt/conda/envs/dexorder

# Copy application code
COPY dexorder/ /app/dexorder/
COPY main.py /app/

# Copy generated protobuf code from builder
COPY --from=builder /build/dexorder/generated/ /app/dexorder/generated/

# Create directories for config, secrets, and data
# Note: /app will be read-only at runtime except for /app/data (mounted volume)
RUN mkdir -p /app/config /app/secrets /app/data && \
    chown -R root:root /app && \
    chmod -R 755 /app && \
    chown dexorder:dexorder /app/data && \
    chmod 700 /app/data

# Create writable tmp directory (read-only rootfs requirement)
RUN mkdir -p /tmp && chmod 1777 /tmp

# Copy entrypoint script
COPY entrypoint.sh /app/
RUN chmod 755 /app/entrypoint.sh && chown root:root /app/entrypoint.sh

# Switch to non-root user
USER dexorder

# Environment variables (can be overridden in k8s)
ENV PYTHONPATH=/app \
    PYTHONUNBUFFERED=1 \
    MPLCONFIGDIR=/tmp \
    NUMBA_CACHE_DIR=/tmp/numba_cache \
    LOG_LEVEL=INFO \
    CONFIG_PATH=/app/config/config.yaml \
    SECRETS_PATH=/app/config/secrets.yaml \
    ZMQ_XPUB_PORT=5570 \
    ZMQ_GATEWAY_ENDPOINT=tcp://gateway:5571 \
    MCP_SERVER_NAME=dexorder-user \
    MCP_TRANSPORT=sse \
    MCP_HTTP_PORT=3000 \
    MCP_HTTP_HOST=0.0.0.0 \
    IDLE_TIMEOUT_MINUTES=15 \
    ENABLE_IDLE_SHUTDOWN=true

# Health check endpoint (simple check if process is running)
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD /opt/conda/envs/dexorder/bin/python -c "import sys; sys.exit(0)"

# Run the main application using conda environment via entrypoint
ENTRYPOINT ["/app/entrypoint.sh"]
