# MOD-OSINT — Hugging Face Docker Space
# Runs the GUI wizard wired to engine/pipeline_orchestrator.py on port 7860.
FROM python:3.11-slim

ARG BUILD_DATE="unknown"
ARG VCS_REF="unknown"

LABEL maintainer="moddux" \
      org.opencontainers.image.title="MOD-OSINT" \
      org.opencontainers.image.description="MOD-OSINT Streamlit GUI for HF Docker Space" \
      org.opencontainers.image.source="https://github.com/moddux/MOD-OSINT" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    STREAMLIT_BROWSER_GATHER_USAGE_STATS=false \
    STREAMLIT_SERVER_HEADLESS=true \
    STREAMLIT_SERVER_ADDRESS=0.0.0.0 \
    STREAMLIT_SERVER_PORT=7860

RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        git \
        curl \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Install runtime dependencies first for cache reuse.
COPY requirements-hf.txt ./requirements-hf.txt
RUN python -m pip install --upgrade pip \
    && pip install --no-cache-dir -r requirements-hf.txt

# Create runtime user before copying app files.
RUN useradd -m -u 1000 appuser

# Copy application source (honors .dockerignore).
COPY --chown=appuser:appuser . .

# Runtime dirs and entrypoint permissions.
RUN mkdir -p /app/runs /app/logs \
    && chown -R appuser:appuser /app/runs /app/logs \
    && chmod 775 /app/runs /app/logs \
    && chmod +x /app/scripts/docker_entrypoint.sh

USER appuser

EXPOSE 7860

HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=5 \
  CMD curl -fsS http://127.0.0.1:7860/_stcore/health || exit 1

ENTRYPOINT ["bash", "scripts/docker_entrypoint.sh"]