# Flow UI Container
# Production-ready deployment with uvicorn workers

FROM python:3.11-slim AS base

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Install uv for fast dependency management
RUN pip install --no-cache-dir uv

# -------------------------------------------------------------------
# Builder stage: install dependencies
# -------------------------------------------------------------------
FROM base AS builder

# Copy files needed for build (hatchling requires README.md)
COPY pyproject.toml uv.lock README.md ./

# Install dependencies to system (no venv needed in container)
RUN uv pip install --system .

# -------------------------------------------------------------------
# Final stage: copy app and run
# -------------------------------------------------------------------
FROM base AS final

# Copy installed packages from builder
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy application source (includes pre-built frontend in src/flow/ui/ui/)
COPY src/ ./src/

# Copy files needed for package install
COPY pyproject.toml README.md ./

# Install the app itself (editable, uses already-installed deps)
RUN uv pip install --system --no-deps -e .

# Create non-root user for security
RUN useradd --create-home --shell /bin/bash flowuser
RUN mkdir -p /app/data && chown -R flowuser:flowuser /app
USER flowuser

# Configuration
ENV PORT=7860
ENV FLOW_DATA_DIR=/app/data
ENV UVICORN_WORKERS=2

# Auth is disabled by default - enable via HF Space Secrets or .env:
#   AUTH_ENABLED=true
#   AUTH_MODE=github (or basic)
#   AUTH_SECRET=<random-string>
#   AUTH_GITHUB_CLIENT_ID=<your-client-id>
#   AUTH_GITHUB_CLIENT_SECRET=<your-secret>
#   AUTH_GITHUB_ALLOWED_USERS=user1,user2

# Expose the port
EXPOSE ${PORT}

# Health check - matches the actual endpoint in main.py
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:${PORT}/api/health || exit 1

# Production uvicorn with multiple workers
# - workers: handle concurrent requests (CPU-bound, use 2-4 for most cases)
# - For I/O bound (which this is), uvicorn's async handles concurrency well
# - limit-concurrency prevents overload
CMD uvicorn flow.ui.main:app \
    --host 0.0.0.0 \
    --port ${PORT} \
    --workers ${UVICORN_WORKERS} \
    --limit-concurrency 100 \
    --timeout-keep-alive 30