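# syntax=docker/dockerfile:1
# Stage 1: Base with system dependencies and tool installations
# NOTE(review): only /bin/uv and /bin/uvx are copied out of this stage by the
# final stage; hadolint, checkov, trivy and semgrep installed here do not reach
# the runtime image — confirm that this is intended.
FROM python:3.12-slim AS builder

# Make a RUN fail when any command in a pipeline fails (matters for the
# `curl | sh` step below, where the default /bin/sh would mask a curl error).
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install system dependencies. --no-install-recommends keeps the layer small;
# the apt lists are removed in the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    git \
    && rm -rf /var/lib/apt/lists/*

# Install Hadolint (for Dockerfile linting) from a pinned release.
# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
# TODO(review): verify the download against the release's published SHA-256
# (e.g. `ADD --checksum=sha256:<HADOLINT_SHA256_PLACEHOLDER>`) once the digest is recorded.
RUN curl -fsSLo /bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
    && chmod +x /bin/hadolint

# Install Checkov (for Kubernetes security scanning).
# --no-cache-dir keeps pip's download cache out of the layer.
RUN pip install --no-cache-dir checkov==3.1.123

# Install Trivy (for container and IaC scanning) - Native MCP server
# TODO(review): install.sh is fetched from the unpinned `main` branch and piped
# straight into sh, so only the trivy version (v0.47.0) is pinned, not the
# installer; prefer downloading the pinned release archive and checking its
# published checksum before executing anything.
RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.47.0

# Install Semgrep (for code scanning) - Will use native MCP server
RUN pip install --no-cache-dir semgrep==1.76.0

# Install UV package manager
# TODO(review): `latest` is a moving tag; pin a specific uv release tag (or
# digest) so rebuilds are reproducible.
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/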

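# Stage 2: App with source code and UV sync
FROM python:3.12-slim

# Install runtime dependencies while still root (apt-get needs root; the
# original ran this after `USER app`, which cannot succeed). The apt lists are
# removed in the same layer so they never persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    git \
    && rm -rf /var/lib/apt/lists/*

# Copy UV from builder stage
COPY --from=builder /bin/uv /bin/uvx /bin/

# Create the non-root runtime user and hand it ownership of /app, so that
# `uv sync` (run as `app` below) can create /app/.venv; a WORKDIR created by
# root would be unwritable for it. A fixed UID lets runtimes that enforce
# runAsNonRoot verify the user numerically.
RUN useradd --create-home --shell /bin/bash --uid 10001 app \
    && mkdir -p /app \
    && chown app:app /app
WORKDIR /app

# All root-only steps are done; everything below runs unprivileged.
USER app

# Install the locked dependencies first, without the project itself, so this
# layer stays cached until pyproject.toml or uv.lock change. `--frozen`
# requires uv.lock to be present and fails the build if it is missing or stale.
COPY --chown=app:app pyproject.toml uv.lock ./
RUN uv sync --frozen --no-dev --no-install-project

# Copy application code
COPY --chown=app:app README.md .
COPY --chown=app:app src/ ./src/
COPY --chown=app:app mcp_servers/ ./mcp_servers/
COPY --chown=app:app crews/ ./crews/
COPY --chown=app:app tools/ ./tools/
COPY --chown=app:app config/ ./config/
COPY --chown=app:app contexts/ ./contexts/

# Install the project itself into the already-populated virtualenv
RUN uv sync --frozen --no-dev

# Put the virtualenv on PATH so `uvicorn` below resolves without activation
ENV PYTHONPATH=/app/src \
    PATH="/app/.venv/bin:$PATH"

# Expose port (documentation only; publish it with -p at run time)
EXPOSE 8000

# Set entrypoint (exec form: uvicorn is PID 1 and receives SIGTERM directly)
ENTRYPOINT ["uvicorn", "src.pr_reviewer.main:app", "--host", "0.0.0.0", "--port", "8000"]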