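# syntax=docker/dockerfile:1
# ─── Build ─────────────────────────────────────
# Builds the attestmcp wheel in an isolated stage so build tooling never
# reaches the runtime image. NOTE(review): for reproducible production builds,
# pin this base by digest (python:3.12-slim@sha256:<digest>) rather than tag only.
FROM python:3.12-slim AS builder

WORKDIR /build
# Manifests first, source second: a source-only change keeps the earlier layer cached.
COPY pyproject.toml README.md LICENSE ./
COPY src/ src/

# Pin the build frontend so two builds of the same source produce the same wheel
# (unpinned `build` would silently change with each PyPI release).
RUN pip install --no-cache-dir 'build==1.2.2' \
    && python -m build --wheel --outdir dist/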

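# ─── Runtime ───────────────────────────────────
# Minimal runtime: only the built wheel is installed, and the service runs as an
# unprivileged user with a dedicated, writable data directory.
FROM python:3.12-slim

LABEL org.opencontainers.image.title="AttestMCP" \
      org.opencontainers.image.description="Transparent MCP proxy with tamper-evident audit trails" \
      org.opencontainers.image.source="https://github.com/attestmcp/attestmcp" \
      org.opencontainers.image.licenses="Apache-2.0"

# Fixed UID/GID so orchestrators (e.g. runAsNonRoot checks) and host volume
# ownership are stable across rebuilds.
RUN groupadd --gid 1000 attestmcp \
    && useradd --uid 1000 --gid attestmcp --create-home attestmcp

# Install the wheel built in the previous stage and drop it in the same layer so
# it does not persist in the image.
COPY --from=builder /build/dist/*.whl /tmp/
RUN pip install --no-cache-dir /tmp/*.whl \
    && rm -rf /tmp/*.whl

# Default data directory for the audit SQLite database. The directory is
# created and chowned before VOLUME so the ownership survives into the image.
RUN mkdir -p /data && chown attestmcp:attestmcp /data
VOLUME /data

USER attestmcp
WORKDIR /home/attestmcp

# PYTHONUNBUFFERED keeps log lines from being held in a stdio buffer, so the
# container's log stream reflects events as they happen.
ENV ATTESTMCP_DB_PATH=/data/audit.db \
    ATTESTMCP_HOST=0.0.0.0 \
    ATTESTMCP_PORT=8080 \
    PYTHONUNBUFFERED=1

# Documentation only; must match ATTESTMCP_PORT.
EXPOSE 8080

# The probe reads ATTESTMCP_PORT at check time so an operator overriding the
# port does not get a permanently-unhealthy container; the explicit socket
# timeout stays under the 5s HEALTHCHECK budget so a hung server fails fast.
# NOTE(review): assumes the server accepts loopback connections — if
# ATTESTMCP_HOST is overridden to a non-loopback address this probe will fail.
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD ["python", "-c", "import os, urllib.request; urllib.request.urlopen('http://localhost:%s/health' % os.environ.get('ATTESTMCP_PORT', '8080'), timeout=3)"]

# Exec form: `attestmcp` is PID 1 and receives SIGTERM directly from `docker stop`.
ENTRYPOINT ["attestmcp"]
CMD ["serve"]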
