# ─────────────────────────────────────────────────────────────────
#  Ten31 Database — StartOS 0.4 container image
# ─────────────────────────────────────────────────────────────────
#  Build context (from the startos manifest dockerBuild.workdir)
#  is the repository root (two levels up from start9/0.4/), so all
#  COPY paths below are relative to the repo root.
#
#  This image is intentionally self-contained under start9/0.4/:
#  no files are pulled from start9/0.3.5/ so the two packages can
#  evolve independently.
#
#  As of 0.1.0:40 the image NO LONGER ships a seed snapshot. The
#  initial migration from 0.3.5 has been completed; from this
#  release forward the live /data volume on the StartOS host is
#  the sole source of truth and is preserved across sideloads.
# ─────────────────────────────────────────────────────────────────
FROM python:3.11-slim

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    CRM_ENV=production \
    CRM_HOST=0.0.0.0 \
    CRM_PORT=8080 \
    CRM_DATA_DIR=/data \
    CRM_FRONTEND_DIR=/app/frontend

WORKDIR /app

RUN apt-get update \
  && apt-get install -y --no-install-recommends ca-certificates curl \
  && rm -rf /var/lib/apt/lists/*

# ── Python dependencies ─────────────────────────────────────────
# `cryptography` is required by the Gmail integration's RS256 JWT signing
# (DWD bearer tokens). The two Phase-0 deps are runtime-only for the ingest
# pipeline + MCP server (the CRM web server itself still needs no new deps):
#   * fastembed — client-side BM25 (Qdrant/bm25) for the sparse retrieval leg
#                 (backend/ingest/sparse.py auto-detects it).
#   * mcp       — MCP Python SDK, only needed to run backend/mcp/server.py.
# Everything else server.py needs is stdlib.
#
# ⚠️ PRE-RELEASE — VERIFY THESE PINS BUILD ON BOTH ARCHES BEFORE RELEASE ⚠️
# fastembed==0.4.2 and mcp==1.2.0 were pinned best-effort and have NOT been
# confirmed to build on both x86_64 AND aarch64 (StartOS runs arm64). fastembed
# in particular pulls onnxruntime (no wheel on some arches → source build) and
# downloads a model on first use. Build the image on aarch64 and run the ingest
# once to confirm before cutting a release. See INGEST_PACKAGING.md "Pre-release
# checks". Do not bump these without re-verifying on both arches.
RUN pip install --no-cache-dir \
      cryptography==42.0.5 \
      fastembed==0.4.2 \
      mcp==1.2.0

# ── Application source ──────────────────────────────────────────
COPY backend/server.py        /app/backend/server.py
COPY backend/email_integration /app/backend/email_integration
# Phase-0 substrate: ingest pipeline (entity resolution + backfill) and the
# CRM MCP server. Shipped alongside the web server so the one-time index build
# and the (manually-run) MCP server can execute on the box where /data/crm.db
# lives. See start9/0.4/INGEST_PACKAGING.md.
COPY backend/ingest           /app/backend/ingest
COPY backend/mcp              /app/backend/mcp
COPY frontend                 /app/frontend

# ── StartOS wrapper scripts ─────────────────────────────────────
COPY start9/0.4/docker_entrypoint.sh /usr/local/bin/docker_entrypoint.sh
COPY start9/0.4/healthcheck.sh       /usr/local/bin/healthcheck.sh

RUN chmod +x /usr/local/bin/docker_entrypoint.sh \
             /usr/local/bin/healthcheck.sh

EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/docker_entrypoint.sh"]