FROM python:3.12-slim

WORKDIR /app

# Install system deps for underthesea / numpy + dumb-init + Rust toolchain for maturin
RUN apt-get update && \
    apt-get install -y --no-install-recommends gcc g++ dumb-init curl && \
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal && \
    rm -rf /var/lib/apt/lists/* && \
    echo 'export PATH="/root/.cargo/bin:$PATH"' >> /etc/profile.d/cargo.sh
ENV PATH="/root/.cargo/bin:${PATH}"

COPY pyproject.toml .
# Install maturin first, then deps with --no-build-isolation for packages needing Rust
RUN /root/.cargo/bin/cargo --version && \
    pip install --no-cache-dir maturin setuptools wheel && \
    pip install --no-cache-dir --no-build-isolation "underthesea==6.8.0" && \
    (pip install --no-cache-dir . 2>/dev/null || pip install --no-cache-dir \
    "fastapi==0.115.0" \
    "uvicorn[standard]==0.32.0" \
    "xgboost==2.1.0" \
    "numpy==1.26.4" \
    "pydantic==2.9.0" \
    "pydantic-settings==2.5.0" \
    "httpx==0.27.0" \
    "slowapi==0.1.9")

COPY app/ ./app/

# Pre-download underthesea models at build time
RUN python -c "from underthesea import word_tokenize; word_tokenize('test')" 2>/dev/null || true

RUN useradd --create-home --shell /bin/bash appuser && chown -R appuser:appuser /app

EXPOSE 8000

HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
    CMD python -c "import httpx; httpx.get('http://localhost:8000/health').raise_for_status()"

USER appuser

ENTRYPOINT ["dumb-init", "--"]
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "30"]