# fleettickets — INC + CRQ ticket ingestion image (Coolify-deployable).
# A small batch/cron worker: it has no web server. Coolify keeps the container
# running (CMD below) and fires the ingests via two Scheduled Tasks:
#     python -m inc.import_inc --from-bucket --apply        (cron: */20 6-20 * * *)
#     python -m crq.import_crq --from-bucket --apply        (cron: */20 6-20 * * *)
# (run from /app so the inc/ and crq/ packages + pipeline.py/shared.py import.)
# Env (set in Coolify): DATABASE_URL, RUSTFS_*, GEOCODER_*. S3 is via boto3 — no
# aws CLI needed. psycopg2-binary ships its own libpq, so no build toolchain.
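# Source image for the uv binary. The default keeps the previous behaviour
# (floating :latest), which means the tool that enforces the lockfile is itself
# unpinned: whatever is published under that tag at build time runs as root in
# the dependency-install step.
# TODO(FT-SEC-02): pin to a reviewed release and digest, either by changing this
# default or at build time, e.g.
#     --build-arg UV_IMAGE=ghcr.io/astral-sh/uv:<reviewed-version>@sha256:<digest>
ARG UV_IMAGE=ghcr.io/astral-sh/uv:latest
FROM ${UV_IMAGE} AS uv

# Runtime stage (last FROM, so this is the image that gets built and run).
# NOTE(review): 3.12-slim is a floating tag and moves with patch releases and
# base-OS rebuilds; append @sha256:<digest> if byte-for-byte reproducibility is
# required.
FROM python:3.12-slim

# PYTHONUNBUFFERED: log lines from the ingests reach the container log at once.
# PIP_NO_CACHE_DIR: only affects pip; uv's cache is disabled per-command below.
# TZ: local zone for the worker; tzdata (installed next) provides the zone data.
ENV PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    TZ=Africa/Nairobi

# update + install + list cleanup stay in one layer so no stale apt index is
# cached and the package lists never land in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends tzdata \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Pinned installs from uv.lock (FT-SEC-02). `uv export --frozen` exports the
# lockfile exactly as committed and fails if uv.lock is missing; it does NOT
# check that uv.lock is still in sync with pyproject.toml. If the build must
# fail on drift, use `--locked` here or run `uv lock --check` in CI.
# Runtime imports straight from /app via `python -m inc.import_inc` — the
# project itself needs no install (hence --no-emit-project).
COPY --from=uv /uv /bin/uv
# Only the manifests are copied first, so this layer is rebuilt when the
# dependencies change rather than on every source edit.
COPY pyproject.toml uv.lock ./
# --no-cache keeps uv's download/build cache out of the image layer
# (PIP_NO_CACHE_DIR above has no effect on uv).
RUN uv export --no-cache --frozen --no-dev --no-emit-project --format requirements-txt -o /tmp/requirements.txt \
    && uv pip install --no-cache --system -r /tmp/requirements.txt \
    && rm /tmp/requirements.txt

# Copies the whole build context. NOTE(review): confirm a .dockerignore excludes
# .env files, .git and local data dumps — credentials are meant to arrive via
# Coolify env (DATABASE_URL, RUSTFS_*, GEOCODER_*), not via the image.
# The copy runs before USER and without --chown, so /app stays root-owned and the
# runtime user cannot rewrite the code it executes.
COPY . .

# Non-privileged runtime user (Coolify Scheduled Tasks exec as this user too).
# NOTE(review): the UID is whatever useradd allocates; pass an explicit --uid if
# the platform or a mounted volume needs a stable numeric id.
RUN useradd -m tickets-user
USER tickets-user

# Keep the container alive so Coolify Scheduled Tasks can exec into it.
CMD ["tail", "-f", "/dev/null"]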
