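# syntax=docker/dockerfile:1

# Use a slim Python image (pin by digest for fully reproducible builds once the
# deployment tooling can manage digest bumps)
FROM python:3.12-slim

# Release tag of the uv installer image copied below. Override at build time
# (`--build-arg UV_VERSION=<release tag>`) so the tool is pinned as strictly as
# uv.lock pins the application dependencies (SEC-05); `latest` is only a fallback
# and makes the build non-reproducible.
ARG UV_VERSION=latest

# Install uv
COPY --from=ghcr.io/astral-sh/uv:${UV_VERSION} /uv /bin/uv

# Install system dependencies (required for Postgres and healthchecks).
# `--no-install-recommends` keeps the image small and its attack surface limited;
# the apt lists are removed in the same layer so they never land in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    libpq5 \
    postgresql-client \
    && rm -rf /var/lib/apt/lists/*

# Set working directory
WORKDIR /app

# Copy dependency files (lockfile pins exact versions — SEC-05)
COPY pyproject.toml uv.lock ./

# Install the locked dependency set into the system environment.
# `uv export --frozen` fails the build if uv.lock is out of sync with pyproject.toml,
# so image builds are reproducible and can't silently pull newer packages.
# `--no-cache` keeps uv's download cache out of the image layer.
RUN uv export --frozen --no-dev --no-emit-project --format requirements-txt -o /tmp/requirements.txt \
    && uv pip install --system --no-cache -r /tmp/requirements.txt \
    && rm /tmp/requirements.txt

# Copy the rest of the application. Keep a .dockerignore (.git, .env, local
# virtualenvs, data dumps) next to this file so secrets and build junk are never
# sent in the build context.
COPY . .

# Security: Run as a non-privileged user (standard for 24/7 telemetry).
# Files under /app stay root-owned and read-only for this user; if the app needs
# a writable directory, create it here with `--chown` rather than loosening /app.
RUN useradd -m telemetry-user
USER telemetry-user

# CMD is handled by docker-compose.yml to differentiate movement vs events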