FROM python:3.12-slim

ENV PYTHONUNBUFFERED=1
WORKDIR /app

# Deps first so a code-only change doesn't bust the pip-install cache.
COPY web/requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# App code.
COPY web/ .

# Stamp with the git SHA read from the build context's .git dir. Kept last so
# only this thin layer invalidates per commit. Coolify doesn't expose the SHA
# as an env/build-arg, but it does leave .git intact in the checkout — so we
# parse HEAD ourselves. Build context must be the repo root for .git to be
# visible (see docker-compose.yml).
COPY .git /tmp/.git
RUN set -eu; \
    HEAD=$(cat /tmp/.git/HEAD 2>/dev/null || echo ""); \
    case "$HEAD" in \
      "ref: "*) REF=$(printf '%s' "$HEAD" | awk '{print $2}'); \
                SHA=$(cat "/tmp/.git/$REF" 2>/dev/null || \
                      awk -v r="$REF" '$2==r {print $1}' /tmp/.git/packed-refs 2>/dev/null || \
                      echo "");; \
      *) SHA="$HEAD";; \
    esac; \
    printf '%s\n' "${SHA:-dev}" > /git_commit; \
    rm -rf /tmp/.git

EXPOSE 8000

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD python -c "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8000/health', timeout=3).status==200 else 1)"

CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000", "--proxy-headers", "--forwarded-allow-ips", "*"]