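# syntax=docker/dockerfile:1.7
FROM python:3.13-slim

# Runtime-only settings. Build-only knobs (DEBIAN_FRONTEND, pip's cache switch)
# are passed inline on the RUN lines that need them so they do not persist in
# the container environment.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    HOME=/data \
    MEMPALACE_PALACE_PATH=/data/palace

# libgomp1: required at runtime by onnxruntime (used by chromadb's default
# embedding function — all-MiniLM-L6-v2 ONNX).
# ca-certificates: TLS trust store for pip during the build and for any
# outbound HTTPS the service makes at runtime.
RUN DEBIAN_FRONTEND=noninteractive apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        ca-certificates \
        libgomp1 \
 && rm -rf /var/lib/apt/lists/*

# Unraid convention: appdata is owned by nobody:users (99:100). Run as that
# UID/GID so files written to /data inherit the right ownership on the host.
# Debian's base-passwd already ships a "users" group with GID 100, so an
# unconditional `groupadd -g 100 users` aborts the build; only create the
# group when GID 100 is genuinely absent, then attach the user to it by GID.
RUN (getent group 100 >/dev/null || groupadd -g 100 users) \
 && useradd -u 99 -g 100 -m -d /data -s /usr/sbin/nologin mempalace

# Install the project from source plus mcp-proxy. The build tree is removed in
# the same layer so it adds nothing to the image (the COPY layers still carry
# the source; move the install into a separate build stage if that matters).
# TODO(review): pin mcp-proxy to an exact version so rebuilds are reproducible.
WORKDIR /build
COPY pyproject.toml README.md ./
COPY mempalace ./mempalace
RUN pip install --no-cache-dir . mcp-proxy \
 && rm -rf /build

# useradd -m already created /data for 99:100; the chown keeps ownership
# correct if anything written there earlier (or by a future COPY) is root-owned.
WORKDIR /data
RUN chown -R 99:100 /data
USER 99:100

# 8765 — MCP over SSE (mcp-proxy)
# 8766 — HTTP ingest (in-process thread, started when MEMPALACE_INGEST_PORT set)
EXPOSE 8765 8766

# Liveness probe: a plain TCP connect to the SSE port. It proves only that the
# proxy's listener is up, not that the spawned MCP child answers requests.
# The start-period presumably covers onnxruntime/chromadb warm-up — confirm.
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
  CMD python -c "import socket,sys;s=socket.socket();s.settimeout(2);sys.exit(0 if s.connect_ex(('127.0.0.1',8765))==0 else 1)"

# mcp-proxy wraps the stdio MCP server and exposes it as SSE on :8765.
# --pass-environment forwards MEMPALACE_* vars to the spawned child.
# The listener binds 0.0.0.0 inside the container; scope its external reach
# through the host's port publishing rather than relying on the bind address.
CMD ["mcp-proxy","--sse-host","0.0.0.0","--sse-port","8765","--pass-environment","--","mempalace-mcp"]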
