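# syntax=docker/dockerfile:1
# NOTE(review): pin the base by digest (python:3.12-alpine@sha256:<digest>) so the
# CVE claim below stays tied to the exact image that was audited; a floating tag
# re-resolves to a different image on every build.
FROM python:3.12-alpine

# Runtime packages for WeasyPrint (Pango/Cairo) and the PDF pipeline.
# Alpine packages are smaller than the Debian-slim equivalents and the base
# image currently has 0 CRITICAL CVEs (vs. 3 in python:3.12-slim, as of the
# May 2026 security audit) -- a point-in-time finding, re-check on every bump.
# apk versions are deliberately not pinned (hadolint DL3018): Alpine removes
# superseded package versions from its repositories, so a pinned set stops
# building; the digest pin on the base image is the reproducibility lever.
RUN apk add --no-cache \
    cairo \
    fontconfig \
    gdk-pixbuf \
    libffi \
    libxml2 \
    libxslt \
    pango \
    shared-mime-info \
    ttf-dejavu

WORKDIR /app

# Build toolchain for pip wheels (musllinux fallbacks build pymupdf, cffi, lxml,
# cryptography locally when no wheel exists). It is added, used and removed in
# ONE layer: an `apk del` in a later RUN only hides the files from the final
# filesystem, while the compilers and headers stay in the earlier layer and are
# still shipped with (and extractable from) the pulled image.
COPY requirements.txt .
RUN apk add --no-cache --virtual .build-deps \
        build-base \
        cairo-dev \
        cargo \
        gcc \
        gdk-pixbuf-dev \
        jpeg-dev \
        libffi-dev \
        libxml2-dev \
        libxslt-dev \
        musl-dev \
        openssl-dev \
        pango-dev \
        rust \
        zlib-dev \
    && pip install --no-cache-dir --upgrade pip wheel \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps
# NOTE(review): if requirements.txt carries --hash entries, add --require-hashes
# to the second pip call so a substituted wheel fails the build -- confirm
# against the file.

# Non-root runtime user (#119 Security). Fixed numeric UID so runAsNonRoot-style
# admission checks can verify it.
RUN adduser -D -u 1000 appuser

# Copy application code only (data/reports are mounted as volumes).
# The code stays root-owned and therefore read-only for appuser: a compromised
# request handler must not be able to rewrite its own source to persist. Only
# the two volume mount points are writable by the runtime user.
# NOTE(review): assumes the app writes nothing else under /app at runtime
# (PYTHONDONTWRITEBYTECODE=1 below keeps .pyc writes out) -- confirm.
COPY app/ ./app/
RUN mkdir -p /app/data /app/reports \
    && chown appuser:appuser /app/data /app/reports

USER appuser

# Runtime environment (one instruction, key=value form).
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

# Documentation only; 8000 is an unprivileged port, so the non-root user can
# bind it without extra capabilities.
EXPOSE 8000

# No HEALTHCHECK: the image ships no curl/wget and the app's health endpoint is
# not known from this file -- add one against the app's endpoint if it exists.

# Exec form: uvicorn runs as PID 1 and receives SIGTERM from `docker stop`.
# 0.0.0.0 binds inside the container's namespace; publishing is the runtime's job.
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]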