# The 3.11-slim tag is mutable: the registry can serve different image contents
# under the same tag over time, so this build is not reproducible (and the base
# is not integrity-checked by content) until it is pinned by digest.
# TODO: Pin to sha256 digest after verifying with: docker pull python:3.11-slim && docker inspect python:3.11-slim --format='{{index .RepoDigests 0}}'
FROM python:3.11-slim

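# Install the system packages used to fetch and build TA-Lib from source and to
# compile Python dependencies against libpq.
# --no-install-recommends keeps apt from pulling in optional packages nobody
# asked for; ca-certificates is listed explicitly because the HTTPS download of
# the TA-Lib tarball depends on it rather than on an implicit recommendation.
# The apt lists are removed in the same layer so they never persist in the image.
# NOTE(review): build-essential, wget and curl stay in the final image; a
# multi-stage build would keep the compiler toolchain and download tools out of
# the runtime image and shrink what is available to a compromised process.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    ca-certificates \
    curl \
    libpq-dev \
    wget \
    && rm -rf /var/lib/apt/lists/*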

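# Expected SHA-256 of the TA-Lib source tarball (update TALIB_SHA256 if upgrading version).
# NOTE(review): confirm this digest against an independently obtained copy of
# the release tarball; a wrong value makes the build fail closed, which is the
# intended behaviour of the gate below.
ARG TALIB_SHA256=da95f4c849e5f97f19a9c14c9bdb6f92ba4f7e2b0b3e49af3e5a8e22b6e84a81

# Download, verify, build, install and clean up TA-Lib in ONE layer:
#  - the checksum gate runs before tar/configure/make ever touch the archive,
#    so a tampered or truncated download stops the build instead of being compiled;
#  - the tarball and build tree are removed in the layer that created them, so
#    they do not persist in an earlier image layer.
# The build runs in a subshell so the working directory of the RUN is unchanged.
RUN wget https://prdownloads.sourceforge.net/ta-lib/ta-lib-0.4.0-src.tar.gz \
    && echo "${TALIB_SHA256}  ta-lib-0.4.0-src.tar.gz" | sha256sum -c - \
    && tar -xzf ta-lib-0.4.0-src.tar.gz \
    && (cd ta-lib/ && ./configure --prefix=/usr && make && make install) \
    && rm -rf ta-lib ta-lib-0.4.0-src.tar.gz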

# Set working directory; the relative paths in the COPY instructions below resolve under /app
WORKDIR /app

# Copy only the dependency manifest first, so the install layer below is reused
# from cache until pyproject.toml changes
COPY pyproject.toml ./

# Install Python dependencies.
# Only pyproject.toml is present in /app at this point; the application source
# is copied in a later instruction.
# NOTE(review): pip is upgraded to whatever is newest at build time, and no
# lockfile or hash checking is visible here, so the resolved package versions
# can drift between builds. Confirm whether pinning happens in pyproject.toml.
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir .

# Copy application code: the entire build context is copied into /app.
# NOTE(review): no .dockerignore is visible from this file. Without one, anything
# in the context (.env files, .git history, local credentials) is baked into an
# image layer and stays retrievable from it. Confirm an ignore file exists.
COPY . .

# Expose port for FastAPI (documentation only; matches the --port given to uvicorn in CMD)
EXPOSE 8001

# Create a dedicated system account with no usable login shell and hand the
# application directory to it, so the server does not run as root.
# NOTE(review): after the recursive chown the runtime user can also modify the
# application code under /app; if the service never writes there, root-owned
# code or a read-only root filesystem at run time would be tighter. Confirm.
RUN useradd --system --shell /bin/false appuser \
    && chown -R appuser:appuser /app

# Drop privileges: every later instruction and the container process run as appuser
USER appuser

# Run the inference server by default (exec form: uvicorn is started directly, not via a shell).
# --host 0.0.0.0 binds every interface inside the container; whether the service
# is reachable from outside is decided by how port 8001 is published at run time.
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001"]
