# Stage 1: Backend Python environment builder
FROM python:3.11-slim as backend-builder
WORKDIR /usr/src/app
COPY backend/requirements.txt .
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir -r requirements.txt

# Stage 2: Frontend React application builder
FROM node:18-alpine as frontend-builder
WORKDIR /app/frontend
# Copy package manifests and install dependencies
COPY frontend/package.json frontend/package-lock.json ./
RUN npm install
# Copy the rest of the frontend source code and build
COPY frontend/ ./
RUN npm run build

# Stage 3: Final application image
FROM python:3.11-slim

# Define arguments for user/group IDs with non-root defaults
ARG USER_ID=1001
ARG GROUP_ID=1001

# Install gosu for user privilege escalation
RUN apt-get update && apt-get install -y --no-install-recommends gosu && rm -rf /var/lib/apt/lists/*

# Create a non-root user and group
RUN groupadd -g $GROUP_ID appgroup && \
    useradd -r -u $USER_ID -g appgroup appuser

# Set the working directory
WORKDIR /app

# Copy installed Python packages from the backend-builder stage
COPY --from=backend-builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages

# Copy application code and built frontend, setting ownership to the new user
COPY --chown=$USER_ID:$GROUP_ID backend/app /app/app
COPY --chown=$USER_ID:$GROUP_ID backend/start.sh /app/start.sh
COPY --chown=$USER_ID:$GROUP_ID --from=frontend-builder /app/frontend/build /app/static

# Create data directory, set permissions, and make start script executable
# Note: The chown here is for the image layer. The runtime chown will be done in start.sh
RUN chmod +x /app/start.sh && \
    mkdir -p /app/data && \
    chown -R $USER_ID:$GROUP_ID /app/data

# By default, the container will run as root, allowing start.sh to fix permissions.
# The USER directive is intentionally omitted.

# Set the default command to run the application
CMD ["bash", "start.sh"]