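# Sequential Thinking Age-Encrypted Wrapper
#
# Two-stage build:
#   1. python-builder: stages the MCP compatibility server source.
#   2. runtime: Debian slim image that runs the host-built wrapper binary and
#      the Python MCP server as the non-root user `seqthink`.
#
# NOTE(review): both base images are referenced by mutable tag. For
# reproducible builds, pin each FROM by digest (image:tag@sha256:<digest>).

# Stage 1: Build Python MCP server
FROM python:3.11-slim AS python-builder

WORKDIR /mcp

# Install Sequential Thinking MCP server dependencies
# Note: For Beat 1, we'll use a minimal Python HTTP server
# Full MCP server integration happens in later beats
# NOTE(review): only /mcp/server.py is copied out of this stage, so these
# packages never reach the runtime image (which installs the same pins itself).
# Keep the two lists in sync. The extras spec is quoted so the shell cannot
# treat "[standard]" as a glob pattern.
RUN pip install --no-cache-dir \
    fastapi==0.109.0 \
    "uvicorn[standard]==0.27.0" \
    pydantic==2.5.3

# Copy MCP compatibility server
COPY deploy/seqthink/mcp_server.py /mcp/server.py

# Stage 2: Runtime
FROM debian:bookworm-slim

# Install runtime dependencies
# curl is used by the HEALTHCHECK below; python3-pip is used by the next step.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        python3 \
        python3-pip && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Install Python packages in runtime
# --break-system-packages lets pip install into Debian's system Python, which
# is otherwise marked as externally managed.
# NOTE(review): only the top-level packages are pinned; transitive dependencies
# are resolved at build time. A requirements file installed with
# `pip install --require-hashes` would lock the full set. pip itself also stays
# in the final image.
RUN pip3 install --no-cache-dir --break-system-packages \
    fastapi==0.109.0 \
    "uvicorn[standard]==0.27.0" \
    pydantic==2.5.3

# Create non-root user
RUN useradd -r -u 1000 -m -s /bin/bash seqthink

# Copy wrapper binary built on host (GOWORK=off GOOS=linux go build ...)
# The binary is taken from the build context as-is; this Dockerfile neither
# builds nor verifies it, so the image is only as trustworthy as the host
# build that produced it.
# COPY leaves files owned by root; --chmod=0755 (requires BuildKit) fixes the
# mode so the runtime user can execute but never modify the code it runs, even
# if the file in the build context was group- or world-writable.
COPY --chmod=0755 deploy/seqthink/bin/seqthink-wrapper /usr/local/bin/seqthink-wrapper
COPY --from=python-builder --chmod=0755 /mcp/server.py /opt/mcp/server.py

# Copy entrypoint
COPY --chmod=0755 deploy/seqthink/entrypoint.sh /entrypoint.sh

# Setup directories
# NOTE(review): the runtime user owns /etc/seqthink and can rewrite anything
# stored there. If configuration or key material is placed in that directory,
# consider keeping it root-owned and read-only for seqthink. Confirm first
# whether entrypoint.sh needs to write there.
RUN mkdir -p /etc/seqthink /var/log/seqthink && \
    chown -R seqthink:seqthink /etc/seqthink /var/log/seqthink

# Switch to non-root user
USER seqthink
WORKDIR /home/seqthink

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -f http://localhost:8443/health || exit 1

# Expose wrapper port (MCP server on 127.0.0.1:8000 is internal only)
EXPOSE 8443

# Run entrypoint
ENTRYPOINT ["/entrypoint.sh"]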