CHORUS/deploy/seqthink/Dockerfile

# Sequential Thinking Age-Encrypted Wrapper
# Beat 1: Plaintext skeleton - encryption added in Beat 2

# Stage 1: Build Go wrapper
FROM golang:1.23-alpine AS go-builder

WORKDIR /build

# Install build dependencies
RUN apk add --no-cache git make

# Copy go mod files
COPY go.mod go.sum ./
RUN go mod download

# Copy source code
COPY . .

# Build the wrapper binary
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo \
    -ldflags '-w -s -extldflags "-static"' \
    -o seqthink-wrapper \
    ./cmd/seqthink-wrapper

# Stage 2: Build Python MCP server
FROM python:3.11-slim AS python-builder

WORKDIR /mcp

# Install Sequential Thinking MCP server dependencies
# Note: For Beat 1, we'll use a minimal Python HTTP server
# Full MCP server integration happens in later beats
RUN pip install --no-cache-dir \
    fastapi==0.109.0 \
    uvicorn[standard]==0.27.0 \
    pydantic==2.5.3

# Copy MCP server stub (to be replaced with real implementation)
COPY deploy/seqthink/mcp_stub.py /mcp/server.py

# Stage 3: Runtime
FROM debian:bookworm-slim

# Install runtime dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    ca-certificates \
    python3 \
    python3-pip && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Install Python packages in runtime
RUN pip3 install --no-cache-dir --break-system-packages \
    fastapi==0.109.0 \
    uvicorn[standard]==0.27.0 \
    pydantic==2.5.3

# Create non-root user
RUN useradd -r -u 1000 -m -s /bin/bash seqthink

# Copy binaries
COPY --from=go-builder /build/seqthink-wrapper /usr/local/bin/
COPY --from=python-builder /mcp/server.py /opt/mcp/server.py

# Copy entrypoint
COPY deploy/seqthink/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Setup directories
RUN mkdir -p /etc/seqthink /var/log/seqthink && \
    chown -R seqthink:seqthink /etc/seqthink /var/log/seqthink

# Switch to non-root user
USER seqthink
WORKDIR /home/seqthink

# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
    CMD curl -f http://localhost:8443/health || exit 1

# Expose wrapper port (MCP server on 127.0.0.1:8000 is internal only)
EXPOSE 8443

# Run entrypoint
ENTRYPOINT ["/entrypoint.sh"]