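# syntax=docker/dockerfile:1
# Runtime image for the Playwright-based service started by uvicorn on :8094.
# NOTE(review): the base is pinned by tag only; for reproducible builds pin it
# by digest as well (python:3.12-slim-bookworm@sha256:...) once one is chosen.
FROM python:3.12-slim-bookworm

WORKDIR /app

# OS libraries for Playwright's bundled Chromium, plus the Firefox/WebKit
# dependencies and Xvfb for headed runs. apt lists are removed in the same
# layer so the package cache never ends up in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
    libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 libcups2 \
    libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 libxfixes3 \
    libxrandr2 libgbm1 libpango-1.0-0 libcairo2 libasound2 \
    curl \
    # Browser-matrix stage 1: Firefox + WebKit deps + Xvfb (headed runs)
    xvfb \
    libdbus-glib-1-2 libxt6 \
    libwoff1 libvpx7 libevent-2.1-7 libopus0 libgstreamer-plugins-base1.0-0 \
    libgstreamer-gl1.0-0 libgstreamer1.0-0 libwebpdemux2 libharfbuzz-icu0 \
    libenchant-2-2 libsecret-1-0 libhyphen0 libmanette-0.2-0 libflite1 \
    libgles2 libx264-164 \
    && rm -rf /var/lib/apt/lists/*

# Create the unprivileged user BEFORE installing Playwright so the browser
# binaries land in that user's cache directory rather than root's.
# NOTE(review): the UID is allocated by useradd; if the runtime must verify
# non-root (e.g. Kubernetes runAsNonRoot), give it a fixed --uid instead.
RUN useradd --create-home appuser

# Python dependencies first so this layer is cached until requirements change.
# NOTE(review): installed without --require-hashes; pin versions and hashes in
# requirements.txt if the Python supply chain needs to be locked down.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Install Playwright browsers AS appuser (they land in /home/appuser/.cache/).
# Stage 1: chromium + firefox + webkit (Mobile-Safari = WebKit + devices preset).
USER appuser
RUN playwright install chromium firefox webkit
USER root

# ── Browser-matrix stage 1.3: real third-party browsers (amd64-only) ─────────
# Chrome/Edge channels and Brave exist only for amd64 (prod). On arm64 (dev
# Mac mini) they are skipped best-effort → the build does NOT fail; the matrix
# there runs with the 4 default engines (chromium/firefox/webkit/iPhone).
# Brave/Chrome/Edge are opt-in extras (EXTRA_PROFILES, on request only).
# BuildKit fills TARGETARCH automatically from the target platform; the amd64
# default only applies to the legacy builder, which does not set it.
# Security notes:
#  * The Brave signing key is trusted purely via TLS to the vendor bucket; its
#    fingerprint is not verified here. Pinning and checking the fingerprint
#    before writing the keyring would remove that single point of trust.
#  * The download forbids protocol downgrade on redirects (--proto '=https')
#    and old TLS (--tlsv1.2).
#  * On any failure the half-installed repo config, keyring and apt lists are
#    removed so the image does not keep a dangling trusted source.
#  * brave-browser is installed unpinned — the version follows the vendor repo.
ARG TARGETARCH=amd64
RUN set -eux; \
    if [ "$TARGETARCH" = "amd64" ]; then \
      ( curl -fsSL --proto '=https' --tlsv1.2 \
            -o /usr/share/keyrings/brave-browser-archive-keyring.gpg \
          https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg && \
        echo "deb [arch=amd64 signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main" \
          > /etc/apt/sources.list.d/brave-browser-release.list && \
        apt-get update && \
        apt-get install -y --no-install-recommends brave-browser && \
        rm -rf /var/lib/apt/lists/* ) \
        || { rm -f /etc/apt/sources.list.d/brave-browser-release.list \
                   /usr/share/keyrings/brave-browser-archive-keyring.gpg; \
             rm -rf /var/lib/apt/lists/*; \
             echo "WARN: Brave-Install uebersprungen (Arch/Netz)"; }; \
    else echo "TARGETARCH=$TARGETARCH != amd64 — Brave uebersprungen"; fi

# Playwright channels Chrome + Edge (Google/Microsoft builds, amd64-only).
# Runs as root because these install system-wide under /opt; --with-deps pulls
# the OS libraries via apt. Failure is tolerated (best-effort extras).
# NOTE(review): --with-deps adds vendor apt repositories and runs apt-get
# itself; whether it cleans /var/lib/apt/lists afterwards is not visible here.
RUN set -eux; \
    if [ "$TARGETARCH" = "amd64" ]; then \
      ( playwright install --with-deps chrome msedge ) \
        || echo "WARN: Chrome/Edge-Channel uebersprungen"; \
    else echo "TARGETARCH=$TARGETARCH != amd64 — Chrome/Edge uebersprungen"; fi

# Application code. --chown sets ownership while copying, avoiding the second
# full copy of the tree that a separate `RUN chown -R` layer would create.
# The pre-existing WORKDIR itself is not covered by --chown, so its owner is
# changed separately (metadata-only, so the layer stays tiny).
# NOTE(review): this copies the whole build context — make sure .dockerignore
# excludes .git, .env, local virtualenvs and anything else that must not ship.
COPY --chown=appuser:appuser . .
RUN chown appuser:appuser /app

# Drop privileges for the runtime process; nothing below needs root.
USER appuser

# Documentation only — the port still has to be published at run time.
EXPOSE 8094

# P83 — build SHA for check-rebuild-needed.sh. Declared as late as possible
# because it changes every build and would invalidate all following layers.
ARG BUILD_SHA="unknown"
ENV BUILD_SHA=${BUILD_SHA}

# Exec form so uvicorn is PID 1 and receives SIGTERM directly from `docker stop`.
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8094"]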
