# Neuron Soul — GKE container image
#
# Build strategy:
#   1. CI pre-downloads all artifacts from Artifact Registry into build-artifacts/
#      (neuron soul binary, El compiler, El runtime). No GCP credentials are needed
#      inside the build — all AR access happens in the CI workflow before docker build.
#   2. Build engram from source (neuron-technologies/engram, cloned by CI into ./engram/).
#   3. Package soul + engram in an Ubuntu 24.04 runtime image (GLIBC 2.39).
#   4. entrypoint.sh starts engram on :8742, waits for it to be healthy,
#      then starts the soul with ENGRAM_URL pointing at it (HTTP mode).
#
# Expected build context layout (prepared by deploy-gke.yaml before docker build):
#   build-artifacts/neuron         — pre-built linux/amd64 soul binary
#   build-artifacts/elc            — El compiler (for engram source compilation)
#   build-artifacts/el_runtime.c   — El C runtime
#   build-artifacts/el_runtime.h   — El C runtime header
#   engram/src/server.el           — engram source (cloned by CI)
#   entrypoint.sh                  — container entrypoint
#
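# Required env vars (injected via ExternalSecret at runtime):
#   NEURON_PORT, NEURON_LLM_0_URL, NEURON_LLM_0_KEY, NEURON_LLM_0_FORMAT,
#   SOUL_CGI_ID, SOUL_IDENTITY, NEURON_TOKEN, NEURON_API_URL, ENGRAM_URL,
#   ENGRAM_DATA_DIR
# NEURON_PORT, ENGRAM_URL and ENGRAM_DATA_DIR also have defaults set by ENV in the
# runtime stage below; the other values exist only at runtime and are not set in this file.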

# ── Stage 1: Build engram from source ────────────────────────────────────────
# Throwaway stage: the C toolchain and the El SDK stay here. Only
# /build/dist/engram is copied into the runtime image.
FROM ubuntu:24.04 AS engram-builder

# Toolchain and libcurl headers for the engram link step. The apt lists are
# removed in the same layer that downloaded them.
RUN apt-get update -qq \
 && apt-get install -y --no-install-recommends \
      ca-certificates \
      gcc \
      libc6-dev \
      libcurl4-openssl-dev \
 && rm -rf /var/lib/apt/lists/*

# El SDK pre-downloaded by CI into build-artifacts/.
# NOTE(review): elc is a prebuilt binary that is executed during this build and
# el_runtime.c is compiled into engram. No checksum or signature check is visible
# in this file, so their integrity rests on the CI download step; confirm that CI
# verifies them before docker build.
COPY build-artifacts/elc /usr/local/bin/elc
COPY build-artifacts/el_runtime.c build-artifacts/el_runtime.h /usr/local/lib/el/

# engram source cloned by CI into ./engram/
COPY engram/src/server.el /build/src/server.el

# Two steps: elc writes the generated C to stdout (redirected to engram.c), then
# cc compiles it together with the El runtime and links libcurl, pthread and libm.
# Every step is chained with &&, so a failing elc or cc aborts the build.
RUN chmod +x /usr/local/bin/elc \
 && mkdir -p /build/dist \
 && /usr/local/bin/elc /build/src/server.el > /build/dist/engram.c \
 && echo "Compiled server.el -> engram.c ($(wc -l < /build/dist/engram.c) lines)" \
 && cc -std=c11 -O2 -I /usr/local/lib/el \
      /build/dist/engram.c \
      /usr/local/lib/el/el_runtime.c \
      -o /build/dist/engram \
      -lcurl -lpthread -lm \
 && echo "Built engram:" \
 && ls -lh /build/dist/engram \
 && chmod +x /build/dist/engram

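# ── Stage 2: Runtime image ───────────────────────────────────────────────────
# Ubuntu 24.04: GLIBC 2.39 satisfies both neuron-soul and engram binary deps.
# NOTE(review): the base is pinned by tag only. Pinning by digest would make
# rebuilds reproducible; the digest has to be taken from the registry, none is
# recorded in this file.
FROM ubuntu:24.04

# Runtime packages only; the compiler stays in the engram-builder stage.
# libcurl4t64 is the shared library behind the -lcurl link in the build stage.
# curl is presumably used by entrypoint.sh for the engram health wait (confirm).
# The service account gets a fixed UID so USER below can name it numerically.
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      libcurl4t64 && \
    rm -rf /var/lib/apt/lists/* && \
    useradd -r -u 10000 -m -s /bin/bash soul

# soul binary pre-downloaded by CI into build-artifacts/
COPY build-artifacts/neuron        /usr/local/bin/neuron
COPY --from=engram-builder /build/dist/engram /usr/local/bin/engram
COPY entrypoint.sh                 /usr/local/bin/entrypoint.sh

# COPY leaves the files owned by root. The explicit 0755 (instead of +x) also
# clears any group/other write bit carried over from the build context, so the
# unprivileged runtime user can execute these files but not replace them.
RUN chmod 0755 /usr/local/bin/neuron /usr/local/bin/engram /usr/local/bin/entrypoint.sh

# /data is the engram mount point (PVC at runtime).
# The chown applies to the directory in the image. A volume mounted over /data
# brings its own ownership, so UID 10000 needs write access granted on the
# Kubernetes side as well (NOTE(review): confirm in the pod spec, e.g. fsGroup).
RUN mkdir -p /data && chown soul:soul /data

# Numeric form of the soul account created above (useradd -u 10000). With a
# user name here, Kubernetes cannot verify runAsNonRoot from the image config
# and refuses to start the container unless the pod spec sets runAsUser.
# The primary group and HOME are still resolved from /etc/passwd.
USER 10000
WORKDIR /home/soul

# Only the soul port is declared. Engram's 8742 is reached over localhost inside
# the container (NOTE(review): its bind address is set outside this file; confirm
# it listens on loopback only).
EXPOSE 7770

# ENGRAM_URL and ENGRAM_DATA_DIR trigger HTTP mode in the soul.
# SOUL_ENGRAM_PATH must NOT be set — its presence would enable legacy file mode.
# Only non-secret defaults are set here. The remaining variables in the file
# header are injected at runtime and must not be added as ENV or ARG.
ENV NEURON_PORT=7770 \
    ENGRAM_URL=http://localhost:8742 \
    ENGRAM_DATA_DIR=/data

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]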
