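# Neuron Soul — GKE container image
#
# Build strategy:
#   1. Download the pre-built linux/amd64 soul binary (package: neuron-soul)
#      from Artifact Registry (foundation-dev).
#   2. Download the El SDK from Artifact Registry and build engram from source
#      (the neuron-technologies/engram repo is a git submodule). Engram has
#      never been published as a standalone Artifact Registry package.
#   3. Package both in an Ubuntu 24.04 runtime image (GLIBC 2.39 required by
#      binaries compiled on Ubuntu 24.04 CI runners).
#   4. entrypoint.sh starts engram on :8742, waits for it to be healthy,
#      then starts the soul with ENGRAM_URL pointing at it (HTTP mode).
#
# Required env vars (injected via ExternalSecret at runtime):
#   NEURON_PORT, NEURON_LLM_0_URL, NEURON_LLM_0_KEY, NEURON_LLM_0_FORMAT,
#   SOUL_CGI_ID, SOUL_IDENTITY, NEURON_TOKEN, NEURON_API_URL, ENGRAM_URL,
#   ENGRAM_DATA_DIR
#
# Build-time inputs:
#   --build-arg SOUL_VERSION=<version>   neuron-soul version ("latest" = newest
#                                        by createTime at build time)
#   --secret id=gcp_sa_key,src=<file>    service-account key for Artifact Registry
#
# NOTE(review): "latest" and the El SDK packages are resolved at build time, so
# two builds of the same commit can ship different binaries. Nothing here
# verifies a digest or signature of the downloaded artifacts; pin SOUL_VERSION
# and compare against a known checksum in CI where reproducibility matters.

ARG SOUL_VERSION=latest

# ── Stage 1: Download neuron-soul + El SDK from Artifact Registry ─────────────
FROM ubuntu:24.04 AS downloader

ARG SOUL_VERSION

# Install the Google Cloud CLI from Google's apt repository.
# The repository key is fetched over TLS and trusted as-is (no fingerprint pin);
# signed-by restricts it to this one source.
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gnupg \
        apt-transport-https && \
    echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" \
        > /etc/apt/sources.list.d/google-cloud-sdk.list && \
    curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg \
        | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
    apt-get update -qq && \
    apt-get install -y --no-install-recommends google-cloud-cli && \
    rm -rf /var/lib/apt/lists/*

# Fetch neuron-soul and the El SDK.
#
# Changes from the previous "a && b || true && c" chain:
#   * `set -eu` plus `;` separators: a failed auth/list/download now fails the
#     build instead of being swallowed by a later `|| true`.
#   * The key is read straight from the secret mount, never copied to /tmp.
#   * gcloud's config dir (where activate-service-account stores the credential)
#     lives in a temp dir removed on exit, so it is not committed to this
#     stage's layer or exported with the build cache.
#   * An empty resolved version is an error instead of `--version=""`.
RUN --mount=type=secret,id=gcp_sa_key \
    set -eu; \
    CLOUDSDK_CONFIG="$(mktemp -d)"; \
    export CLOUDSDK_CONFIG; \
    trap 'rm -rf -- "${CLOUDSDK_CONFIG}"' EXIT; \
    \
    # Print the newest version name (by createTime) of package $1.
    latest_version() { \
        gcloud artifacts versions list \
            --repository=foundation-dev \
            --location=us-central1 \
            --project=neuron-785695 \
            --package="$1" \
            --sort-by="~createTime" \
            --limit=1 \
            --format="value(name)" | awk -F/ '{print $NF}'; \
    }; \
    \
    # Download package $1 at version $2 into directory $3.
    fetch() { \
        if [ -z "$2" ]; then \
            echo "ERROR: could not resolve a version for package $1" >&2; \
            exit 1; \
        fi; \
        echo "Downloading $1@$2"; \
        gcloud artifacts generic download \
            --repository=foundation-dev \
            --location=us-central1 \
            --project=neuron-785695 \
            --package="$1" \
            --version="$2" \
            --destination="$3"; \
    }; \
    \
    # Ensure $1/$2 exists: if the download is named "$2<suffix>", rename it.
    # Ambiguous (several candidates, none named exactly $2) or missing files
    # are a hard error rather than a silently ignored mv failure.
    normalize() { \
        dir=$1; name=$2; \
        if [ ! -f "${dir}/${name}" ]; then \
            set -- "${dir}/${name}"*; \
            if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then \
                echo "ERROR: expected exactly one ${name}* file in ${dir}" >&2; \
                exit 1; \
            fi; \
            mv -- "$1" "${dir}/${name}"; \
        fi; \
    }; \
    \
    # Secret is optional: when it is not mounted, continue unauthenticated
    # (same as before) and let the first gcloud call fail loudly if access
    # is actually required.
    if [ -s /run/secrets/gcp_sa_key ]; then \
        gcloud auth activate-service-account --key-file=/run/secrets/gcp_sa_key; \
    fi; \
    gcloud config set project neuron-785695; \
    mkdir -p /tmp/soul /tmp/el-sdk; \
    \
    # ── soul ────────────────────────────────────────────────────────────────
    if [ "${SOUL_VERSION}" = "latest" ]; then \
        SOUL_VER=$(latest_version neuron-soul); \
    else \
        SOUL_VER="${SOUL_VERSION}"; \
    fi; \
    fetch neuron-soul "${SOUL_VER}" /tmp/soul/; \
    normalize /tmp/soul neuron; \
    chmod +x /tmp/soul/neuron; \
    \
    # ── El SDK (needed to build engram from source) ──────────────────────────
    ELC_VER=$(latest_version el-elc); \
    fetch el-elc "${ELC_VER}" /tmp/el-sdk/; \
    normalize /tmp/el-sdk elc; \
    chmod +x /tmp/el-sdk/elc; \
    \
    RC_VER=$(latest_version el-runtime-c); \
    fetch el-runtime-c "${RC_VER}" /tmp/el-sdk/; \
    normalize /tmp/el-sdk el_runtime.c; \
    \
    RH_VER=$(latest_version el-runtime-h); \
    fetch el-runtime-h "${RH_VER}" /tmp/el-sdk/; \
    normalize /tmp/el-sdk el_runtime.h; \
    \
    echo "Downloads complete:"; \
    ls -lh /tmp/soul/ /tmp/el-sdk/

# ── Stage 2: Build engram from source ────────────────────────────────────────
FROM ubuntu:24.04 AS engram-builder

RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        gcc \
        libc6-dev \
        libcurl4-openssl-dev && \
    rm -rf /var/lib/apt/lists/*

COPY --from=downloader /tmp/el-sdk/elc /usr/local/bin/elc
COPY --from=downloader /tmp/el-sdk/el_runtime.c /usr/local/lib/el/el_runtime.c
COPY --from=downloader /tmp/el-sdk/el_runtime.h /usr/local/lib/el/el_runtime.h

# engram source is expected at ./engram/src/server.el in the build context.
# The deploy-gke.yaml CI must clone neuron-technologies/engram alongside this repo.
COPY engram/src/server.el /build/src/server.el

# Translate server.el to C with elc, then link it against the El runtime.
RUN mkdir -p /build/dist && \
    /usr/local/bin/elc /build/src/server.el > /build/dist/engram.c && \
    echo "Compiled server.el -> engram.c ($(wc -l < /build/dist/engram.c) lines)" && \
    cc -std=c11 -O2 \
        -I /usr/local/lib/el \
        -o /build/dist/engram \
        /build/dist/engram.c \
        /usr/local/lib/el/el_runtime.c \
        -lcurl -lpthread -lm && \
    echo "Built engram:" && ls -lh /build/dist/engram && \
    chmod +x /build/dist/engram

# ── Stage 3: Runtime image ───────────────────────────────────────────────────
# Ubuntu 24.04: GLIBC 2.39 satisfies both neuron-soul and engram binary deps.
# Only the two binaries and entrypoint.sh are copied in; gcloud, the compiler
# and the downloader stage's filesystem are not part of this image.
FROM ubuntu:24.04

# curl is kept in the runtime image — presumably for entrypoint.sh's engram
# health wait; confirm before removing.
# The service runs as the unprivileged system user "soul" (uid 10000).
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        libcurl4t64 \
        curl && \
    rm -rf /var/lib/apt/lists/* && \
    useradd -r -u 10000 -m -s /bin/bash soul

COPY --from=downloader /tmp/soul/neuron /usr/local/bin/neuron
COPY --from=engram-builder /build/dist/engram /usr/local/bin/engram
COPY entrypoint.sh /usr/local/bin/entrypoint.sh

RUN chmod +x /usr/local/bin/neuron /usr/local/bin/engram /usr/local/bin/entrypoint.sh

# /data is the engram mount point (PVC at runtime).
RUN mkdir -p /data && chown soul:soul /data

USER soul
WORKDIR /home/soul

EXPOSE 7770

# ENGRAM_URL and ENGRAM_DATA_DIR trigger HTTP mode in the soul.
# SOUL_ENGRAM_PATH must NOT be set — its presence would enable legacy file mode.
ENV NEURON_PORT=7770 \
    ENGRAM_URL=http://localhost:8742 \
    ENGRAM_DATA_DIR=/data

ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]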