# Zipper Node — minimal, hardened, RAM-only by enforcement.
#
# Build:    docker build -t zipper-node:latest .
# Run:      see docker-compose.yml or the operator README
#
# Design intent:
#   - No filesystem writes by the running app (read-only root + tmpfs /tmp)
#   - No file logging (stdout only; container log driver should be 'none')
#   - Drops to non-root UID 1000
#   - Single WebSocket port (9000) — designed to sit behind nginx HTTPS
#   - Minimal dependencies: python:3.12-slim + websockets + cryptography

FROM python:3.12-slim

RUN apt-get update && \
    apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/* && \
    pip install --no-cache-dir \
        websockets==15.0.1 \
        cryptography==43.0.1 && \
    useradd -u 1000 -m -s /bin/sh app

WORKDIR /app
COPY zipper_server.py /app/zipper_server.py
RUN chown -R app:app /app && mkdir -p /data && chown app:app /data

USER app

VOLUME ["/data"]

ENV ZIPPER_PORT=9000 \
    MAX_SESSION_BYTES=1048576 \
    MAX_BLOCK_BYTES=4096 \
    SESSION_TIMEOUT_SECS=600 \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

EXPOSE 9000

HEALTHCHECK --interval=30s --timeout=5s --retries=2 \
    CMD curl -fsS http://127.0.0.1:${ZIPPER_PORT}/health || exit 1

ENTRYPOINT ["python", "-u", "/app/zipper_server.py"]
