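# NVIDIA Sidecar rate-limiting proxy — production Docker image (BIZ-46 Phase3 §4)
#
# Build:
#   docker build -t nvidia-sidecar:latest .
#
# Run:
#   docker run -d --name nvidia-sidecar \
#     -p 127.0.0.1:9190:9190 \
#     -p 127.0.0.1:9191:9191 \
#     -e SIDECAR_API_KEY="nvapi-xxx" \
#     -e SIDECAR_RATE_RPM=40 \
#     -v $(pwd)/logs:/opt/nvidia-sidecar/logs \
#     nvidia-sidecar:latest
#
# Notes on the run example:
#   - "nvapi-xxx" is a placeholder. Passing the real key with -e puts it in
#     shell history and the host process list; --env-file with a file readable
#     only by the operator keeps it off the command line. Either way the value
#     remains visible through `docker inspect` to anyone with Docker access.
#   - Both ports are published on 127.0.0.1 only, so the proxy is not reachable
#     from other hosts even though the server binds 0.0.0.0 inside the
#     container. Keep the loopback prefix unless remote access is intended.
#   - The bind-mounted ./logs directory must be writable by the UID of the
#     container's `sidecar` user (a system UID assigned by useradd at build
#     time) — TODO confirm on the target host.

# The tag is floating: pin by digest for reproducible production builds.
FROM python:3.12-slim AS base

WORKDIR /app

# Install dependencies in their own layer so it is reused from the Docker
# layer cache; copying pyproject.toml first invalidates it only when that
# file changes.
COPY pyproject.toml .
# Every requirement is quoted: an unquoted `pkg>=1.0` is parsed by /bin/sh as
# `pkg` plus a redirect of stdout to a file named `=1.0`, which silently drops
# the version bound and leaves stray files in /app.
# The bounds are lower limits only; a lock or constraints file would make
# builds repeatable and the dependency set auditable.
RUN pip install --no-cache-dir \
    "fastapi>=0.115" \
    "httpx>=0.28" \
    "prometheus-client>=0.21" \
    "pydantic>=2.0" \
    "PyYAML>=6.0" \
    "structlog>=24.4" \
    "uvicorn[standard]>=0.34"

# Copy the application source.
# The whole build context is copied: make sure .dockerignore excludes .git,
# logs/, .env files and anything else holding credentials, otherwise it ends
# up in an image layer.
COPY . .

# Run as a dedicated non-root system user with no login shell.
# /opt/nvidia-sidecar/logs is the bind-mount target used in the run example.
# NOTE(review): chown -R on /app makes the application code writable by the
# runtime user; if the service never writes under /app, leaving the code
# root-owned would limit what a compromised process can modify.
RUN useradd -r -m -s /bin/false sidecar \
    && mkdir -p /opt/nvidia-sidecar/logs \
    && chown -R sidecar:sidecar /app /opt/nvidia-sidecar/logs
USER sidecar

# Health check: GET /health on the proxy port; any status other than 200, or
# an uncaught exception such as a refused connection, exits non-zero and marks
# the container unhealthy.
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD python -c "import httpx; r=httpx.get('http://127.0.0.1:9190/health'); exit(0 if r.status_code==200 else 1)"

# EXPOSE is documentation only; ports are published by `docker run -p`.
EXPOSE 9190 9191

# Exec form so uvicorn is PID 1 and receives SIGTERM from `docker stop`.
CMD ["uvicorn", "nvidia_sidecar.server:app", "--host", "0.0.0.0", "--port", "9190"]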