# syntax=docker/dockerfile:1.7
#
# tile-cache-fixture builder image. Built once per CI; output is a named
# Docker volume (`tile-cache-fixture`) mounted RO into the SUT by
# `docker/docker-compose.test.yml`.
#
# Public-boundary discipline: this image does NOT install the SUT
# package. It depends only on:
#   * Pillow — JPEG re-encode of the paired _gmaps.png reference tiles
#     and the deterministic stub-tile generator.
#   * faiss-cpu — deterministic HNSW descriptor index emission.
#   * numpy — backing array dtype for FAISS.
#
# Reproducibility:
#   * Pin Python to 3.10-slim (matches the runner image's Python line).
#   * Pin Pillow, faiss-cpu, numpy to the versions verified deterministic
#     in `e2e/_unit_tests/fixtures/test_tile_cache_builder.py`.
#   * `PYTHONHASHSEED=0` neutralises hash-order non-determinism.

# Base image is pinned by digest: the digest, not the tag, decides what is
# pulled, so a re-pushed tag cannot silently change the build input. Bump the
# tag and the digest together when taking base-image security updates.
FROM python:3.10.14-slim-bookworm@sha256:9c9efb0c19a8bb1f08e8e7a13be5d671e51bcb9c83a3a8b0e2ad7d8aaeb33b30

# Interpreter and pip settings for the whole image:
#   PIP_NO_CACHE_DIR=1         - pip keeps no download/wheel cache in layers.
#   PYTHONDONTWRITEBYTECODE=1  - no .pyc files are written next to sources.
#   PYTHONHASHSEED=0           - disables hash randomisation (see header).
#   PYTHONUNBUFFERED=1         - stdout/stderr are not buffered, so log lines
#                                appear immediately in CI output.
ENV PIP_NO_CACHE_DIR=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONHASHSEED=0 \
    PYTHONUNBUFFERED=1

# OS-level runtime libraries, installed and cleaned up in a single layer so
# the apt package lists never persist in the image.
#   ca-certificates - CA bundle for TLS verification.
#   libgomp1        - GNU OpenMP runtime; presumably needed by faiss-cpu
#                     (TODO confirm).
# NOTE(review): apt package versions are not pinned, so this layer follows
# whatever the configured mirrors serve at build time even though the base
# image itself is digest-pinned.
RUN <<EOF
set -e
apt-get update
apt-get install -y --no-install-recommends \
    ca-certificates \
    libgomp1
rm -rf /var/lib/apt/lists/*
EOF

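# Python dependencies of builder.py (Pillow, numpy, faiss-cpu; see header).
#
# NOTE(review): the header says these are pinned to the versions verified
# deterministic in the unit test, but the specifiers below are ranges. pip
# resolves them to whatever is newest on the index at build time, so two
# builds can install different releases and the fixture output may drift.
# For a reproducible and tamper-evident install, replace the ranges with the
# exact verified versions in a hash-locked requirements file and install it
# with `pip install --require-hashes -r <requirements file>`.
#
# --only-binary=:all: makes pip refuse source distributions. No package
# build script runs during the image build, and a missing wheel fails
# loudly rather than falling back to a source build (this Dockerfile
# installs no compiler toolchain).
RUN pip install --no-cache-dir --only-binary=:all: \
        "Pillow>=10.4,<12.0" \
        "numpy>=1.26,<2.0" \
        "faiss-cpu>=1.8,<2.0"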

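WORKDIR /opt/builder
# The script stays root-owned so the unprivileged runtime user cannot modify
# the code it executes. --chmod fixes the mode so the file is readable by
# that user whatever permissions it carries in the build context.
COPY --chmod=0644 builder.py /opt/builder/builder.py

# Drop root for runtime. The image only reads /input and writes to /output,
# both mounted by the caller, so /output is the only path handed to the
# runtime user; /opt/builder and /input remain root-owned and read-only to it.
# The group is created with an explicit GID so that `USER 10001:10001` below
# always refers to the builder user's own group rather than relying on
# useradd's default group allocation.
RUN groupadd -g 10001 builder \
 && useradd -u 10001 -g 10001 -m -d /home/builder builder \
 && mkdir -p /input /output \
 && chown builder:builder /output
# Numeric UID:GID lets runtimes that enforce non-root execution verify the
# user without consulting /etc/passwd inside the image.
USER 10001:10001

# Exec form: python is the container's main process and receives stop signals
# directly. CMD supplies only default arguments, so a caller can override the
# directories at `docker run` without replacing the entrypoint.
ENTRYPOINT ["python", "/opt/builder/builder.py"]
CMD ["--input-dir", "/input", "--output-dir", "/output"]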
